-
Notifications
You must be signed in to change notification settings - Fork 101
/
Windows_Ransomware_Cuba.yar
45 lines (43 loc) · 1.86 KB
/
Windows_Ransomware_Cuba.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
rule Windows_Ransomware_Cuba_e64a16b1 {
meta:
author = "Elastic Security"
id = "e64a16b1-262c-4835-bd95-4dde89dd75f4"
fingerprint = "840f2ebe2664db9a0918acf7d408ca8060ee0d3c330ad08b36e5be7f7e2cf069"
creation_date = "2021-08-04"
last_modified = "2021-10-04"
threat_name = "Windows.Ransomware.Cuba"
reference = "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
reference_sample = "33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e"
severity = 100
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a = { 45 EC 8B F9 8B 45 14 89 45 F0 8D 45 E4 50 8D 45 F8 66 0F 13 }
$HeaderCheck = { 8B 06 81 38 46 49 44 45 75 ?? 81 78 04 4C 2E 43 41 74 }
condition:
any of them
}
rule Windows_Ransomware_Cuba_95a98e69 {
meta:
author = "Elastic Security"
id = "95a98e69-ce6c-40c6-a05b-2366c663ad6e"
fingerprint = "05cfd7803692149a55d9ced84828422b66e8b301c8c2aae9ca33c6b68e29bcf8"
creation_date = "2021-08-04"
last_modified = "2021-10-04"
threat_name = "Windows.Ransomware.Cuba"
reference = "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
reference_sample = "00f18713f860dc8394fb23a1a2b6280d1eb2f20a487c175433a7b495a1ba408d"
severity = 90
arch_context = "x86"
scan_context = "file, memory"
license = "Elastic License v2"
os = "windows"
strings:
$a1 = "We also inform that your databases, ftp server and file server were downloaded by us to our servers." ascii fullword
$a2 = "Good day. All your files are encrypted. For decryption contact us." ascii fullword
$a3 = ".cuba" wide fullword
condition:
all of them
}