From af4e71a6524dcb024635ae24e8b8e5c51f369ec5 Mon Sep 17 00:00:00 2001
From: Mar-Pic
Date: Tue, 25 Feb 2025 16:18:01 +0100
Subject: [PATCH] Update yara
---
 green_nailao/yara | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/green_nailao/yara b/green_nailao/yara
index 117f9a8..9092924 100644
--- a/green_nailao/yara
+++ b/green_nailao/yara
@@ -7,7 +7,7 @@ rule Windows_Ransomware_NailaoLoader_0 : malware {
 os = "Windows"
 category = "Ransomware"
 product = "p2a, mfd"
- threat_name = "Windows.Ransomware.NailaoLoader"
+ threat_name = "Windows.Ransomware.NailaoLocker"
 samples = "5dc36e687a7fa3cfbf845e8a53173f37ac38559b6b87f9dcf609a72b3f284035,7b8ea6b1e2a29190cb28fc98ef837bf4a7a0b71b84177ce9395a5113a843c4d3,fcb8bf42d852526214578ab4b477b29f2412a7a931c6353db4fa6c221661edf4"
 strings:
 $asm_get_str_procs = {
@@ -39,7 +39,7 @@ rule Windows_Ransomware_NailaoLoader_0 : malware {
 80 7B ?1 ??
 0F 85 ?? 00 00 00
 80 7B ?2 ??
- 0F 85 ?? 00 00 00
+ 0F 85 ?? 00 00 00
 }
 $asm_unxor_paylaod ={
 (80 C?|0?) ?? [0-4]
@@ -49,12 +49,9 @@ rule Windows_Ransomware_NailaoLoader_0 : malware {
 7? ??
 }
 condition:
- 2 of them and uint16(0) == 0x5A4D
+ 2 of them and filesize < 500KB and uint16(0) == 0x5A4D
 }
-
-
-
 rule Windows_Ransomware_NailaoLocker_1 : malware {
 meta:
 description = "Shadowpad-associated locker ransomware's in memory strings"
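Review bot: The meta `threat_name` of rule Windows_Ransomware_NailaoLoader_0 now reads `Windows.Ransomware.NailaoLocker`, which no longer matches the rule's own identifier and collides with the naming of the separate Windows_Ransomware_NailaoLocker_1 rule later in the file, so hits from the two rules become indistinguishable by threat_name downstream. If this rule is meant to remain the loader detection, keep `threat_name = "Windows.Ransomware.NailaoLoader"`; if the rename is deliberate because both rules cover the same family, rename the rule identifier alongside it, e.g. `rule Windows_Ransomware_NailaoLocker_0 : malware {`, and say so in `description`. The rule's meta block begins before this hunk, so the description field is not visible here.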
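Review bot: The new `filesize < 500KB` guard in the condition of Windows_Ransomware_NailaoLoader_0 is an undocumented hard cutoff: the three hashes in `samples` presumably sit under it, but nothing in the rule records why 500KB was chosen, and a build that is padded or carries a larger embedded payload silently stops matching. Record the rationale next to the condition, e.g. `// filesize cap: known samples are well below 500KB; revisit if larger builds appear`, and consider ordering the cheap header checks first, `uint16(0) == 0x5A4D and filesize < 500KB and 2 of them`, which is the usual YARA layout. Dropping every blank line between the two rules is cosmetic but hurts readability; one separating blank line is conventional.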
@@ -68,16 +65,18 @@ rule Windows_Ransomware_NailaoLocker_1 : malware {
 samples = "2f95e360defa443d7a405ae657ebfd369da6834528d6e390a7aebe7a61592a44"
 strings:
 $str_1 = ".locked" ascii wide
- $str_2 = "lock.log" ascii wide
- $str_3 = "%ProgramData%\\lock.log" ascii wide
+ $str_2 = "lock.log" ascii wide
+ $str_3 = "%ProgramData%\\lock.log" ascii wide
 $str_4 = "W:\\" ascii wide
 $str_5 = "locked.html" ascii wide
 $str_6 = "Global\\lockv7"
+ $str_7 = "*** Excute [%s] error with code 0x%x" wide
+ $str_8 = "OK Excute [%s] OK" wide
 $asm_free_orig_dll = { 4? B? ?? ?? 00 00 4? 8D (?4|?C) 24 ?? 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 85 (C?|D?|E?|F?) 74 ?? 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8D (?4|?C) 24 ?? FF 15 ?? ?? ?? 00 85(C?|D?|E?|F?) }
 condition:
- $asm_free_orig_dll and 4 of ($str_*) and uint16(0) == 0x5A4D
+ all of them and uint16(0) == 0x5A4D
 }
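Review bot: Replacing `$asm_free_orig_dll and 4 of ($str_*)` with `all of them` makes Windows_Ransomware_NailaoLocker_1 require every one of the eight strings plus the hex pattern, so a build where any single artefact differs — a changed log path, an absent `W:\\` string, or a corrected spelling of the `Excute` messages — stops matching; that is a coverage regression rather than a tightening. A threshold that still benefits from the two new strings would be `$asm_free_orig_dll and 6 of ($str_*) and uint16(0) == 0x5A4D`. The misspelled `Excute` in `$str_7`/`$str_8` appears to be the sample's own spelling, so a comment such as `// "Excute" is verbatim from the sample — do not correct` would stop a future maintainer from fixing it away, and `$str_7`/`$str_8` are `wide` only while the earlier strings are `ascii wide`, which deserves a note if deliberate. The `$str_2`/`$str_3` lines appear to change only in whitespace.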