Update yara

This commit is contained in:
Mar-Pic
2025-02-25 16:18:01 +01:00
committed by GitHub
parent ba48cb8a6d
commit af4e71a652
+5 -6
@@ -7,7 +7,7 @@ rule Windows_Ransomware_NailaoLoader_0 : malware {
os = "Windows" os = "Windows"
category = "Ransomware" category = "Ransomware"
product = "p2a, mfd" product = "p2a, mfd"
threat_name = "Windows.Ransomware.NailaoLoader" threat_name = "Windows.Ransomware.NailaoLocker"
samples = "5dc36e687a7fa3cfbf845e8a53173f37ac38559b6b87f9dcf609a72b3f284035,7b8ea6b1e2a29190cb28fc98ef837bf4a7a0b71b84177ce9395a5113a843c4d3,fcb8bf42d852526214578ab4b477b29f2412a7a931c6353db4fa6c221661edf4" samples = "5dc36e687a7fa3cfbf845e8a53173f37ac38559b6b87f9dcf609a72b3f284035,7b8ea6b1e2a29190cb28fc98ef837bf4a7a0b71b84177ce9395a5113a843c4d3,fcb8bf42d852526214578ab4b477b29f2412a7a931c6353db4fa6c221661edf4"
strings: strings:
$asm_get_str_procs = { $asm_get_str_procs = {
@@ -49,12 +49,9 @@ rule Windows_Ransomware_NailaoLoader_0 : malware {
7? ?? 7? ??
} }
condition: condition:
2 of them and uint16(0) == 0x5A4D 2 of them and filesize < 500KB and uint16(0) == 0x5A4D
} }
rule Windows_Ransomware_NailaoLocker_1 : malware { rule Windows_Ransomware_NailaoLocker_1 : malware {
meta: meta:
description = "Shadowpad-associated locker ransomware's in memory strings" description = "Shadowpad-associated locker ransomware's in memory strings"
@@ -73,11 +70,13 @@ rule Windows_Ransomware_NailaoLocker_1 : malware {
$str_4 = "W:\\" ascii wide $str_4 = "W:\\" ascii wide
$str_5 = "locked.html" ascii wide $str_5 = "locked.html" ascii wide
$str_6 = "Global\\lockv7" $str_6 = "Global\\lockv7"
$str_7 = "*** Excute [%s] error with code 0x%x" wide
$str_8 = "OK Excute [%s] OK" wide
$asm_free_orig_dll = { $asm_free_orig_dll = {
4? B? ?? ?? 00 00 4? 8D (?4|?C) 24 ?? 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 85 (C?|D?|E?|F?) 74 ?? 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8D (?4|?C) 24 ?? FF 15 ?? ?? ?? 00 85(C?|D?|E?|F?) 4? B? ?? ?? 00 00 4? 8D (?4|?C) 24 ?? 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 85 (C?|D?|E?|F?) 74 ?? 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8B (C?|D?|E?|F?) FF 15 ?? ?? ?? 00 4? 8D (?4|?C) 24 ?? FF 15 ?? ?? ?? 00 85(C?|D?|E?|F?)
} }
condition: condition:
$asm_free_orig_dll and 4 of ($str_*) and uint16(0) == 0x5A4D all of them and uint16(0) == 0x5A4D
} }
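Review bot: Replacing `$asm_free_orig_dll and 4 of ($str_*)` with `all of them` in the last hunk's condition makes Windows_Ransomware_NailaoLocker_1 require every one of its nine patterns, including the two strings added just above it, so a build that drops or rewords a single string no longer matches, whereas the previous form anchored on the code pattern and tolerated partial string coverage. If the goal was to raise precision after adding `$str_7`/`$str_8`, `$asm_free_orig_dll and 6 of ($str_*) and uint16(0) == 0x5A4D` keeps both the anchor and the tolerance. In the second hunk, `filesize` is undefined when scanning process memory, so the new `filesize < 500KB` guard means Windows_Ransomware_NailaoLoader_0 will only fire on on-disk scans; that is fine if intended, but the description should say so since the sibling rule is explicitly about in-memory strings. The header counts (`-49,12 +49,9`) imply three removed lines in the second hunk that this rendered page does not show, so part of that hunk could not be reviewed. The first hunk changes `threat_name` to "Windows.Ransomware.NailaoLocker" while the rule is still named Windows_Ransomware_NailaoLoader_0; presumably both rules are being filed under one family name, but if not the rule name should follow.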