
Updated YARA for WannaCryptor, 3 Specific 1 Generic

a guest May 13th, 2017 1,279 Never
/*
Four YARA rules to check for payloads on systems. Thanks to sinkholing, encryption may not occur, BUT you may still have binaries lying around.
If you get a match for "WannaDecryptor" and not for any of the Wanna_Sample rules, then you may have a variant!

Check out http://yara.readthedocs.io on how to write and add a rule as below and index your
rule by the sample hashes.  Add, share, rinse and repeat!
*/
  8.  
  9. rule WannaDecryptor: WannaDecryptor
  10. {
  11.         meta:
  12.                 description = "Detection for common strings of WannaDecryptor"
  13.  
  14.         strings:
  15.                 $id1 = "taskdl.exe"
  16.                 $id2 = "taskse.exe"
  17.                 $id3 = "r.wnry"
  18.                 $id4 = "s.wnry"
  19.                 $id5 = "t.wnry"
  20.                 $id6 = "u.wnry"
  21.                 $id7 = "msg/m_"
  22.  
  23.         condition:
  24.                 3 of them
  25. }
  26. rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
  27. {
  28.         meta:
  29.                 description = "Specific sample match for WannaCryptor"
  30.                 MD5 = "84c82835a5d21bbcf75a61706d8ab549"
  31.                 SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
  32.                 SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
  33.                 INFO = "Looks for 'taskdl' and 'taskse' at known offsets"
  34.  
  35.         strings:
  36.                 $taskdl = { 00 74 61 73 6b 64 6c }
  37.                 $taskse = { 00 74 61 73 6b 73 65 }
  38.  
  39.         condition:
  40.                 $taskdl at 3419456 and $taskse at 3422953
  41. }
  42. rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904
  43. {
  44.         meta:
  45.                 description = "Specific sample match for WannaCryptor"
  46.                 MD5 = "4da1f312a214c07143abeeafb695d904"
  47.                 SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
  48.                 SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c"
  49.                 INFO = "Looks for offsets of r.wry and s.wry instances"
  50.  
  51.         strings:
  52.                 $rwnry = { 72 2e 77 72 79 }
  53.                 $swnry = { 73 2e 77 72 79 }
  54.  
  55.         condition:
  56.                 $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639
  57. }
  58. rule NHS_Strain_Wanna: NHS_Strain_Wanna
  59. {
  60.         meta:
  61.                 description = "Detection for worm-strain bundle of Wcry, DOublePulsar"
  62.                 MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
  63.                 SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26"
  64.                 SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
  65.                 INFO = "Looks for specific offsets of c.wnry and t.wnry strings"
  66.  
  67.         strings:
  68.                 $cwnry = { 63 2e 77 6e 72 79 }
  69.                 $twnry = { 74 2e 77 6e 72 79 }
  70.  
  71.         condition:
  72.                 $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970
  73. }