  1. /*
  2. Yara Rule Set
  3. Author: Ialle Teixeira
  4. Date: 2017-06-27
  5. Identifier: Petya
  6. */
  7.  
  8. /* Rule Set ----------------------------------------------------------------- */
  9.  
  10. rule Petya_MalwareverseBrasil {
  11. meta:
  12. description = "Samples encontrados dia 27/06 by Malwareverse Brasil"
  13. author = "Ialle Teixeira"
  14. hash1 = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
  15. hash2 = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
  16. hash3 = "752e5cf9e47509ce51382c88fc4d7e53b5ca44ba22a94063f95222634b362ca5"
  17. hash4 = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
  18.  
  19. strings:
  20. $x1 = "Ooops, your important files are encrypted." fullword wide
  21. $x2 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 " fullword wide
  22. $x3 = "-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 " fullword wide
  23. $x4 = "Send your Bitcoin wallet ID and personal installation key to e-mail " fullword wide
  24. $x5 = "fsutil usn deletejournal /D %c:" fullword wide
  25. $x6 = "wevtutil cl Setup & wevtutil cl System"
  26.  
  27. $s1 = "%s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" " fullword wide
  28. $s2 = "\\\\.\\pipe\\%ws" fullword wide
  29. $s3 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d" fullword wide
  30. $s4 = "u%s \\\\%s -accepteula -s " fullword wide
  31. $s5 = "dllhost.dat" fullword wide
  32. $s6 = "get_CurrentThread" fullword nocase wide ascii
  33.  
  34. condition:
  35. uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 3 of them )
  36. }