{
"Event" : {
"analysis" : "1" ,
"date" : "2017-05-12" ,
"extends_uuid" : "" ,
"info" : "WannaCry ransomware spreading through SMB (MS17-010 / ETERNALBLUE) and attacking multiple companies" ,
"publish_timestamp" : "1602320841" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1588338617" ,
"uuid" : "5915b22e-c3e8-4f13-9449-7f3fc0a80a8e" ,
"Orgc" : {
"name" : "INCIBE" ,
"uuid" : "56fa4fe4-f528-4480-8332-1ba3c0a80a8c"
} ,
"Tag" : [
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#3f7f00" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"vulnerability\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:ransomware=\"WannaCry\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00fff3" ,
"local" : "0" ,
"name" : "Trj=Doublepulsar" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"ETERNALBLUE\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ef1515" ,
"local" : "0" ,
"name" : "Symantec" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1588084147" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5915b3c2-fcc0-49fb-be03-7ed3c0a80a8e" ,
"value" : "https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1588084139" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5915b3e4-5928-485f-9795-565fc0a80a8e" ,
"value" : "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494634206" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5915b926-baf4-4bc1-b930-7f3ec0a80a8e" ,
"value" : "Performs connections to the Tor network (C&C .onion hidden services are listed as domain attributes in this event)"
} ,
{
"category" : "Payload delivery" ,
"comment" : "taskdl.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013291" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5915b282-0bb4-4057-ab3a-7ed3c0a80a8e" ,
"value" : "4fef5e34143e646dbf9907c4374276f5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "taskse.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013287" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5915b30b-6f00-433e-9c26-7f3fc0a80a8e" ,
"value" : "8495400f199ac77853c53b5a3f278f3e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "taskdl.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1588338617" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5915b282-b5a4-448f-ba81-7ed3c0a80a8e" ,
"value" : "47a9ad4125b6bd7c55e4e7da251e23f089407b8f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "taskse.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013306" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5915b30b-b388-4106-b603-7f3fc0a80a8e" ,
"value" : "be5d6279874da315e3080b06083757aad9b32c23"
} ,
{
"category" : "Payload delivery" ,
"comment" : "taskdl.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013314" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5915b282-27a8-4aa2-b550-7ed3c0a80a8e" ,
"value" : "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
} ,
{
"category" : "Payload delivery" ,
"comment" : "wannacry.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013318" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5915b2f7-7298-4fa9-af0b-557ec0a80a8e" ,
"value" : "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
} ,
{
"category" : "Payload delivery" ,
"comment" : "taskse.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013321" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5915b30c-5670-438a-81ad-7f3fc0a80a8e" ,
"value" : "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "u.wnry" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013326" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5915b33e-bf0c-49c0-bdf9-5582c0a80a8e" ,
"value" : "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "https://twitter.com/gN3mes1s/status/863149075159543808" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494633160" ,
"to_ids" : true ,
"type" : "mutex" ,
"uuid" : "59164ac8-180c-419c-bf20-0387c0a80a8e" ,
"value" : "MsWinZonesCacheCounterMutexA"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1588084145" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59164b00-ea34-4a56-b2e3-7f3ec0a80a8e" ,
"value" : "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013257" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59164b98-41d4-4fa5-85d4-7f3fc0a80a8e" ,
"value" : "gx7ekbenv2riucmf.onion"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013260" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59164b98-4350-4c3e-a5a2-7f3fc0a80a8e" ,
"value" : "57g7spgrzlojinas.onion"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013265" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59164b99-5768-454a-b81b-7f3fc0a80a8e" ,
"value" : "xxlvbrloxvriy2c5.onion"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013269" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59164b99-d354-4572-8500-7f3fc0a80a8e" ,
"value" : "76jdd2ir2embyv47.onion"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013272" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59164b99-d7f0-4703-87c8-7f3fc0a80a8e" ,
"value" : "cwwnhwhlz52maqm7.onion"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713981" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867d-0130-4055-b361-43f4c0a80a8e" ,
"value" : "176641494574290.bat"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713981" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867d-caf8-4e4c-8b5d-43f4c0a80a8e" ,
"value" : "@Please_Read_Me@.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713981" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867d-1fac-4084-bb8b-43f4c0a80a8e" ,
"value" : "@WanaDecryptor@.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713981" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867d-ad24-4b97-a77a-43f4c0a80a8e" ,
"value" : "@WanaDecryptor@.exe.lnk"
} ,
{
"category" : "Payload delivery" ,
"comment" : "(Older variant) - https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713981" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867d-8cb8-4905-93f0-43f4c0a80a8e" ,
"value" : "Please Read Me!.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013277" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-db5c-4ca5-8aa8-43f4c0a80a8e" ,
"value" : "%WINDIR%\\tasksche.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-b8b4-456a-9098-43f4c0a80a8e" ,
"value" : "%WINDIR%\\qeriuwjhrf"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-9c90-4715-ae88-43f4c0a80a8e" ,
"value" : "131181494299235.bat"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-4b3c-47f8-978a-43f4c0a80a8e" ,
"value" : "217201494590800.bat"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Regex pattern, not a literal filename (the 15-digit *.bat dropper names listed above fit it); do not export it to IDS as a literal string - https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5917867e-bf70-410e-a68c-43f4c0a80a8e" ,
"value" : "[0-9]{15}.bat"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-6ebc-425a-beae-43f4c0a80a8e" ,
"value" : "!WannaDecryptor!.exe.lnk"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-6488-42f1-abb6-43f4c0a80a8e" ,
"value" : "00000000.pky"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-8648-438d-9087-43f4c0a80a8e" ,
"value" : "00000000.eky"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-ad3c-48eb-afa9-43f4c0a80a8e" ,
"value" : "00000000.res"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713982" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5917867e-72fc-4114-b3f2-43f4c0a80a8e" ,
"value" : "%WINDIR%\\system32\\taskdl.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713981" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5917867d-791c-4fd8-a73e-43f4c0a80a8e" ,
"value" : "fefe6b30d0819f1a1775e14730a10e0e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713767" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591785a7-9470-43b7-acbe-43f2c0a80a8e" ,
"value" : "85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713767" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591785a7-f5a4-4f64-bfb0-43f2c0a80a8e" ,
"value" : "3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713742" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917858e-99d8-458d-96cb-43f2c0a80a8e" ,
"value" : "dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713743" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917858f-5e10-4534-b16f-43f2c0a80a8e" ,
"value" : "201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013334" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917858f-9c64-47de-8999-43f2c0a80a8e" ,
"value" : "c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013331" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917858f-c9d4-4db1-9950-43f2c0a80a8e" ,
"value" : "09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713743" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917858f-e220-4492-a1e2-43f2c0a80a8e" ,
"value" : "aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713744" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-2db8-432a-8ca9-43f2c0a80a8e" ,
"value" : "21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713744" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-10a8-4cc1-927b-43f2c0a80a8e" ,
"value" : "2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013339" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-80e0-4c92-a255-43f2c0a80a8e" ,
"value" : "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013343" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-b68c-4f8c-8b10-43f2c0a80a8e" ,
"value" : "f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013346" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-2638-4f4e-b40e-43f2c0a80a8e" ,
"value" : "4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013349" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-f04c-46b6-97db-43f2c0a80a8e" ,
"value" : "9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013352" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-7ea0-4bfa-abb8-43f2c0a80a8e" ,
"value" : "78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013354" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59178590-8f04-4e97-80dd-43f2c0a80a8e" ,
"value" : "be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713758" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917859e-0ed0-4445-be26-43f2c0a80a8e" ,
"value" : "5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713758" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917859e-0268-488a-afa9-43f2c0a80a8e" ,
"value" : "76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713758" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917859e-f96c-4d4b-b388-43f2c0a80a8e" ,
"value" : "fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013363" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917859e-21c8-4d66-92c2-43f2c0a80a8e" ,
"value" : "eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713758" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917859e-3e7c-4c80-ae7b-43f2c0a80a8e" ,
"value" : "043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013365" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917859e-5aa8-455e-8ebc-43f2c0a80a8e" ,
"value" : "57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013368" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5917859e-96a0-47c6-8a1b-43f2c0a80a8e" ,
"value" : "ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713767" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591785a7-0430-4db2-9490-43f2c0a80a8e" ,
"value" : "f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713767" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591785a7-da0c-494e-b6da-43f2c0a80a8e" ,
"value" : "3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713767" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591785a7-9514-44a9-8dbb-43f2c0a80a8e" ,
"value" : "9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497013372" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591785a7-ed1c-4e2b-945d-43f2c0a80a8e" ,
"value" : "5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec"
} ,
{
"category" : "Payload delivery" ,
"comment" : "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494713767" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "591785a7-22a8-42e2-be59-43f2c0a80a8e" ,
"value" : "12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "https://github.com/felmoltor/rules/blob/master/malware/malw_ms17-010_wannacrypt.yar" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494766382" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5918532e-a4a0-4e26-b64e-32f8c0a80a8e" ,
"value" : "/*\r\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\r\n\r\n*/\r\n\r\nimport \"pe\"\r\n\r\nrule MS17_010_WanaCry_worm {\r\n\tmeta:\r\n\t\tdescription = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n\t\tauthor = \"Felipe Molina (@felmoltor)\"\r\n\t\treference = \"https://www.exploit-db.com/exploits/41987/\"\r\n\t\tdate = \"2017/05/12\"\r\n\tstrings:\r\n\t\t$ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n\t\t$ms17010_str2=\"LANMAN1.0\"\r\n\t\t$ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n\t\t$ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n\t\t$ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n\t\t$wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n\t\t$wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\n\t\t$wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}"
} ,
{
"category" : "Network activity" ,
"comment" : "Killswitch domain - do NOT block or sinkhole. Direct (non-proxied) outbound access must be allowed so the malware's kill-switch check can succeed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495030955" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "591854fd-1594-4719-9c4d-32fac0a80a8e" ,
"value" : "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Killswitch domain - do NOT block or sinkhole. Direct (non-proxied) outbound access must be allowed so the malware's kill-switch check can succeed. https://twitter.com/msuiche/status/863730377642442752" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495030911" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "591854fe-ad74-44ca-a8e1-32fac0a80a8e" ,
"value" : "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "Run-key persistence launching tasksche.exe (see the %WINDIR%\\tasksche.exe filename attribute above) - https://blog.fox-it.com/2017/05/13/faq-on-the-wanacry-ransomware-outbreak/" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494767166" ,
"to_ids" : true ,
"type" : "regkey|value" ,
"uuid" : "5918563e-ba80-4fb7-a058-32fbc0a80a8e" ,
"value" : "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\|\\tasksche.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ifferfsod\u2026 variant (sample tied to the www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com killswitch domain listed above)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494790951" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5918b327-f48c-44b9-8dc7-32fac0a80a8e" ,
"value" : "32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Worm-only variant detected by Kaspersky (encryptor is broken) - https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494791292" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5918b47c-1e74-46be-b9a8-32f8c0a80a8e" ,
"value" : "07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Stage2 dropped by worm-only variant - https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494793034" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5918bb4a-68a8-4ddc-a39d-5dccc0a80a8e" ,
"value" : "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
} ,
{
"category" : "Payload delivery" ,
"comment" : "diskpart.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1494844950" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59198616-f304-4e1a-9bab-3a1dc0a80a8e" ,
"value" : "55454390f7be33ab5c11b5e0683800dd9a892ce136f1962b0989526fff5592d5"
} ,
{
"category" : "Network activity" ,
"comment" : "Killswitch domain - do NOT block or sinkhole. Direct (non-proxied) outbound access must be allowed so the malware's kill-switch check can succeed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495030793" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "591c5c09-ffd8-410e-9347-30b5c0a80a8e" ,
"value" : "www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Killswitch domain - do NOT block or sinkhole. Direct (non-proxied) outbound access must be allowed so the malware's kill-switch check can succeed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495030793" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "591c5c09-71b4-486b-99ca-30b5c0a80a8e" ,
"value" : "www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Killswitch domain - do NOT block or sinkhole. Direct (non-proxied) outbound access must be allowed so the malware's kill-switch check can succeed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495030794" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "591c5c0a-d954-4b78-b7fe-30b5c0a80a8e" ,
"value" : "www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Killswitch domain - do NOT block or sinkhole. Direct (non-proxied) outbound access must be allowed so the malware's kill-switch check can succeed" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1495034940" ,
"to_ids" : false ,
"type" : "hostname" ,
"uuid" : "591c6c3c-d80c-4ccc-8138-30b6c0a80a8e" ,
"value" : "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule Wanna_Cry_Ransomware_Generic (US-CERT). Caveat: in YARA 'and' binds tighter than 'or', so this condition fires on any single one of $s4-$s8 (e.g. \"PKS\" or \"StartTask\" alone) and is false-positive prone; parenthesize the condition before enabling it for IDS" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332752" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49aed0-fff8-43b4-9172-0ad30a646538" ,
"value" : "rule Wanna_Cry_Ransomware_Generic {\r\n meta:\r\n description = \"Detects WannaCry Ransomware on disk and in virtual page\"\r\n author = \"US-CERT Code Analysis Team\"\r\n reference = \"not set\" \r\n date = \"2017/05/12\"\r\n hash0 = \"4DA1F312A214C07143ABEEAFB695D904\"\r\n \r\n strings:\r\n $s0 = {410044004D0049004E0024}\r\n $s1 = \"WannaDecryptor\"\r\n $s2 = \"WANNACRY\"\r\n $s3 = \"Microsoft Enhanced RSA and AES Cryptographic\"\r\n $s4 = \"PKS\"\r\n $s5 = \"StartTask\"\r\n $s6 = \"wcry@123\"\r\n $s7 = {2F6600002F72}\r\n $s8 = \"unzip 0.15 Copyrigh\"\r\n\r\n condition:\r\n $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8\r\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule MS17_010_WanaCry_worm (same felmoltor rule as the to_ids=true yara attribute above, minus the license header and pe import)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332767" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49aedf-b310-40b5-ba84-0ac40a646538" ,
"value" : "rule MS17_010_WanaCry_worm {\r\n meta:\r\n description = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n author = \"Felipe Molina (@felmoltor)\"\r\n reference = \"https://www.exploit-db.com/exploits/41987/\"\r\n date = \"2017/05/12\"\r\n\r\n strings:\r\n $ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n $ms17010_str2=\"LANMAN1.0\"\r\n $ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n $ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n $ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n $wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n $wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\n $wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\n\r\n condition:\r\n all of them\r\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule wannacry_1 : ransom" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332785" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49aef1-9c60-4202-8c5a-0b040a646538" ,
"value" : "rule wannacry_1 : ransom\r\n{\r\n meta:\r\n author = \"Joshua Cannell\"\r\n description = \"WannaCry Ransomware strings\"\r\n weight = 100\r\n date = \"2017-05-12\"\r\n \r\n strings:\r\n $s1 = \"Ooops, your files have been encrypted!\" wide ascii nocase\r\n $s2 = \"Wanna Decryptor\" wide ascii nocase\r\n $s3 = \".wcry\" wide ascii nocase\r\n $s4 = \"WANNACRY\" wide ascii nocase\r\n $s5 = \"WANACRY!\" wide ascii nocase\r\n $s7 = \"icacls . /grant Everyone:F /T /C /Q\" wide ascii nocase\r\n \r\n condition:\r\n any of them\r\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule wannacry_2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332806" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49af06-a53c-496e-83a1-0a740a646538" ,
"value" : "rule wannacry_2\r\n{\r\n meta:\r\n author = \"Harold Ogden\"\r\n description = \"WannaCry Ransomware Strings\"\r\n date = \"2017-05-12\"\r\n weight = 100\r\n\r\n strings:\r\n $string1 = \"msg/m_bulgarian.wnry\"\r\n $string2 = \"msg/m_chinese (simplified).wnry\"\r\n $string3 = \"msg/m_chinese (traditional).wnry\"\r\n $string4 = \"msg/m_croatian.wnry\"\r\n $string5 = \"msg/m_czech.wnry\"\r\n $string6 = \"msg/m_danish.wnry\"\r\n $string7 = \"msg/m_dutch.wnry\"\r\n $string8 = \"msg/m_english.wnry\"\r\n $string9 = \"msg/m_filipino.wnry\"\r\n $string10 = \"msg/m_finnish.wnry\"\r\n $string11 = \"msg/m_french.wnry\"\r\n $string12 = \"msg/m_german.wnry\"\r\n $string13 = \"msg/m_greek.wnry\"\r\n $string14 = \"msg/m_indonesian.wnry\"\r\n $string15 = \"msg/m_italian.wnry\"\r\n $string16 = \"msg/m_japanese.wnry\"\r\n $string17 = \"msg/m_korean.wnry\"\r\n $string18 = \"msg/m_latvian.wnry\"\r\n $string19 = \"msg/m_norwegian.wnry\"\r\n $string20 = \"msg/m_polish.wnry\"\r\n $string21 = \"msg/m_portuguese.wnry\"\r\n $string22 = \"msg/m_romanian.wnry\"\r\n $string23 = \"msg/m_russian.wnry\"\r\n $string24 = \"msg/m_slovak.wnry\"\r\n $string25 = \"msg/m_spanish.wnry\"\r\n $string26 = \"msg/m_swedish.wnry\"\r\n $string27 = \"msg/m_turkish.wnry\"\r\n $string28 = \"msg/m_vietnamese.wnry\"\r\n\r\n condition:\r\n any of ($string*)\r\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule WannaDecryptor: WannaDecryptor" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332825" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49af19-a7c0-4985-8408-0b040a646538" ,
"value" : "rule WannaDecryptor: WannaDecryptor\r\n{\r\n meta:\r\n description = \"Detection for common strings of WannaDecryptor\"\r\n\r\n strings:\r\n $id1 = \"taskdl.exe\"\r\n $id2 = \"taskse.exe\"\r\n $id3 = \"r.wnry\"\r\n $id4 = \"s.wnry\"\r\n $id5 = \"t.wnry\"\r\n $id6 = \"u.wnry\"\r\n $id7 = \"msg/m_\"\r\n\r\n condition:\r\n 3 of them\r\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332846" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49af2e-4268-4f6c-8e7e-0a740a646538" ,
"value" : "rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549\r\n{\r\n meta:\r\n description = \"Specific sample match for WannaCryptor\"\r\n MD5 = \"84c82835a5d21bbcf75a61706d8ab549\"\r\n SHA1 = \"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\"\r\n SHA256 = \"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"\r\n INFO = \"Looks for 'taskdl' and 'taskse' at known offsets\"\r\n\r\n strings:\r\n $taskdl = { 00 74 61 73 6b 64 6c }\r\n $taskse = { 00 74 61 73 6b 73 65 }\r\n\r\n condition:\r\n $taskdl at 3419456 and $taskse at 3422953\r\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332862" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49af3e-6cec-4a29-ac04-0a730a646538" ,
"value" : "rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904\r\n{\r\n meta:\r\n description = \"Specific sample match for WannaCryptor\"\r\n MD5 = \"4da1f312a214c07143abeeafb695d904\"\r\n SHA1 = \"b629f072c9241fd2451f1cbca2290197e72a8f5e\"\r\n SHA256 = \"aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c\"\r\n INFO = \"Looks for offsets of r.wry and s.wry instances\"\r\n\r\n strings:\r\n $rwnry = { 72 2e 77 72 79 }\r\n $swnry = { 73 2e 77 72 79 }\r\n\r\n condition:\r\n $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639\r\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "Yara rule NHS_Strain_Wanna: NHS_Strain_Wanna" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332878" ,
"to_ids" : false ,
"type" : "yara" ,
"uuid" : "5c49af4e-4038-4f74-ba91-0aec0a646538" ,
"value" : "rule NHS_Strain_Wanna: NHS_Strain_Wanna\r\n{\r\n meta:\r\n description = \"Detection for worm-strain bundle of Wcry, DOublePulsar\"\r\n MD5 = \"db349b97c37d22f5ea1d1841e3c89eb4\"\r\n SHA1 = \"e889544aff85ffaf8b0d0da705105dee7c97fe26\"\r\n SHA256 = \"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"\r\n INFO = \"Looks for specific offsets of c.wnry and t.wnry strings\"\r\n\r\n strings:\r\n $cwnry = { 63 2e 77 6e 72 79 }\r\n $twnry = { 74 2e 77 6e 72 79 }\r\n\r\n condition:\r\n $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970\r\n}"
}
]
}
}