{ "type": "bundle", "id": "bundle--59188096-18dc-47dc-9a67-beaf950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:11:49.000Z", "modified": "2017-05-14T16:11:49.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--59188096-18dc-47dc-9a67-beaf950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:11:49.000Z", "modified": "2017-05-14T16:11:49.000Z", "name": "OSINT - Neo23x0 Yara Rule Set and Sigma Rule Set - WannaCry", "published": "2017-05-14T16:12:13Z", "object_refs": [ "observed-data--591880da-6e40-4077-b151-4fb5950d210f", "url--591880da-6e40-4077-b151-4fb5950d210f", "indicator--591880f6-3d78-4b59-8eec-4140950d210f", "indicator--5918811c-43b0-4cd8-9a9c-406e950d210f", "indicator--5918813c-1efc-4677-bb2b-41af950d210f", "indicator--5918814a-4e2c-4fa3-af92-4515950d210f", "indicator--59188170-6c20-446d-afeb-47cd950d210f", "indicator--5918819a-24a4-4a16-a70d-4f0e950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "misp-galaxy:ransomware=\"WannaCry\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--591880da-6e40-4077-b151-4fb5950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:07:54.000Z", "modified": "2017-05-14T16:07:54.000Z", "first_observed": "2017-05-14T16:07:54Z", "last_observed": "2017-05-14T16:07:54Z", "number_observed": 1, "object_refs": [ "url--591880da-6e40-4077-b151-4fb5950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--591880da-6e40-4077-b151-4fb5950d210f", "value": "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_wannacry.yar" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--591880f6-3d78-4b59-8eec-4140950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:08:22.000Z", "modified": "2017-05-14T16:08:22.000Z", "pattern": "[rule WannaCry_Ransomware {\r\n meta:\r\n description = \"Detects WannaCry Ransomware\"\r\n author = \"Florian Roth (with the help of binar.ly)\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"\r\n strings:\r\n $x1 = \"icacls . /grant Everyone:F /T /C /Q\" fullword ascii\r\n $x2 = \"taskdl.exe\" fullword ascii\r\n $x3 = \"tasksche.exe\" fullword ascii\r\n $x4 = \"Global\\\\MsWinZonesCacheCounterMutexA\" fullword ascii\r\n $x5 = \"WNcry@2ol7\" fullword ascii\r\n $x6 = \"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\" ascii\r\n $x7 = \"mssecsvc.exe\" fullword ascii\r\n $x8 = \"C:\\\\%s\\\\qeriuwjhrf\" fullword ascii\r\n $x9 = \"icacls . /grant Everyone:F /T /C /Q\" fullword ascii\r\n\r\n $s1 = \"C:\\\\%s\\\\%s\" fullword ascii\r\n $s2 = \" \" fullword ascii\r\n $s3 = \"cmd.exe /c \\\"%s\\\"\" fullword ascii\r\n $s4 = \"msg/m_portuguese.wnry\" fullword ascii\r\n $s5 = \"\\\\\\\\192.168.56.20\\\\IPC$\" fullword wide\r\n $s6 = \"\\\\\\\\172.16.99.5\\\\IPC$\" fullword wide\r\n\r\n $op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 }\r\n $op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 }\r\n $op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) and 1 of ($s*) or all of ($op*) )\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-05-14T16:08:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918811c-43b0-4cd8-9a9c-406e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:09:00.000Z", "modified": "2017-05-14T16:09:00.000Z", "pattern": "[rule WannaCry_Ransomware_Gen {\r\n meta:\r\n description = \"Detects WannaCry Ransomware\"\r\n author = \"Florian Roth (based on rule by US CERT)\"\r\n reference = \"https://www.us-cert.gov/ncas/alerts/TA17-132A\"\r\n date = \"2017-05-12\"\r\n hash1 = \"9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05\"\r\n hash2 = \"8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df\"\r\n hash3 = \"4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359\"\r\n strings:\r\n $s1 = \"__TREEID__PLACEHOLDER__\" fullword ascii\r\n $s2 = \"__USERID__PLACEHOLDER__\" fullword ascii\r\n $s3 = \"Windows for Workgroups 3.1a\" fullword ascii\r\n $s4 = \"PC NETWORK PROGRAM 1.0\" fullword ascii\r\n $s5 = \"LANMAN1.0\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 5000KB and all of them\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-05-14T16:09:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918813c-1efc-4677-bb2b-41af950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:09:32.000Z", "modified": "2017-05-14T16:09:32.000Z", "pattern": "[rule WannCry_m_vbs {\r\n meta:\r\n description = \"Detects WannaCry Ransomware VBS\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b\"\r\n strings:\r\n $x1 = \".TargetPath = \\\"C:\\\\@\" ascii\r\n $x2 = \".CreateShortcut(\\\"C:\\\\@\" ascii\r\n $s3 = \" = WScript.CreateObject(\\\"WScript.Shell\\\")\" ascii\r\n condition:\r\n ( uint16(0) == 0x4553 and filesize < 1KB and all of them )\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-05-14T16:09:32Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918814a-4e2c-4fa3-af92-4515950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:09:46.000Z", "modified": "2017-05-14T16:09:46.000Z", "pattern": "[rule WannCry_BAT {\r\n meta:\r\n description = \"Detects WannaCry Ransomware BATCH File\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077\"\r\n strings:\r\n $s1 = \"@.exe\\\">> m.vbs\" ascii\r\n $s2 = \"cscript.exe //nologo m.vbs\" fullword ascii\r\n $s3 = \"echo SET ow = WScript.CreateObject(\\\"WScript.Shell\\\")> \" ascii\r\n $s4 = \"echo om.Save>> m.vbs\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x6540 and filesize < 1KB and 1 of them )\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-05-14T16:09:46Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--59188170-6c20-446d-afeb-47cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:10:24.000Z", "modified": "2017-05-14T16:10:24.000Z", "pattern": "[rule WannaCry_RansomNote {\r\n meta:\r\n description = \"Detects WannaCry Ransomware Note\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e\"\r\n strings:\r\n $s1 = \"A: Don't worry about decryption.\" fullword ascii\r\n $s2 = \"Q: What's wrong with my files?\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x3a51 and filesize < 2KB and all of them )\r\n}]", "pattern_type": "yara", "pattern_version": "2.1", "valid_from": "2017-05-14T16:10:24Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"yara\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5918819a-24a4-4a16-a70d-4f0e950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2017-05-14T16:11:06.000Z", "modified": "2017-05-14T16:11:06.000Z", "pattern": "[title: WannaCry Ransomware \r\ndescription: Detects WannaCry Ransomware Activity\r\nstatus: experimental\r\nreference: \r\n - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\r\nauthor: Florian Roth\r\nlogsource:\r\n produc%WINDIR%\\\n service: security\r\n description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation > Include command line in process creation events'\r\ndetection:\r\n selection1:\r\n # Requires group policy 'Audit Process Creation' > Include command line in process creation events\r\n EventID: 4688\r\n CommandLine:\r\n - '*vssadmin delete shadows*'\r\n - '*icacls * /grant Everyone:F /T /C /Q*'\r\n - '*bcdedit /set {default} recoveryenabled no*'\r\n - '*wbadmin delete catalog -quiet*'\r\n selection2:\r\n # Does not require group policy 'Audit Process Creation' > Include command line in process creation events\r\n EventID: 4688\r\n NewProcessName:\r\n - '*\\tasksche.exe'\r\n - '*\\mssecsvc.exe'\r\n - '*\\taskdl.exe'\r\n - '*\\WanaDecryptor*'\r\n - '*\\taskhsvc.exe'\r\n - '*\\taskse.exe'\r\n - '*\\111.exe'\r\n - '*\\lhdfrgui.exe'\r\n - '*\\diskpart.exe' # Rare, but can be false positive\r\n - '*\\linuxnew.exe'\r\n - '*\\wannacry.exe'\r\n condition: selection1 or selection2\r\nfalsepositives: \r\n - Unknown\r\nlevel: critical]", "pattern_type": "sigma", "pattern_version": "2.1", "valid_from": "2017-05-14T16:11:06Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Artifacts dropped" } ], "labels": [ "misp:type=\"sigma\"", "misp:category=\"Artifacts dropped\"", "misp:to_ids=\"True\"" ] }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }