110 lines
No EOL
8.6 KiB
JSON
110 lines
No EOL
8.6 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-05-14",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Neo23x0 Yara Rule Set and Sigma Rule Set - WannaCry",
|
|
"publish_timestamp": "1494778333",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1494778309",
|
|
"uuid": "59188096-18dc-47dc-9a67-beaf950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:ransomware=\"WannaCry\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1494778074",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "591880da-6e40-4077-b151-4fb5950d210f",
|
|
"value": "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_wannacry.yar"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1494778102",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "591880f6-3d78-4b59-8eec-4140950d210f",
|
|
"value": "rule WannaCry_Ransomware {\r\n meta:\r\n description = \"Detects WannaCry Ransomware\"\r\n author = \"Florian Roth (with the help of binar.ly)\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"\r\n strings:\r\n $x1 = \"icacls . /grant Everyone:F /T /C /Q\" fullword ascii\r\n $x2 = \"taskdl.exe\" fullword ascii\r\n $x3 = \"tasksche.exe\" fullword ascii\r\n $x4 = \"Global\\\\MsWinZonesCacheCounterMutexA\" fullword ascii\r\n $x5 = \"WNcry@2ol7\" fullword ascii\r\n $x6 = \"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\" ascii\r\n $x7 = \"mssecsvc.exe\" fullword ascii\r\n $x8 = \"C:\\\\%s\\\\qeriuwjhrf\" fullword ascii\r\n $x9 = \"icacls . /grant Everyone:F /T /C /Q\" fullword ascii\r\n\r\n $s1 = \"C:\\\\%s\\\\%s\" fullword ascii\r\n $s2 = \"<!-- Windows 10 --> \" fullword ascii\r\n $s3 = \"cmd.exe /c \\\"%s\\\"\" fullword ascii\r\n $s4 = \"msg/m_portuguese.wnry\" fullword ascii\r\n $s5 = \"\\\\\\\\192.168.56.20\\\\IPC$\" fullword wide\r\n $s6 = \"\\\\\\\\172.16.99.5\\\\IPC$\" fullword wide\r\n\r\n $op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 }\r\n $op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 }\r\n $op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 }\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) and 1 of ($s*) or all of ($op*) )\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1494778140",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5918811c-43b0-4cd8-9a9c-406e950d210f",
|
|
"value": "rule WannaCry_Ransomware_Gen {\r\n meta:\r\n description = \"Detects WannaCry Ransomware\"\r\n author = \"Florian Roth (based on rule by US CERT)\"\r\n reference = \"https://www.us-cert.gov/ncas/alerts/TA17-132A\"\r\n date = \"2017-05-12\"\r\n hash1 = \"9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05\"\r\n hash2 = \"8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df\"\r\n hash3 = \"4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359\"\r\n strings:\r\n $s1 = \"__TREEID__PLACEHOLDER__\" fullword ascii\r\n $s2 = \"__USERID__PLACEHOLDER__\" fullword ascii\r\n $s3 = \"Windows for Workgroups 3.1a\" fullword ascii\r\n $s4 = \"PC NETWORK PROGRAM 1.0\" fullword ascii\r\n $s5 = \"LANMAN1.0\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize < 5000KB and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1494778172",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5918813c-1efc-4677-bb2b-41af950d210f",
|
|
"value": "rule WannCry_m_vbs {\r\n meta:\r\n description = \"Detects WannaCry Ransomware VBS\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b\"\r\n strings:\r\n $x1 = \".TargetPath = \\\"C:\\\\@\" ascii\r\n $x2 = \".CreateShortcut(\\\"C:\\\\@\" ascii\r\n $s3 = \" = WScript.CreateObject(\\\"WScript.Shell\\\")\" ascii\r\n condition:\r\n ( uint16(0) == 0x4553 and filesize < 1KB and all of them )\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1494778186",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5918814a-4e2c-4fa3-af92-4515950d210f",
|
|
"value": "rule WannCry_BAT {\r\n meta:\r\n description = \"Detects WannaCry Ransomware BATCH File\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077\"\r\n strings:\r\n $s1 = \"@.exe\\\">> m.vbs\" ascii\r\n $s2 = \"cscript.exe //nologo m.vbs\" fullword ascii\r\n $s3 = \"echo SET ow = WScript.CreateObject(\\\"WScript.Shell\\\")> \" ascii\r\n $s4 = \"echo om.Save>> m.vbs\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x6540 and filesize < 1KB and 1 of them )\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1494778224",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "59188170-6c20-446d-afeb-47cd950d210f",
|
|
"value": "rule WannaCry_RansomNote {\r\n meta:\r\n description = \"Detects WannaCry Ransomware Note\"\r\n author = \"Florian Roth\"\r\n reference = \"https://goo.gl/HG2j5T\"\r\n date = \"2017-05-12\"\r\n hash1 = \"4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e\"\r\n strings:\r\n $s1 = \"A: Don't worry about decryption.\" fullword ascii\r\n $s2 = \"Q: What's wrong with my files?\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x3a51 and filesize < 2KB and all of them )\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1494778266",
|
|
"to_ids": true,
|
|
"type": "sigma",
|
|
"uuid": "5918819a-24a4-4a16-a70d-4f0e950d210f",
|
|
"value": "title: WannaCry Ransomware \r\ndescription: Detects WannaCry Ransomware Activity\r\nstatus: experimental\r\nreference: \r\n - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\r\nauthor: Florian Roth\r\nlogsource:\r\n produc%WINDIR%\\\n service: security\r\n description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\\System\\Audit Process Creation > Include command line in process creation events'\r\ndetection:\r\n selection1:\r\n # Requires group policy 'Audit Process Creation' > Include command line in process creation events\r\n EventID: 4688\r\n CommandLine:\r\n - '*vssadmin delete shadows*'\r\n - '*icacls * /grant Everyone:F /T /C /Q*'\r\n - '*bcdedit /set {default} recoveryenabled no*'\r\n - '*wbadmin delete catalog -quiet*'\r\n selection2:\r\n # Does not require group policy 'Audit Process Creation' > Include command line in process creation events\r\n EventID: 4688\r\n NewProcessName:\r\n - '*\\tasksche.exe'\r\n - '*\\mssecsvc.exe'\r\n - '*\\taskdl.exe'\r\n - '*\\WanaDecryptor*'\r\n - '*\\taskhsvc.exe'\r\n - '*\\taskse.exe'\r\n - '*\\111.exe'\r\n - '*\\lhdfrgui.exe'\r\n - '*\\diskpart.exe' # Rare, but can be false positive\r\n - '*\\linuxnew.exe'\r\n - '*\\wannacry.exe'\r\n condition: selection1 or selection2\r\nfalsepositives: \r\n - Unknown\r\nlevel: critical"
|
|
}
|
|
]
|
|
}
|
|
} |