The Yanluowang ransomware was first observed in late 2021, and has been reported to utilise code-signing on its binaries. This rule relies on the PDB path and usage strings found in Windows samples.
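rule MAL_Yanluowang_strings {
    // Yanluowang ransomware (Windows PE): detected via build-path artefacts left in
    // the binary, its command-line usage text and the family name string.
    // The description previously said "function name strings", which did not match
    // the strings section; it now names what is actually matched.
    meta:
        description = "Matches PDB path and usage strings found in Yanluowang ransomware samples."
        last_modified = "2024-03-26"
        author = "@petermstewart"
        DaysofYara = "86/100"
        // Reference samples the rule was written against (YARA permits a repeated meta key).
        sha256 = "49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d"
        sha256 = "d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c"
    strings:
        // Developer workspace paths embedded at build time; $a1 is the PDB path,
        // $a2 appears to reference a vendored cryptopp source tree.
        $a1 = "C:\\Users\\111\\Desktop\\wifi\\project\\ConsoleApplication2\\Release\\ConsoleApplication2.pdb"
        $a2 = "C:\\Users\\cake\\Desktop\\project-main\\project-main\\ConsoleApplication2\\cryptopp-master"
        // Command-line usage text of the encryptor.
        $a3 = "Syntax: encrypt.exe [(-p,-path,--path)<path>]"
        // Family name as it appears in the samples.
        $a4 = "yanluowang"
    condition:
        // "MZ" DOS header: restrict evaluation to PE files.
        uint16(0) == 0x5a4d and
        // NOTE(review): $a1 and $a2 are two different build paths; confirm both occur
        // in each reference sample, otherwise "all of them" is stricter than intended.
        all of them
}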
Find the rest of my 100DaysofYARA posts here, and the rules themselves in my GitHub repository.