#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to triage a set of samples in one pass. Two caveats before you run it: some of the rules use the base64 string modifier, which was introduced in YARA 4.0 and is not supported by older versions, and a few use regular expressions, which can noticeably slow scanning of larger sample sets.

Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 91 – Hunters International Ransomware Note

Two rules to cover the Hunters International ransom note; one which includes the associated .onion addresses…

rule MAL_HuntersInternational_ransomnote {
    meta:
        description = "Matches strings found in Hunters International ransom notes."
        last_modified = "2024-03-31"
        author = "@petermstewart"
        DaysofYara = "91/100"

    strings:
        $a1 = "_   _ _   _ _   _ _____ _____ ____  ____"
        $a2 = "| | | | | | | \\ | |_   _| ____|  _ \\/ ___|"
        $a3 = "| |_| | | | |  \\| | | | |  _| | |_) \\___ \\"
        $a4 = "|  _  | |_| | |\\  | | | | |___|  _ < ___) |"
        $a5 = "|_|_|_|\\___/|_|_\\_|_|_|_|_____|_|_\\_\\____/____ ___ ___  _   _    _    _"
        $a6 = "|_ _| \\ | |_   _| ____|  _ \\| \\ | |  / \\|_   _|_ _/ _ \\| \\ | |  / \\  | |"
        $a7 = "| ||  \\| | | | |  _| | |_) |  \\| | / _ \\ | |  | | | | |  \\| | / _ \\ | |"
        $a8 = "| || |\\  | | | | |___|  _ <| |\\  |/ ___ \\| |  | | |_| | |\\  |/ ___ \\| |___"
        $a9 = "|___|_| \\_| |_| |_____|_| \\_\\_| \\_/_/   \\_\\_| |___\\___/|_| \\_/_/   \\_\\_____|"
        $b1 = "hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion"
        $b2 = "hunters33dootzzwybhxyh6xnmumopeoza6u4hkontdqu7awnhmix7ad.onion"
        $b3 = "hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion"
        $b4 = "hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion"

    condition:
        filesize < 5KB and
        all of ($a*) and
        1 of ($b*)
}

…and a second, lower-confidence HUNT rule that matches only the ASCII art logo. It has no filesize restriction, so it will also fire on the logo wherever it turns up, for example in a memory dump or a file that embeds the note.

rule HUNT_HuntersInternational_ascii_art {
    meta:
        description = "Matches ascii art found in Hunters International ransomware notes."
        last_modified = "2024-03-31"
        author = "@petermstewart"
        DaysofYara = "91/100"

    strings:
        $a1 = "_   _ _   _ _   _ _____ _____ ____  ____"
        $a2 = "| | | | | | | \\ | |_   _| ____|  _ \\/ ___|"
        $a3 = "| |_| | | | |  \\| | | | |  _| | |_) \\___ \\"
        $a4 = "|  _  | |_| | |\\  | | | | |___|  _ < ___) |"
        $a5 = "|_|_|_|\\___/|_|_\\_|_|_|_|_____|_|_\\_\\____/____ ___ ___  _   _    _    _"
        $a6 = "|_ _| \\ | |_   _| ____|  _ \\| \\ | |  / \\|_   _|_ _/ _ \\| \\ | |  / \\  | |"
        $a7 = "| ||  \\| | | | |  _| | |_) |  \\| | / _ \\ | |  | | | | |  \\| | / _ \\ | |"
        $a8 = "| || |\\  | | | | |___|  _ <| |\\  |/ ___ \\| |  | | |_| | |\\  |/ ___ \\| |___"
        $a9 = "|___|_| \\_| |_| |_____|_| \\_\\_| \\_/_/   \\_\\_| |___\\___/|_| \\_/_/   \\_\\_____|"

    condition:
        all of them
}
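The two note rules are easy to get subtly wrong because every line of the logo carries escaped backslashes: in a YARA text string `\\` is one backslash in the file, so a single missed escape silently breaks `all of ($a*)`. The following is an added example, not code from the post: it decodes the rule strings the way YARA does, re-evaluates both conditions in plain Python (the function names `yara_unescape`, `scan` and `build_note` are mine), and runs them over constructed notes to show where the MAL and HUNT rules diverge. The art lines and .onion addresses are copied from the rules; the surrounding note text is invented for the test.

```python
"""Added example, not from the original post: the two ransom-note rules
re-evaluated in plain Python so the escaped YARA strings can be checked
against the decoded art and the rules compared on constructed notes."""
from __future__ import annotations

# ASCII-art lines exactly as written in the YARA rules (YARA text strings
# take C-style escapes, so "\\" in the rule is one backslash in the file).
ART_LINES_YARA = [
    r"_   _ _   _ _   _ _____ _____ ____  ____",
    r"| | | | | | | \\ | |_   _| ____|  _ \\/ ___|",
    r"| |_| | | | |  \\| | | | |  _| | |_) \\___ \\",
    r"|  _  | |_| | |\\  | | | | |___|  _ < ___) |",
    r"|_|_|_|\\___/|_|_\\_|_|_|_|_____|_|_\\_\\____/____ ___ ___  _   _    _    _",
    r"|_ _| \\ | |_   _| ____|  _ \\| \\ | |  / \\|_   _|_ _/ _ \\| \\ | |  / \\  | |",
    r"| ||  \\| | | | |  _| | |_) |  \\| | / _ \\ | |  | | | | |  \\| | / _ \\ | |",
    r"| || |\\  | | | | |___|  _ <| |\\  |/ ___ \\| |  | | |_| | |\\  |/ ___ \\| |___",
    r"|___|_| \\_| |_| |_____|_| \\_\\_| \\_/_/   \\_\\_| |___\\___/|_| \\_/_/   \\_\\_____|",
]
# The $b strings from MAL_HuntersInternational_ransomnote.
ONION_ADDRESSES = [
    "hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion",
    "hunters33dootzzwybhxyh6xnmumopeoza6u4hkontdqu7awnhmix7ad.onion",
    "hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion",
    "hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion",
]

_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "t": "\t", "r": "\r"}


def yara_unescape(s: str) -> str:
    """Decode the escapes a YARA text string accepts: backslash, quote, n, t, r, xNN."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i])
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "x":                                   # \xNN hex byte
            out.append(chr(int(s[i + 2:i + 4], 16)))
            i += 4
        else:
            out.append(_ESCAPES[nxt])
            i += 2
    return "".join(out)


ART_DECODED = [yara_unescape(line) for line in ART_LINES_YARA]


def mal_huntersinternational_ransomnote(data: bytes) -> bool:
    """filesize < 5KB and all of ($a*) and 1 of ($b*)  (YARA's KB is 1024 bytes)."""
    return (len(data) < 5 * 1024
            and all(a.encode() in data for a in ART_DECODED)
            and any(b.encode() in data for b in ONION_ADDRESSES))


def hunt_huntersinternational_ascii_art(data: bytes) -> bool:
    """all of them: the logo alone, with no size limit."""
    return all(a.encode() in data for a in ART_DECODED)


RULES = {
    "MAL_HuntersInternational_ransomnote": mal_huntersinternational_ransomnote,
    "HUNT_HuntersInternational_ascii_art": hunt_huntersinternational_ascii_art,
}


def scan(data: bytes) -> list[str]:
    """Names of the rules that match, in the order the post presents them."""
    return [name for name, rule in RULES.items() if rule(data)]


def build_note(onion: str | None = None, pad: int = 0) -> bytes:
    """Constructed test note: decoded logo, invented filler text, an optional
    contact address and optional padding to push the size past 5KB."""
    text = "\n".join(ART_DECODED) + "\n\nYour files have been encrypted.\n"
    if onion:
        text += f"Contact us at http://{onion}/\n"
    return (text + "#" * pad).encode()


if __name__ == "__main__":
    for label, note in [
        ("note with .onion", build_note(ONION_ADDRESSES[0])),
        ("art only", build_note()),
        ("note padded past 5KB", build_note(ONION_ADDRESSES[0], pad=6000)),
    ]:
        print(f"{label:22} -> {scan(note)}")
```

The padded case is the one to keep in mind when triaging: a note that has been wrapped in a larger artefact (a dropped HTML page, a log capture) loses the MAL match on `filesize < 5KB` but still trips the HUNT rule, which is exactly the split the two rules are designed to give.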

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 90 – Hunters International Ransomware

The Hunters International ransomware was first observed in late 2023 and has been reported to be a rebrand of Hive, whose infrastructure was disrupted by law enforcement in January 2023. This rule matches strings found in a Windows Hunters International sample: a Rust source path left in the encryptor (windows_encrypt/src/main.rs) and the status messages it emits while walking the filesystem ("skipped, …", "got, dir:", "encrypting"). The uint16(0) == 0x5a4d check restricts the rule to PE files, so it will not fire on a non-Windows build even if that build carries the same strings.

rule MAL_HuntersInternational_strings {
    meta:
        description = "Matches strings found in Hunters International ransomware samples."
        last_modified = "2024-03-30"
        author = "@petermstewart"
        DaysofYara = "90/100"
        sha256 = "c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e"

    strings:
        $a1 = "windows_encrypt/src/main.rs"
        $a2 = "skipped, reserve dir"
        $a3 = "skipped, min size:"
        $a4 = "skipped, symlink:"
        $a5 = "skipped, reserved file:"
        $a6 = "skipped, reserved extension:"
        $a7 = "got, dir:"
        $a8 = "encrypting"

    condition:
        uint16(0) == 0x5a4d and
        all of them
}
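The header check is the part of this rule people most often mistype, because `uint16(0)` reads little-endian: the bytes `M` (0x4d) and `Z` (0x5a) come back as 0x5a4d, not 0x4d5a. The following is an added example, not code from the post: it evaluates the rule's condition in Python (the helper names `uint16_at`, `fake_binary` and the sample blobs are mine) over constructed byte blobs, to show that the strings alone are not enough and that a non-PE file with the same strings is deliberately excluded. The strings are copied from the rule; the blobs are invented stand-ins, not real samples.

```python
"""Added example, not from the original post: the MAL_HuntersInternational_strings
condition evaluated in Python on constructed blobs, to show what the
uint16(0) == 0x5a4d header check admits and rejects."""
from __future__ import annotations
import struct

# The eight strings from the rule, all of which must be present.
STRINGS = [
    b"windows_encrypt/src/main.rs",
    b"skipped, reserve dir",
    b"skipped, min size:",
    b"skipped, symlink:",
    b"skipped, reserved file:",
    b"skipped, reserved extension:",
    b"got, dir:",
    b"encrypting",
]


def uint16_at(data: bytes, offset: int) -> int | None:
    """YARA's uint16(offset): a little-endian read that is undefined when the
    offset runs past the end of the file (modelled here as None, which never
    compares equal, so the condition is false on a too-short file)."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def mal_huntersinternational_strings(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and all of them."""
    return uint16_at(data, 0) == 0x5A4D and all(s in data for s in STRINGS)


def fake_binary(magic: bytes, strings=STRINGS) -> bytes:
    """Constructed blob: a file magic, some filler, then NUL-separated strings."""
    return magic + b"\x00" * 64 + b"\x00".join(strings) + b"\x00"


PE_LIKE = fake_binary(b"MZ")                  # starts 'M','Z' like a PE file
ELF_LIKE = fake_binary(b"\x7fELF")            # same strings under an ELF magic
PARTIAL = fake_binary(b"MZ", STRINGS[:-1])    # PE magic but "encrypting" missing

if __name__ == "__main__":
    print(hex(uint16_at(b"MZ", 0)))           # 0x5a4d: 'M' is the low byte
    for name, blob in [("PE-like", PE_LIKE), ("ELF-like", ELF_LIKE),
                       ("PE missing a string", PARTIAL)]:
        print(f"{name:20} -> {mal_huntersinternational_strings(blob)}")
```

If you want the same strings to cover a Linux build as well, the header check is what you would relax (for example to `uint16(0) == 0x5a4d or uint32(0) == 0x464c457f`), but doing so on a rule named and tested against a Windows sample is a deliberate decision, not a free one.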
