#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier, which may not be supported on older versions of YARA, and a few make use of regular expressions, which may cause performance issues on larger sample sets.

Given the size of the ruleset it’s probably easier to just grab it directly from my GitHub repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 76 – “lckmac” Ransomware

Today’s rule matches function names found in a suspected macOS ransomware binary uploaded to VirusTotal as lckmac.

rule MAL_Lckmac_strings {
    meta:
        description = "Matches function name strings found in MachO ransomware sample uploaded to VirusTotal with filename 'lckmac'."
        last_modified = "2024-03-16"
        author = "@petermstewart"
        DaysofYara = "76/100"
        sha256 = "e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac"
        ref = "https://x.com/malwrhunterteam/status/1745144586727526500"

    strings:
        $a1 = "main.parsePublicKey"
        $a2 = "main.writeKeyToFile"
        $a3 = "main.getSystemInfo"
        $a4 = "main.EncryptTargetedFiles"
        $a5 = "main.shouldEncryptFile"
        $a6 = "main.encryptFile"
        $a7 = "main.deleteSelf"

    condition:
        (uint32(0) == 0xfeedface or   //MH_MAGIC
        uint32(0) == 0xcefaedfe or    //MH_CIGAM
        uint32(0) == 0xfeedfacf or    //MH_MAGIC_64
        uint32(0) == 0xcffaedfe or    //MH_CIGAM_64
        uint32(0) == 0xcafebabe or    //FAT_MAGIC
        uint32(0) == 0xbebafeca) and  //FAT_CIGAM
        all of them
}
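
To show what the condition above actually checks, here is a small Python emulation of the rule (added here as an example, not the author's code and not a substitute for running YARA). It mirrors YARA's little-endian uint32(0) read against the six Mach-O and fat magic values and then requires every symbol name; the three input blobs are constructed test data, not real samples.

```python
import struct

# Mach-O and fat-binary magic values as YARA's uint32(0) (little-endian read) sees them.
# Listing both byte orders means a file starting CF FA ED FE (64-bit, little-endian
# host) and one starting FE ED FA CE (big-endian) both pass the header check.
MACHO_MAGIC = {
    0xFEEDFACE,  # MH_MAGIC
    0xCEFAEDFE,  # MH_CIGAM
    0xFEEDFACF,  # MH_MAGIC_64
    0xCFFAEDFE,  # MH_CIGAM_64
    0xCAFEBABE,  # FAT_MAGIC
    0xBEBAFECA,  # FAT_CIGAM
}

# The Go symbol names from the rule on this page.
LCKMAC_STRINGS = [
    b"main.parsePublicKey",
    b"main.writeKeyToFile",
    b"main.getSystemInfo",
    b"main.EncryptTargetedFiles",
    b"main.shouldEncryptFile",
    b"main.encryptFile",
    b"main.deleteSelf",
]

def is_macho(data: bytes) -> bool:
    """Equivalent of the rule's uint32(0) == <magic> disjunction."""
    if len(data) < 4:
        return False
    return struct.unpack("<I", data[:4])[0] in MACHO_MAGIC

def match_lckmac(data: bytes) -> bool:
    """Equivalent of the rule's condition: Mach-O header and 'all of them'."""
    return is_macho(data) and all(s in data for s in LCKMAC_STRINGS)

def missing_strings(data: bytes) -> list:
    """Triage helper: which of the expected symbol names are absent."""
    return [s.decode() for s in LCKMAC_STRINGS if s not in data]

# Constructed test blobs (not real malware): a 64-bit Mach-O header followed by all
# symbol names, the same header with one name missing, and an ELF carrying the names.
SAMPLE_MACHO = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28 + b"\x00".join(LCKMAC_STRINGS)
SAMPLE_PARTIAL = struct.pack("<I", 0xFEEDFACF) + b"\x00".join(LCKMAC_STRINGS[:-1])
SAMPLE_ELF = b"\x7fELF" + b"\x00".join(LCKMAC_STRINGS)

if __name__ == "__main__":
    for name, blob in [("macho", SAMPLE_MACHO), ("partial", SAMPLE_PARTIAL), ("elf", SAMPLE_ELF)]:
        print(name, match_lckmac(blob), missing_strings(blob))
```

The ELF blob shows why the header check matters: the same Go symbol names in a non-Mach-O file do not fire the rule.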

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.