dfir, mostly
That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier which may not be supported on older versions of YARA, and a few make use of regular expressions which may cause performance issues on larger sample sets.
Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.
I hope it’s helpful!
Two rules to cover the Hunters International ransom note; one which includes the associated .onion addresses…
rule MAL_HuntersInternational_ransomnote {
meta:
description = "Matches strings found in Hunters International ransom notes."
last_modified = "2024-03-31"
author = "@petermstewart"
DaysofYara = "91/100"
strings:
$a1 = "_ _ _ _ _ _ _____ _____ ____ ____"
$a2 = "| | | | | | | \\ | |_ _| ____| _ \\/ ___|"
$a3 = "| 
| | | | \\| | | | | _| | |_) \\___ \\"
$a4 = "| _ | | |\\ | | | | |___| _ < ___) |"
$a5 = "|_|_|_|\\___/|_|_\\_|_|_|_|_____|_|_\\_\\____/____ ___ ___ _ _ _ _"
$a6 = "|_ _| \\ | |_ _| ____| _ \\| \\ | | / \\|_ _|_ _/ _ \\| \\ | | / \\ | |"
$a7 = "| || \\| | | | | _| | |_) | \\| | / _ \\ | | | | | | | \\| | / _ \\ | |"
$a8 = "| || |\\ | | | | |___| _ <| |\\ |/ ___ \\| | | | | |\\ |/ ___ \\| |___"
$a9 = "|___|_| \\_| |_____|_| \\_\\_| \\_/_/ \\_\\_| |___\\___/|_| \\_/_/ \\_\\_____|"
$b1 = "hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion"
$b2 = "hunters33dootzzwybhxyh6xnmumopeoza6u4hkontdqu7awnhmix7ad.onion"
$b3 = "hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion"
$b4 = "hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion"
condition:
filesize < 5KB and
all of ($a*) and
1 of ($b*)
}
…and a second to match the ASCII art logo.
rule HUNT_HuntersInternational_ascii_art {
meta:
description = "Matches ascii art found in Hunters International ransomware notes."
last_modified = "2024-03-31"
author = "@petermstewart"
DaysofYara = "91/100"
strings:
$a1 = "_ _ _ _ _ _ _____ _____ ____ ____"
$a2 = "| | | | | | | \\ | |_ _| ____| _ \\/ ___|"
$a3 = "| | | | | \\| | | | | _| | |_) \\___ \\"
$a4 = "| _ | | |\\ | | | | |___| _ < ___) |"
$a5 = "|_|_|_|\\___/|_|_\\_|_|_|_|_____|_|_\\_\\____/____ ___ ___ _ _ _ _"
$a6 = "|_ _| \\ | |_ _| ____| _ \\| \\ | | / \\|_ _|_ _/ _ \\| \\ | | / \\ | |"
$a7 = "| || \\| | | | | _| | |_) | \\| | / _ \\ | | | | | | | \\| | / _ \\ | |"
$a8 = "| || |\\ | | | | |___| _ <| |\\ |/ ___ \\| | | | | |\\ |/ ___ \\| |___"
$a9 = "|___|_| \\_| |_____|_| \\_\\_| \\_/_/ \\_\\_| |___\\___/|_| \\_/_/ \\_\\_____|"
condition:
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
The Hunters International ransomware was first observed in late 2023 and has been reported to be a rebrand of Hive following a disruption operation in January 2023. This rule matches strings found in a Windows Hunters International sample.
rule MAL_HuntersInternational_strings {
meta:
description = "Matches strings found in Hunters International ransomware samples."
last_modified = "2024-03-30"
author = "@petermstewart"
DaysofYara = "90/100"
sha256 = "c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e"
strings:
$a1 = "windows_encrypt/src/main.rs"
$a2 = "skipped, reserve dir"
$a3 = "skipped, min size:"
$a4 = "skipped, symlink:"
$a5 = "skipped, reserved file:"
$a6 = "skipped, reserved extension:"
$a7 = "got, dir:"
$a8 = "encrypting"
condition:
uint16(0) == 0x5a4d and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Today’s rule matches strings in the Trigona ransom note:
rule MAL_Trigona_ransomnote {
meta:
description = "Matches strings found in Trigona ransom notes."
last_modified = "2024-03-29"
author = "@petermstewart"
DaysofYara = "89/100"
strings:
$a1 = "3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion"
$b1 = "<title>ENCRYPTED</title>"
$b2 = "the entire network is encrypted"
$b3 = "your business is losing money"
$b4 = "All documents, databases, backups and other critical data were encrypted and leaked"
$b5 = "The program uses a secure AES algorithm"
$b6 = "decryption impossible without contacting us"
$b7 = "To recover your data, please follow the instructions"
$b8 = "Download Tor Browser"
$b9 = "Open decryption page"
$b10 = "Auth using this key"
condition:
filesize < 20KB and
7 of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
The Trigona ransomware began operations around October 2022 and has been regularly updated since then with both Windows and Linux/ESXi variants observed in the wild. This rule matches strings found in Windows samples.
rule MAL_Trigona_strings {
meta:
description = "Matches strings found in Trigona ransomware samples."
last_modified = "2024-03-28"
author = "@petermstewart"
DaysofYara = "88/100"
sha256 = "fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b"
sha256 = "d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a"
strings:
$a1 = "how_to_decrypt" wide
$b1 = "nolocal"
$b2 = "nolan"
$b3 = "shutdown"
$b4 = "random_file_system"
$b5 = "fullmode"
$b6 = "erasemode"
$b7 = "network_scan_finished"
$b8 = "is_testing"
condition:
uint16(0) == 0x5a4d and
$a1 and
4 of ($b*)
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Today’s rule matches strings found in the note dropped post-encryption by the Yanluowang ransomware.
rule MAL_Yanluowang_ransomnote {
meta:
description = "Matches strings found in Yanluowang ransom notes."
last_modified = "2024-03-27"
author = "@petermstewart"
DaysofYara = "87/100"
strings:
$a1 = "since you are reading this it means you have been hacked"
$a2 = "encrypting all your systems"
$a3 = "Here's what you shouldn't do"
$a4 = "Do not try to decrypt the files yourself"
$a5 = "do not change the file extension yourself"
$a6 = "Keep us for fools"
$a7 = "Here's what you should do right after reading it"
$a8 = "send our message to the CEO of the company, as well as to the IT department"
$a9 = "you should contact us within 24 hours by email"
$a10 = "As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption"
$a11 = "Mails to contact us"
condition:
filesize < 5KB and
8 of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
The Yanluowang ransomware was first observed in late 2021, and has been reported to utilise code-signing on their binaries. This rule relies on PDB path and usage strings found in Windows samples.
rule MAL_Yanluowang_strings {
meta:
description = "Matches function name strings found in Yanluowang ransomware samples."
last_modified = "2024-03-26"
author = "@petermstewart"
DaysofYara = "86/100"
sha256 = "49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d"
sha256 = "d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c"
strings:
$a1 = "C:\\Users\\111\\Desktop\\wifi\\project\\ConsoleApplication2\\Release\\ConsoleApplication2.pdb"
$a2 = "C:\\Users\\cake\\Desktop\\project-main\\project-main\\ConsoleApplication2\\cryptopp-master"
$a3 = "Syntax: encrypt.exe [(-p,-path,--path)<path>]"
$a4 = "yanluowang"
condition:
uint16(0) == 0x5a4d and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Today’s rule matches strings in the note dropped by Cactus ransomware post-encryption:
rule MAL_Cactus_ransomnote {
meta:
description = "Matches strings found in ransom notes dropped by Cactus ransomware."
last_modified = "2024-03-23"
author = "@petermstewart"
DaysofYara = "83/100"
strings:
$a1 = "cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion"
$a2 = "sonarmsng5vzwqezlvtu2iiwwdn3dxkhotftikhowpfjuzg7p3ca5eid.onion"
$a3 = "cactus2tg32vfzd6mwok23jfeolh4yxrg2obzlsyax2hfuka3passkid.onion"
$b1 = "encrypted by Cactus"
$b2 = "Do not interrupt the encryption process"
$b3 = "Otherwise the data may be corrupted"
$b4 = "wait until encryption is finished"
$b6 = "TOX (https://tox.chat):"
$b7 = "7367B422CD7498D5F2AAF33F58F67A332F8520CF0279A5FBB4611E0121AE421AE1D49ACEABB2"
condition:
filesize < 5KB and
1 of ($a*) or
5 of ($b*)
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Cactus ransomware was first observed in March 2023, and makes heavy use of data-theft as leverage in ransom negotiations. This rule matches strings found in Windows Cactus samples.
rule MAL_Cactus_strings {
meta:
description = "Matches strings found in Cactus ransomware samples."
last_modified = "2024-03-22"
author = "@petermstewart"
DaysofYara = "82/100"
sha256 = "1ea49714b2ff515922e3b606da7a9f01732b207a877bcdd1908f733eb3c98af3"
sha256 = "c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a"
strings:
$a1 = "vssadmin delete shadows /all /quiet" wide
$a2 = "WMIC shadowcopy delete" wide
$a3 = "bcdedit /set {default} bootstatuspolicy ignoreallfailures" wide
$a4 = "bcdedit /set {default} recoveryenabled no" wide
$a5 = "cAcTuS" wide
$a6 = "CaCtUs.ReAdMe.txt" wide
$a7 = "schtasks.exe /create /sc MINUTE /mo 5 /rl HIGHEST /ru SYSTEM /tn \"Updates Check Task\" /tr \"cmd /c cd C:\\ProgramData &&" wide
$a8 = "C:\\Windows\\system32\\schtasks.exe /run /tn \"Updates Check Task\"" wide
condition:
uint16(0) == 0x5a4d and
6 of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Chaos is a relatively unsophisticated ransomware which has been in development since 2021. Since then multiple versions of the ransomware binary have been observed, and the associated builder has leaked from private forums to GitHub.
This rule attempts to identify Chaos binaries based on function names and also caught the previously unidentified ransomware from Day 56.
rule MAL_ChaosRansom_strings {
meta:
description = "Matches function name strings found in Chaos ransomware samples."
last_modified = "2024-03-19"
author = "@petermstewart"
DaysofYara = "79/100"
sha256 = "1ba5ab55b7212ba92a9402677e30e45f12d98a98f78cdcf5864a67d6c264d053"
sha256 = "a98bc2fcbe8b3c7ea9df3712599a958bae0b689ae29f33ee1848af7a038d518a"
strings:
$a1 = "encryptionAesRsa"
$a2 = "encryptedFileExtension"
$a3 = "checkdeleteShadowCopies"
$a4 = "checkdisableRecoveryMode"
$a5 = "bytesToBeEncrypted"
condition:
uint16(0) == 0x5a4d and
4 of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Cyber Poking 