Tag: trigona

#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier which may not be supported on older versions of YARA, and a few make use of regular expressions which may cause performance issues on larger sample sets.

Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 89 – Trigona Ransomware Note

Today’s rule matches strings in the Trigona ransom note:

rule MAL_Trigona_ransomnote {
    meta:
        description = "Matches strings found in Trigona ransom notes."
        last_modified = "2024-03-29"
        author = "@petermstewart"
        DaysofYara = "89/100"

    strings:
        $a1 = "3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion"
        $b1 = "<title>ENCRYPTED</title>"
        $b2 = "the entire network is encrypted"
        $b3 = "your business is losing money"
        $b4 = "All documents, databases, backups and other critical data were encrypted and leaked"
        $b5 = "The program uses a secure AES algorithm"
        $b6 = "decryption impossible without contacting us"
        $b7 = "To recover your data, please follow the instructions"
        $b8 = "Download Tor Browser"
        $b9 = "Open decryption page"
        $b10 = "Auth using this key"

    condition:
        filesize < 20KB and
        7 of them
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 88 – Trigona Ransomware

The Trigona ransomware began operations around October 2022 and has been regularly updated since then with both Windows and Linux/ESXi variants observed in the wild. This rule matches strings found in Windows samples.

rule MAL_Trigona_strings {
    meta:
        description = "Matches strings found in Trigona ransomware samples."
        last_modified = "2024-03-28"
        author = "@petermstewart"
        DaysofYara = "88/100"
        sha256 = "fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b"
        sha256 = "d743daa22fdf4313a10da027b034c603eda255be037cb45b28faea23114d3b8a"

    strings:
        $a1 = "how_to_decrypt" wide
        $b1 = "nolocal"
        $b2 = "nolan"
        $b3 = "shutdown"
        $b4 = "random_file_system"
        $b5 = "fullmode"
        $b6 = "erasemode"
        $b7 = "network_scan_finished"
        $b8 = "is_testing"

    condition:
        uint16(0) == 0x5a4d and
        $a1 and
        4 of ($b*)
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.