/*
Four YARA rules to check for payloads on systems. Thanks to sinkholing, encryption may not occur, BUT you may still have binaries lying around.
If you get a match for "WannaDecryptor" and not for any of the Wanna_Sample rules, then you may have a variant!
Check out http://yara.readthedocs.io on how to write and add a rule as below and index your
rule by the sample hashes.  Add, share, rinse and repeat!
*/
/*
 * Generic, string-based detection for WannaDecryptor / WannaCry material.
 * Fires when at least three of the seven component names below are present
 * anywhere in the scanned object. This is a plain substring match with no
 * file-type or size guard, so text artifacts that merely quote these names
 * (analysis reports, this rule file itself) will match as well; triage hits
 * against the sample-specific rules before treating one as a new variant.
 */
rule WannaDecryptor: WannaDecryptor
{
        meta:
                description = "Detection for common strings of WannaDecryptor"

        strings:
                // executable names referenced by the payload
                $s1 = "taskdl.exe"
                $s2 = "taskse.exe"
                // *.wnry component file names
                $s3 = "r.wnry"
                $s4 = "s.wnry"
                $s5 = "t.wnry"
                $s6 = "u.wnry"
                // path prefix "msg/m_" (resource naming used by the payload; not further characterized here)
                $s7 = "msg/m_"

        condition:
                // any three of the $s* strings, same threshold as "3 of them"
                3 of ($s*)
}
/*
 * Exact-sample match: the two NUL-prefixed names must sit at fixed file
 * offsets, so this rule only identifies the sample whose hashes are listed
 * in meta. It will not fire on repacked or modified variants; rely on the
 * generic WannaDecryptor rule for those and keep this one for attribution.
 */
rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549
{
        meta:
                description = "Specific sample match for WannaCryptor"
                MD5 = "84c82835a5d21bbcf75a61706d8ab549"
                SHA1 = "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
                SHA256 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
                INFO = "Looks for 'taskdl' and 'taskse' at known offsets"

        strings:
                // same bytes as { 00 74 61 73 6b 64 6c } / { 00 74 61 73 6b 73 65 },
                // written as escaped text: a leading NUL followed by the name
                $a = "\x00taskdl"
                $b = "\x00taskse"

        condition:
                // both anchors at their fixed offsets in the hashed sample
                $a at 3419456 and $b at 3422953
}
/*
 * Exact-sample match keyed on three fixed offsets in the file whose hashes
 * are listed in meta. Offset-anchored conditions do not survive repacking,
 * so a miss here with a WannaDecryptor hit is the "possible variant" case.
 *
 * NOTE(review): the original identifiers and INFO text refer to r.wnry /
 * s.wnry, but the bytes actually matched are "r.wry" and "s.wry" (no 'n'),
 * which is NOT a substring of "r.wnry". The byte patterns are kept exactly as
 * published; confirm against the hashed sample before "correcting" either the
 * pattern or the description.
 */
rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904
{
        meta:
                description = "Specific sample match for WannaCryptor"
                MD5 = "4da1f312a214c07143abeeafb695d904"
                SHA1 = "b629f072c9241fd2451f1cbca2290197e72a8f5e"
                SHA256 = "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c"
                INFO = "Looks for offsets of r.wry and s.wry instances"

        strings:
                // byte-identical to { 72 2e 77 72 79 } and { 73 2e 77 72 79 }
                $r_wry = "r.wry"
                $s_wry = "s.wry"

        condition:
                // two anchors for "r.wry" and one for "s.wry", all at fixed offsets
                $r_wry at 88195 and $r_wry at 4495639 and $s_wry at 88656
}
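/*
 * Sample-specific match for the bundle described in meta (hashes below).
 * Despite the "strain" name, the condition anchors two file names at three
 * fixed offsets, so it identifies only the hashed file, not the strain in
 * general; repacked or trimmed copies will not match. Use the generic
 * WannaDecryptor rule for coverage and this one for attribution of a hit.
 *
 * Change from the published text: the meta description spelled the
 * second component "DOublePulsar"; corrected to "DoublePulsar". Byte
 * patterns and offsets are unchanged.
 */
rule NHS_Strain_Wanna: NHS_Strain_Wanna
{
        meta:
                description = "Detection for worm-strain bundle of Wcry, DoublePulsar"
                MD5 = "db349b97c37d22f5ea1d1841e3c89eb4"
                SHA1 = "e889544aff85ffaf8b0d0da705105dee7c97fe26"
                SHA256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
                INFO = "Looks for specific offsets of c.wnry and t.wnry strings"

        strings:
                // "c.wnry" and "t.wnry" as raw bytes
                $cwnry = { 63 2e 77 6e 72 79 }
                $twnry = { 74 2e 77 6e 72 79 }

        condition:
                // two occurrences of c.wnry and one of t.wnry at fixed offsets
                $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970
}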