diff --git a/malware/RANSOM_graverobber.yar b/malware/RANSOM_graverobber.yar
new file mode 100644
index 00000000..e3e955b5
--- /dev/null
+++ b/malware/RANSOM_graverobber.yar
@@ -0,0 +1,25 @@
+rule MAL_Graverobber_Main_Python
+{
+ meta:
+ family = "Graverobber"
+ variant = "graverobber.py"
+ description = "Detects Graverobber main Python ransomware payload"
+ author = "rf-peixoto"
+ reference = "github.com/rf-peixoto/Graverobber"
+ confidence = "high"
+
+ strings:
+ $s_title = "The Graverobber - DO NOT CLOSE THIS WINDOW!" ascii
+ $s_visit = "You have been visited by the Graverobber. " ascii
+ $s_nodefile = "node_{0}.txt" ascii
+ $s_nodesig = "Node Signature: {0}" ascii
+ $s_aes = "from AesEverywhere import aes256" ascii
+ $s_bloxplorer = "from bloxplorer import bitcoin_explorer" ascii
+ $s_file_form = "http://{0}.com/file_form.php" ascii
+ $s_ping = "ping -c 1 " ascii
+
+ condition:
+ // Require strong family markers: UI text + crypto + infra pieces
+ all of ($s_title, $s_visit, $s_nodefile, $s_nodesig)
+ and $s_aes and $s_bloxplorer and $s_file_form
+}
diff --git a/malware/RANSOM_graverobber_count_zero.yar b/malware/RANSOM_graverobber_count_zero.yar
new file mode 100644
index 00000000..7c6e873c
--- /dev/null
+++ b/malware/RANSOM_graverobber_count_zero.yar
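Review bot: `$s_ping` is declared in the strings section but never referenced in the condition, and YARA treats an unreferenced string as a compile error rather than a warning, so this file will not load at all. Either drop the `$s_ping` line or fold it into the last condition line, e.g. `and $s_aes and $s_bloxplorer and $s_file_form and $s_ping`; given the other three rules in this commit all require the ping marker, the latter keeps the family consistent. Separately, every marker here is a literal from the .py source text (the full `from AesEverywhere import aes256` statement, the `{0}` format placeholders), so a `confidence = "high"` meta presumably holds only for plain-source samples and not for a bundled or byte-compiled build where an import statement is no longer one contiguous string; a `scope = "python source only"` style meta line would make that limit explicit for whoever deploys it.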
@@ -0,0 +1,26 @@
+rule MAL_Graverobber_CountZero_Python
+{
+ meta:
+ family = "Graverobber"
+ variant = "countzero.py"
+ description = "Detects CountZero variant"
+ author = "rf-peixoto"
+ reference = "github.com/rf-peixoto/Graverobber"
+ confidence = "high"
+
+ strings:
+ $s_readme = "CountZero.README.txt" ascii
+ $s_readmeurl = "file://{0}/CountZero.README.txt" ascii
+ $s_btc = "BTC Address" ascii
+ $s_blox = "from bloxplorer import bitcoin_explorer" ascii
+ $s_form1 = "http://127.0.0.1/file_form.php" ascii
+ $s_form2 = "http://{0}.com/file_form.php" ascii
+ $s_ping = "ping -c 1 " ascii
+ $s_fileup = "fileToUpload" ascii
+
+ condition:
+ // Ransom note + BTC + C2 infra + bloxplorer
+ $s_readme and $s_btc
+ and any of ($s_form1, $s_form2)
+ and $s_blox and $s_fileup and $s_ping
+}
diff --git a/malware/RANSOM_graverobber_qv1m3r4.yar b/malware/RANSOM_graverobber_qv1m3r4.yar
new file mode 100644
index 00000000..06f9a335
--- /dev/null
+++ b/malware/RANSOM_graverobber_qv1m3r4.yar
@@ -0,0 +1,22 @@
+rule MAL_Graverobber_Qv1m3r4_Python
+{
+ meta:
+ family = "Graverobber"
+ variant = "qv1m3r4.py"
+ description = "Detects qv1m3r4 variant"
+ author = "rf-peixoto"
+ reference = "github.com/rf-peixoto/Graverobber"
+ confidence = "high"
+
+ strings:
+ $s_egg1 = "egg_{0}.txt" ascii
+ $s_nodesig = "Node Signature: {0}\\n" ascii
+ $s_qv = "qv1m3r4" ascii
+ $s_note_1 = "Send a message to our@email.com to get in touch." ascii
+ $s_note_url = "file://{0}/egg_{1}.txt" ascii
+ $s_aes = "from AesEverywhere import aes256" ascii
+
+ condition:
+ $s_qv and $s_egg1 and $s_nodesig
+ and $s_aes and any of ($s_note_1, $s_note_url)
+}
diff --git a/malware/WIPER_graverobber_river_lethe.yar b/malware/WIPER_graverobber_river_lethe.yar
new file mode 100644
index 00000000..645baffb
--- /dev/null
+++ b/malware/WIPER_graverobber_river_lethe.yar
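Review bot: `$s_readmeurl` is declared but never used in the condition, which YARA rejects as an unreferenced-string compile error, so the CountZero rule (and the whole file) fails to load. The natural fix is to let either form of the ransom-note reference satisfy the rule, `any of ($s_readme, $s_readmeurl) and $s_btc`, since the `file://{0}/CountZero.README.txt` literal is the more specific of the two; if the intent was to drop it, remove the strings line instead. Note also that `$s_btc = "BTC Address"` and `$s_fileup = "fileToUpload"` are generic tokens (the latter is a common PHP upload field name) that carry no family signal on their own; they are only safe here because they are ANDed with the `CountZero.README.txt` marker, which is worth saying in the condition comment so a later edit does not loosen the AND into an OR.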
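Review bot: The condition of `MAL_Graverobber_Qv1m3r4_Python` has no explanatory comment, unlike the two sibling rules in this commit, and the `$s_nodesig` string deserves one in particular: `"Node Signature: {0}\\n"` is a YARA escaped backslash, so it matches the two source characters `\n` as they appear in the .py file, not a newline byte, and will not hit the rendered string in a dropped note or log. A one-line comment such as `// matches the source-code escape sequence, not an emitted newline` above `$s_nodesig`, and `// variant tag + node-file + crypto import; note text is a weaker secondary marker` above the condition, would bring this rule in line with the others. All six strings here are referenced, so unlike the neighbouring rules this one compiles as written.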
@@ -0,0 +1,26 @@
+rule MAL_Graverobber_RiverLethe_Python
+{
+ meta:
+ family = "Graverobber"
+ variant = "river_lethe.py"
+ description = "Detects River Lethe variant"
+ author = "rf-peixoto"
+ reference = "github.com/rf-peixoto/Graverobber"
+ confidence = "high"
+
+ strings:
+ $s_title = "River Lethe" ascii
+ $s_msg1 = "Everything you had is lost in oblivion." ascii
+ $s_msg2 = "Send a signal to EMAIL and we will to guide you in this journey." ascii
+ $s_btc = "BTC Address" ascii
+ $s_blox = "from bloxplorer import bitcoin_explorer" ascii
+ $s_form1 = "http://127.0.0.1/file_form.php" ascii
+ $s_form2 = "http://{0}.com/file_form.php" ascii
+ $s_ping = "ping -c 1 " ascii
+
+ condition:
+ all of ($s_title, $s_msg1, $s_msg2)
+ and $s_blox and $s_btc
+ and any of ($s_form1, $s_form2)
+ and $s_ping and $s_fileup
+}
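Review bot: The last condition line references `$s_fileup`, but no such string is declared in this rule's strings section, so YARA fails compilation with an undefined-string error and the file never loads. Either declare it as the CountZero rule does, `$s_fileup = "fileToUpload" ascii`, or shorten the line to `and $s_ping`; since the rule already anchors on three verbatim note strings, dropping the reference is the lower-risk fix. The file is named `WIPER_graverobber_river_lethe.yar` while the meta only says `Detects River Lethe variant`; if the wiper classification is deliberate, carry it into the description (e.g. `Detects River Lethe wiper variant of Graverobber`) so the meta and the filename agree for anyone consuming the rule without the path. The `$s_msg2` text contains the sample's own grammatical slip ("we will to guide you") and must stay byte-for-byte; a short `// verbatim from the sample, do not "correct"` comment would protect it from well-meaning edits.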