YARA rules for WannaCry
4 rules · scoped to tool · back to WannaCry
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.
rule WannaCry_Ransomware {
meta:
description = "Detects WannaCry Ransomware"
author = "Florian Roth (Nextron Systems) (with the help of binar.ly)"
reference = "https://goo.gl/HG2j5T"
date = "2017-05-12"
hash1 = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
id = "2e46b4db-8c94-53ed-ae27-31dd37b04940"
strings:
$x1 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$x2 = "taskdl.exe" fullword ascii
$x3 = "tasksche.exe" fullword ascii
$x4 = "Global\\MsWinZonesCacheCounterMutexA" fullword ascii
$x5 = "WNcry@2ol7" fullword ascii
$x6 = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
$x7 = "mssecsvc.exe" fullword ascii
$x8 = "C:\\%s\\qeriuwjhrf" fullword ascii
$x9 = "icacls . /grant Everyone:F /T /C /Q" fullword ascii
$s1 = "C:\\%s\\%s" fullword ascii
$s2 = "<!-- Windows 10 --> " fullword ascii
$s3 = "cmd.exe /c \"%s\"" fullword ascii
$s4 = "msg/m_portuguese.wnry" fullword ascii
$s5 = "\\\\192.168.56.20\\IPC$" fullword wide
$s6 = "\\\\172.16.99.5\\IPC$" fullword wide
$op1 = { 10 ac 72 0d 3d ff ff 1f ac 77 06 b8 01 00 00 00 }
$op2 = { 44 24 64 8a c6 44 24 65 0e c6 44 24 66 80 c6 44 }
$op3 = { 18 df 6c 24 14 dc 64 24 2c dc 6c 24 5c dc 15 88 }
$op4 = { 09 ff 76 30 50 ff 56 2c 59 59 47 3b 7e 0c 7c }
$op5 = { c1 ea 1d c1 ee 1e 83 e2 01 83 e6 01 8d 14 56 }
$op6 = { 8d 48 ff f7 d1 8d 44 10 ff 23 f1 23 c1 }
condition:
uint16(0) == 0x5a4d and filesize < 10000KB and ( 1 of ($x*) and 1 of ($s*) or 3 of ($op*) )
}
rule WannaCry_Ransomware_Gen {
meta:
description = "Detects WannaCry Ransomware"
author = "Florian Roth (Nextron Systems) (based on rule by US CERT)"
reference = "https://www.us-cert.gov/ncas/alerts/TA17-132A"
date = "2017-05-12"
hash1 = "9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05"
hash2 = "8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df"
hash3 = "4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359"
id = "d28d3d76-9c24-5476-9a0c-936c17477d6a"
strings:
$s1 = "__TREEID__PLACEHOLDER__" ascii
$s2 = "__USERID__PLACEHOLDER__" ascii
$s3 = "Windows for Workgroups 3.1a" fullword ascii
$s4 = "PC NETWORK PROGRAM 1.0" fullword ascii
$s5 = "LANMAN1.0" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
rule WannaCry_RansomNote {
meta:
description = "Detects WannaCry Ransomware Note"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "https://goo.gl/HG2j5T"
date = "2017-05-12"
hash1 = "4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e"
id = "65ce8faf-0981-5382-bc15-f094ccaa9f54"
strings:
$s1 = "A: Don't worry about decryption." fullword ascii
$s2 = "Q: What's wrong with my files?" fullword ascii
condition:
( uint16(0) == 0x3a51 and filesize < 2KB and all of them )
}
rule APT_lazaruswannacry {
meta:
description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
date = "2017-05-15"
reference = "https://twitter.com/neelmehta/status/864164081116225536"
author = "Costin G. Raiu, Kaspersky Lab"
version = "1.0"
hash = "9c7c7149387a1c79679a87dd1ba755bc"
hash = "ac21c8ad899727137c4b94458d7aa8d8"
id = "e9dd9750-2366-503a-a879-972dbead6bf3"
strings:
$a1 = { 51 53 55 8B 6C 24 10 56 57 6A 20 8B 45 00 8D 75
04 24 01 0C 01 46 89 45 00 C6 46 FF 03 C6 06 01 46
56 E8 }
$a2 = { 03 00 04 00 05 00 06 00 08 00 09 00 0A 00 0D 00
10 00 11 00 12 00 13 00 14 00 15 00 16 00 2F 00
30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00
38 00 39 00 3C 00 3D 00 3E 00 3F 00 40 00 41 00
44 00 45 00 46 00 62 00 63 00 64 00 66 00 67 00
68 00 69 00 6A 00 6B 00 84 00 87 00 88 00 96 00
FF 00 01 C0 02 C0 03 C0 04 C0 05 C0 06 C0 07 C0
08 C0 09 C0 0A C0 0B C0 0C C0 0D C0 0E C0 0F C0
10 C0 11 C0 12 C0 13 C0 14 C0 23 C0 24 C0 27 C0
2B C0 2C C0 FF FE }
condition:
uint16(0) == 0x5A4D and filesize < 15000000 and all of them
}