# Sagan windows-malware.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# ZeroAccess peer-to-peer traffic, one rule per known peer port (16464, 16465,
# 16470, 16471). Each matches a Windows Security log line that carries a
# firewall / filtering-platform event (861, 5154 or 5155) and mentions the port
# number; default_proto / default_dst_port only annotate the resulting alert.
# threshold (Snort-style "limit") caps output at 5 alerts per source host per
# 300 seconds.
# NOTE(review): content "16464" (etc.) is an unanchored substring match, so any
# other number in the line that contains those digits (PIDs, handle IDs) can
# satisfy it — confirm the false-positive rate against real logs.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16464"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; default_dst_port: 16464; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001735; sid: 5001735; rev:7;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16465"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; default_dst_port: 16465; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001736; sid: 5001736; rev:7;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16470"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; default_dst_port: 16470; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001737; sid: 5001737; rev:7;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16471"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; default_proto: udp; default_dst_port: 16471; classtype: network-event; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001738; sid: 5001738; rev:7;)
# Black POS: process-creation (4688/592) or object/registry-access (4657/567)
# events that mention the POSWDS service/binary name. No threshold, so every
# matching event alerts. Note the classtype differs from the ZeroAccess rules
# above (trojan-activity rather than network-event).
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Black POS Malware Detected [5/5]"; pcre: "/ 4657: | 567: | 4688: | 592: /"; content: "POSWDS"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001951; sid: 5001951; rev:6;)


#*************************************************************
# These rules are based upon research by Russ Anthony.  More
# information can be found in his white paper at:
# 
# https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
#*************************************************************


# Service Control Manager events (7034/7035/7040/7046, plus process-exit
# 4689/593) that mention Defender or an anti-virus product together with a
# "stop control". The xbits check suppresses the alert while the reboot.windows
# xbit is set for the source; that bit is set by a rule outside this file, so
# this rule only behaves as intended when that rule set is loaded as well.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; pcre: "/ 7034: | 7035: | 7046: | 7040: | 4689: | 593: /" ; pcre: "/Defender|Anti-Virus|antivirus/i"; content: "stop control"; xbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002011; sid: 5002011; rev:9;)
# Look-alike spellings of core Windows binaries (scvhost, svcdost, scvdost,
# iexplorer) in process-creation events (4688/592), case-insensitive.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious misspelled process"; pcre: "/ 4688: | 592: /"; pcre: "/(scvhost|svcdost|scvdost|iexplorer)\.exe/i"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001999; sid: 5001999; rev:4;)
# Lower-case drive letter in the "File Name:" field of a process-creation
# event. %sagan% is expanded to each of c, d and e in turn, so only those
# three drive letters are covered.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Lower case drive letter used in process"; pcre: "/ 4688: | 592: /"; meta_content: "File Name|3a| %sagan%|3a|",c,d,e; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002000; sid: 5002000; rev:5;)
# svchost.exe / explorer.exe started from anywhere other than the canonical
# path: a positive match on the file name plus a negated match (content:!) on
# the expected full path, both case-insensitive via nocase.
# NOTE(review): the negated path is fixed to C:\WINDOWS\System32 (resp.
# C:\WINDOWS), so legitimate copies elsewhere — a non-C: system drive, or the
# 32-bit svchost.exe under SysWOW64 on 64-bit Windows — will also trip these;
# baseline against the environment before treating hits as high confidence.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for svchost.exe"; pcre: "/ 4688: | 592: /"; content: "\svchost.exe"; content:!"C|3a|\WINDOWS\System32\svchost.exe"; nocase; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002001; sid: 5002001; rev:4;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for explorer.exe"; pcre: "/ 4688: | 592: /"; content: "\explorer.exe"; content:!"C|3a|\WINDOWS\explorer.exe"; nocase; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002002; sid: 5002002; rev:4;)
# Application crash events (4097) for commonly targeted client software.
# The product-name pcre has no /i flag, so the match is case-sensitive.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious application crash"; content: " 4097|3a| "; pcre: "/Adobe|Microsoft Office|Java|wmplayer/"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002003; sid: 5002003; rev:5;)
# Well-known credential-dumping / memory-acquisition tool names appearing in
# process-creation events (case-insensitive). Useful as a detection of
# post-compromise activity; expect hits from authorised security testing too.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious Tool Event"; pcre: "/ 4688: | 592: /"; pcre: "/win32dd.exe|win64dd.exe|cachedump|fgdump|gsecdump|lslsass|mimikatz|pwdump7|pwdumpx|pwdump|wce.exe|getlsasrvaddr|iam.exe|iam-alt|whosthere.exe|whosthere-alt|genhash|lsadump/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002006; sid: 5002006; rev:6;)
# Disabled: a bare "virus found" substring with no program: restriction is too
# broad to run as written.
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Virus Found!"; content: "virus found"; nocase; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002007; sid: 5002007; rev:2;)

# Added by Champ Clark - 08/26/2014 

# RASWMI: process-creation event whose path contains
# \Windows\system32\wbem\raswmi.dll. |3a| is the ':' after the drive letter,
# so any drive letter matches. There is no nocase here, so unlike the rules
# above this path match is case-sensitive.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] RASWMI Malware process detected"; pcre: "/ 4688: | 592: /"; content: "|3a|\Windows\system32\wbem\raswmi.dll"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002103; sid:5002103; rev:4;)

# Added by Champ Clark - 06/08/2016

# Example Security-Auditing 4663 event that the rule below is meant to match:
# the ".locky" extension appears in the Object Name field. The account name,
# SID and paths in this sample are illustrative only.
# Security-Auditing| 4663: AUDIT_SUCCESS An attempt was made to access an object. Subject: *Security ID: S-1-5-21-3033682373-1303307761-3711879957-1000 Account Name: frankw Account Domain: frankw-PC Logon ID: 0x144f4 Object: Object Server: *Security Object Type: File Object Name: C:\ProgramData\Microsoft\User Account Pictures\B2DFD6E96212209F0583673878AA9EF6.locky Handle ID: 0x5d68 Process Information: Process ID: 0x6a8 Process Name: C:\Users\frankw\AppData\Local\Temp\30e22374e00af038d06063db14cb3797.exe Access Request Information: Accesses: WriteAttributes Access Mask: 0x100

# Locky / AutoLocky: object-access events (4663/567/5145) containing ".locky "
# — the trailing space in the content keeps it from matching longer
# extensions that merely start with "locky". No nocase, so case-sensitive.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Locky or AutoLocky ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".locky "; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002801; sid:5002801; reference: url,decrypter.emsisoft.com; rev:6;)

# Ransomware rules By Corey Fisher (cfisher@quadrantsec.com) & Bryan Manradge.
# 04/11/2016

# NOTE(review): from here on the rules are written $EXTERNAL_NET -> $HOME_NET,
# the reverse of every rule above, although they match the same kind of host
# log event. With "any" on both ends this presumably only affects how the
# alert is labelled, but confirm the direction is the intended one.
# Locky ransom-note file name in object-access events (4663/567/5145).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Locky ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "_Locky_recover_instructions.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002804; sid:5002804; rev:4;)

# Disabled: Cryptowall 4.0 note names (kept for reference).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall 4.0 ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/HELP_YOUR_FILES|DECRYPT_INSTRUCTION/i"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#cryptowall4; reference: url,wiki.quadrantsec.com/bin/view/Main/5002805; sid:5002805; rev:5;)

# Disabled: Cryptowall note name, additionally requiring a WriteData access.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryptowall ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "HELP_DECRYPT.txt"; content: "WriteData"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002806; sid:5002806; rev:4;)

# CryptInfinite / DecryptorMax note name.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite/DecryptorMax ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "ReadDecryptFilesHere.txt"; program: *Security*; classtype: trojan-activity; reference: url,http://www.bleepingcomputer.com/news/security/cryptinfinite-or-decryptormax-ransomware-decrypted/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002807; reference: url,decrypter.emsisoft.com;sid:5002807; rev:5;)

# Disabled: TeslaCrypt note names (two naming variants).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/HELP_TO_DECRYPT_YOUR_FILES.txt|Howto_Restore_FILES.txt|_how_recover_.TXT|_H_e_l_p_RECOVER_INSTRUCTIONS.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,www.pcrisk.com/removal-guides/8724-teslacrypt-virus; reference: url,wiki.quadrantsec.com/bin/view/Main/5002808; sid:5002808; rev:5;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Teslacrypt ransomware note type 2 detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\+-xxx-HELP-xxx-\+[0-9a-zA-Z]+-\+\.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,www.virustotal.com/en/file/161d1b77a6867603745046e81e52a186ea764ba8c723c9698da707c245505e95/analysis/1458765163/; reference: url,wiki.quadrantsec.com/bin/view/Main/5002809; sid:5002809; rev:5;)

# More Ransomware rules by Champ Clark (cclark@quadrantsec.com). 
#
# Data for these ransomware rules come from: 
# https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g
# http://www.nyxbone.com/malware/RansomwareOverview.html

# CryptoHasYou. - Trojan:Win32/Dynamer!ac or Rakhni

# %sagan% expands to each of enc and cryptohasyou, so this looks for ".enc "
# or ".cryptohasyou " (case-insensitive via meta_nocase) in object-access
# events. The negated content drops events whose path contains a
# "\encoding\" directory — presumably a benign source of ".enc" hits; confirm.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content:!"\encoding\"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002819; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002819; rev:8;)

# CryptoHasYou

# Ransom-note file name; case-sensitive (no nocase).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransom note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "YOUR_FILES_ARE_LOCKED.txt"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002820; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002820; rev:5;)

# 7ev3n - Ransom:Win32/Empercrypt.A

# Extensions ".R5A " / ".R4A ", case-insensitive.
# NOTE(review): the last reference is written "url, https://..." — with a
# space after the comma and an explicit scheme, unlike every other reference
# in this file; check that it is parsed the same way.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] 7ev3n - Ransom:Win32/Empercrypt.A ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content:".%sagan% ",R5A,R4A; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002821;reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url, https://github.com/hasherezade/malware_analysis/tree/master/7ev3n; sid:5002821; rev:8;)

# BitCryptor - Win32/Cribit or CoinVault - Ransom: MSIL/Vaultlock.A 

# Pattern shared by the extension rules that follow: an object-access event
# (4663/567/5145) containing ".<ext> " — the trailing space anchors the end of
# the file name — with nocase making the extension match case-insensitive.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Win32/Cribit or MSIL/Vaultlock.A ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".clf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002822; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,noransom.kaspersky.com; sid:5002822; rev:7;)

# Cerber - Win32/Cerber

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cerber - Win32/Cerber ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cerber "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002823; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002823; rev:6;)

# Chimera - Win32/Chicrypt 

# NOTE(review): ".crypt " is also the trigger for the CryptXXX/Gomasom rule
# (sid 5002829) further down, so a single event raises both alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Chimera - Win32/Chicrypt ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002824; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html;sid:5002824; rev:6;)

# Coverton

# Three extensions via meta_content: coverton, enigma, czvxce.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", coverton,enigma,czvxce; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002825; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002825; rev:6;)

# CryptInfinite

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptInfinite ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crinf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002826; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002826; rev:6;)

# CryptoJoker

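# CryptoJoker extension ".crjoker " (object-access events 4663/567/5145,
# case-insensitive). The msg names CryptoJoker so its alerts are
# distinguishable from the CryptInfinite rule (sid 5002826) above, which
# this rule's message previously duplicated; rev bumped for the change.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoJoker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crjoker "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002827; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002827; rev:7;)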

# CryptoTorLocker2015

# Disabled: CryptoTorLocker2015 extension (kept for reference).
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptoTorLocker2015 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CryptoTorLocker2015! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002828; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002828; rev:6;)

# CryptXXX or Gomasom

# NOTE(review): same ".crypt " trigger as the Chimera rule (sid 5002824), so
# both fire on the same event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptXXX or Gomasom ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002829; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002829; rev:6;)

# Hi Buddy! or Rakhni

# ".cry " is a short token; any file with that extension, malicious or not,
# will alert.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Hi Buddy! or Rakhni ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cry "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002830; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002830; rev:6;)

# iLock, iLockLight or Lortok

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] iLock, iLockLight or Lortok ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crime "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002831; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002831; rev:6;)

# Jigsaw - Ransom:MSIL/JigsawLocker.A

# Four extensions (btc, kkk, fun, gws). ".fun " and ".btc " are generic-looking
# tokens; expect some benign hits.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Jigsaw - MSIL/JigsawLocker.A"; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ", btc,kkk,fun,gws; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002832; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom; sid:5002832; rev:6;)

# Job Crypter, KimcilWare, SkidLocker, Pompous, Strictor or Rakhni

# ".locked " is shared by several families (listed in msg) and is a plausible
# extension for legitimate files as well.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] EDA2,HiddenTear,Job Crypter,KimcilWare,SkidLocker,Pompous,Strictor or Rakhni ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".locked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002833; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002833; rev:7;)

# KeyBTC - Ransom: Win32/Isda - Ransom: BAT/Xibow

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KeyBTC - Win32/Isda - BAT/Xibow ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".keybtc@inbox_com "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002834; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002834; rev:6;)

# KimcilWare

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] KimcilWare ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".kimcilware "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002835; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it; sid:5002835; rev:7;)

# LeChiffre

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LeChiffre ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".lechiffre "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002836; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com/lechiffre; sid:5002836; rev:6;)

# LowLevel04

# ".oor." — unlike the other extension rules this one has no trailing space
# and ends in a dot, i.e. it matches the token in the middle of a name.
# Presumably deliberate for how LowLevel04 renames files; confirm.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] LowLevel04 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".oor."; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002847; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002847; rev:6;)

# Magic

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Magic ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".magic "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002837; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002837; rev:6;)

# MireWare

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] MireWare ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".fucked "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002838; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002838; rev:6;)

# Nemucod

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Nemucod ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".crypted "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002839; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; reference: url,github.com/Antelox/NemucodFR; sid:5002839; rev:8;)


# Offline ransomware

# msg repeats the word "ransomware"; cosmetic only, left as-is because the
# msg text is part of the rule's output.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Offline ransomware ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".cbf "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002840; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002840; rev:6;)

# OMG! Ransomware

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] OMG! ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".LOL! "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002841; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002841; rev:5;)

# Radamant 

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Radamant ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".RADAMANT "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002842; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,decrypter.emsisoft.com; sid:5002842; rev:5;)

# Rakhni

# Long meta_content list of Rakhni-family extensions.
# NOTE(review): the msg says "Coverton or Torrentlocker" while the section
# header and the Kaspersky disinfection reference point at Rakhni — the
# message looks mislabelled; confirm and correct with a rev bump. Several
# tokens (".crypto ", ".encrypted ", ".AES256 ") are generic enough to hit
# legitimate file names.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Coverton or Torrentlocker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",kraken,darkness,nochance,oshit,oplata@qq_com,relock@qq_com,crypto,helpdecrypt@ukr.net,pizda@qq_com,dyatel@qq_com,_ryp,nalog@qq_com,chifrator@qq_com,gruzin@qq_com,troyancoder@qq_com,encrypted,AES256,hb15; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002843; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/us/viruses/disinfection/10556; sid:5002843; rev:7;)

# RemindMe

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] RemindMe ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.remindme |decrypt_your_files.html/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002844; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002844; rev:6;)

# Rokku

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Rokku ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".rokku "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002845; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002845; rev:5;)

# Samas-Samsam

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Samas-Samsam ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",encryptedAES,encryptedRSA,encedRSA,justbtcwillhelpyou,btcbtcbtc; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002846; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002846; rev:6;)

# Sanction

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sanction ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".sanction "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002848; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002848; rev:5;)

# Sport

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Sport ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".sport "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002849; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002849; rev:4;)

# Surprise

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Surprise ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".suprise "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002850; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002850; rev:5;) 

# TeslaCrypt 0.x - 2.2.0 (defunct)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 0.x - 2.2.0 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",vvv,ecc,exx,ezz,abc,aaa,zzz,xyz; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002851; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt; reference: url,www.talosintel.com/teslacrypt_tool; sid:5002851; rev:4;)

# TeslaCrypt 3.0+ (defunct)
#
# Disabled: commented out because the family is marked defunct. Kept for
# reference; the ".xxx" and ".ttt" extensions it would look for are generic.

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TeslaCrypt 3.0+ ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",micro,xxx,ttt; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002852; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002852; rev:4;)

# Troldesh
#
# meta_content expands ".%sagan% " once per value, so this looks for
# ".better_call_saul " or ".xtbl " in Security log events 4663 / 567 / 5145.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Troldesh ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",better_call_saul,xtbl; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002853; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002853; rev:3;)

# VaultCrypt
#
# Looks for ".vault " or ".xort " (meta_content expansion of ".%sagan% ") in
# Security log events 4663 / 567 / 5145. The msg also names Zlader / Russian,
# which the rule treats as the same extension set.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zlader / Russian or VaultCrypt ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",vault,xort; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002854; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002854; rev:4;)

# Virus-Encoder
#
# Security log events 4663 / 567 / 5145 whose text contains ".CrySiS "
# (case-insensitive). NOTE(review): the XRTN rule further down (sid 5002857)
# uses this exact same content, so both rules fire on the same event.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Virus-Encoder ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002855; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002855; rev:4;)

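# Xorist
#
# Looks for ".EnCiPhErEd ", ".73i87A ", ".p5tkjw " or ".PoAr2w " in Security
# log events 4663 / 567 / 5145 (meta_content expansion of ".%sagan% ",
# case-insensitive).
# rev 5: removed the stray space before the first meta_content value
# (" EnCiPhErEd"); depending on how values are tokenised it could have expanded
# to ". EnCiPhErEd " and never matched.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Xorist ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",EnCiPhErEd,73i87A,p5tkjw,PoAr2w; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002856; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/2911; sid:5002856; rev:5;)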

# XRTN
#
# NOTE(review): this rule's content (".CrySiS ") is byte-identical to the
# Virus-Encoder rule above (sid 5002855), so it fires on the same events and
# an alert from it cannot be attributed to XRTN. Looks like a copy/paste left
# over — confirm the XRTN extension and replace the content, or retire the sid.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] XRTN ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".CrySiS "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002857; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002857; rev:4;)

# CryptFIle2
#
# Security log events 4663 / 567 / 5145 whose text contains ".scl "
# (case-insensitive). NOTE(review): the Cryaki rule below (sid 5002859) uses
# this exact same content, so both fire on the same event.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CryptFIle2 ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002858; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002858; rev:4;)

# Cryaki
#
# NOTE(review): the content (".scl ") is byte-identical to the CryptFIle2 rule
# above (sid 5002858), so this rule cannot distinguish Cryaki from CryptFIle2
# and simply duplicates that alert. Looks like a copy/paste left over — confirm
# the Cryaki extension from the referenced Kaspersky page and replace the
# content, or retire the sid.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Cryaki ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".scl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002859; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; reference: url,support.kaspersky.com/viruses/disinfection/8547; sid:5002859; rev:5;) 

# CTB-Locker
#
# Security log events 4663 / 567 / 5145 whose text contains ".ctbl "
# (case-insensitive, trailing space required).

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] CTB-Locker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".ctbl "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002860; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002860; rev:4;)

# El-Polocker
#
# Security log events 4663 / 567 / 5145 whose text contains ".ha3 "
# (case-insensitive, trailing space required).

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] El-Polocker ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".ha3 "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002861; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002861; rev:4;) 

# Mobef
#
# Looks for ".KEYZ " or ".KEYH0LES " (meta_content expansion of ".%sagan% ",
# case-insensitive) in Security log events 4663 / 567 / 5145.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Mobef ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: ".%sagan% ",KEYZ,KEYH0LES; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002862; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002862; rev:4;)

# Alpha Ransomware
#
# Security log events 4663 / 567 / 5145 whose text contains ".encrypt "
# (case-insensitive). NOTE(review): ".encrypt" is a plain English word and may
# appear in legitimate file or folder names; expect to tune this one.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alpha ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content: ".encrypt "; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002863; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002863; rev:4;)

# WonderCrypter
#
# Security log events 4663 / 567 / 5145 whose text contains the ".h3ll "
# extension or one of the two ransom-note file names (case-insensitive regex).
# The dots in the note names are unescaped, so they match any character; this
# only widens the match slightly and is harmless here.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] WonderCrypter ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.h3ll |SECRETISHIDINGHEREINSIDE.KEY|YOUGOTHACKED.TXT/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002864; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002864; rev:6;)

# Zeta
#
# Ransom-note detection: Security log events 4663 / 567 / 5145 whose text
# contains the note file name "HELP_YOUR_FILES.HTML" (case-insensitive).

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Zeta ransomware note detected."; pcre: "/ 4663: | 567: | 5145: /"; content: "HELP_YOUR_FILES.HTML"; nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002865; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002865; rev:4;)

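# PLAUGE17 (?)
#
# Security log events 4663 / 567 / 5145 whose text contains the ".PLAUGE17 "
# extension or the "PLAUGE17.TXT" note (case-insensitive regex).
# rev 7: the msg was a copy of the WonderCrypter rule and mislabelled every
# alert from this sid; it now names PLAUGE17. Detection logic unchanged.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] PLAUGE17 ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.PLAUGE17 |PLAUGE17.TXT/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002866; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002866; rev:7;)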

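# Unknown strains of ransomware
#
# Catch-all: Security log events 4663 / 567 / 5145 whose text contains one of
# several extensions (.crypttt, .8lock8, .neitrino, .xcrypt) or note file names
# that have not been attributed to a named family.
# rev 5: the alternation had ", " between "!!!ATTENTION.TXT!!!" and
# "READ_IT\.TXT", which made them one alternative that required the literal
# text ", " between the two names and so matched neither; they are now
# separate alternatives.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Possible unknown strain ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; pcre: "/\.crypttt |\.8lock8 |\.neitrino |\.xcrypt |!!!ATTENTION.TXT!!!|READ_IT\.TXT|FILES_BACK.TXT|WHAT IS SQ_.txt/i"; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002867; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002867; rev:5;)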

# Based off a Tweet by Jack Crook (Twitter: @jackcr) after Derbycon talk.
#
# Service Control Manager event 7045 (service installation; " 7045|3a| " is
# " 7045: " with the colon in hex) from program System or
# Service_Control_Manager whose text mentions cmd.exe or %COMSPEC%, i.e. a
# newly installed service whose image path is a command shell. Classified
# suspicious-traffic rather than trojan-activity because admin tooling can
# legitimately do this; triage on the service name and image path in the event.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Suspicious Service Control Manager Call"; content: " 7045|3a| "; pcre: "/cmd.exe|%COMSPEC%/i"; program: System|Service_Control_Manager; classtype: suspicious-traffic; reference: url,twitter.com/jackcr/status/779716898296520704; sid:5002956; rev:4;)

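# Alcatraz ransomware
#
# Security log events 4663 / 567 / 5145 whose text contains the ".Alcatraz"
# extension or the "ransomed.html" note (meta_content, case-insensitive).
# rev 4, several fixes to a rule that could not match as written:
#  - msg was a copy of the WonderCrypter rule; it now names Alcatraz.
#  - the meta_content template was ".%sagan%" with a value that already starts
#    with a dot, which expanded to "..Alcatraz" and ".ransomed.html"; the
#    template is now plain "%sagan%" so the values are used as written.
#  - removed the doubled ";;" and the dangling "nocase" (there is no content
#    option for it to apply to; meta_nocase already covers the meta_content).
#  - the virustotal reference had "reference: url," pasted twice.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] Alcatraz ransomware extension or note detected."; pcre: "/ 4663: | 567: | 5145: /"; meta_content: "%sagan%",.Alcatraz,ransomed.html; meta_nocase; program: *Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5003024; reference: url,www.virustotal.com/en/file/be3afa19c76c2270ccac7eacf68f89603032c0588f721215e15a9d1421567969/analysis/; sid:5003024; rev:4;)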

# Adylkuzz trojan rules. 
# Steve Rawls (2017/05/18)
#
# Service-installation events 4697 / 601 in the Security log whose text
# contains the service name " WELM " or " WHDMIDE " (case-insensitive).
# NOTE(review): sid is 5003116 but the wiki reference points at .../5003117,
# the sid of the next rule — confirm whether one wiki page covers both rules
# or the reference was pasted from the rule below. The symantec reference has
# a space after "url," unlike every other reference in this file; harmless if
# the parser trims it, but worth normalising.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Adylkuzz Trojan service installation detected"; pcre: "/ 4697: | 601: /"; pcre: "/ WELM | WHDMIDE /i"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5003117; reference: url, www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2; sid:5003116; rev:1;) 

# Object-access events 4663 / 567 whose text contains "._Miner_.log"
# (the |2e 5f| / |5f 2e| hex groups are "._" and "_."). Case-sensitive: there
# is no nocase on this content, unlike the ransomware rules above — confirm
# that is intended. The symantec reference has a space after "url,", unlike
# the rest of the file.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Adylkuzz Trojan log file detected"; pcre: "/ 4663: | 567: /"; content: "|2e 5f|Miner|5f 2e|log"; classtype: trojan-activity; program: *Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5003117; reference: url, www.symantec.com/security_response/writeup.jsp?docid=2017-051707-0237-99&tabid=2; sid:5003117; rev:1;)

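# New Petya rules - these are largely based on "open source" resources!  
# Champ Clark III / 2017/06/27
#
# Matches any log line (no program: or event-ID restriction) that contains one
# of the listed SHA256 values, case-insensitive. Useful for AV / EDR / proxy
# logs that print file hashes; the hashes come from the two referenced
# open-source write-ups.
# rev 2: de-duplicated the list — 027cc450... appeared three times and
# 64b0b58a... and 17dacedb... twice each. Same six unique hashes, fewer
# pattern expansions per log line.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:2;)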

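# Matches any log line containing one of the listed SHA1 values
# (case-insensitive, no program: or event-ID restriction).
# rev 2: cleaned up the list so the msg is accurate —
#  - dropped 027cc450...a745, a 64-hex-character SHA256 that is already in
#    the SHA256 rule (sid 5003121);
#  - dropped the duplicate 9288fb8e...a060 entry;
#  - added the three 40-hex-character (SHA1-length) values that were listed
#    under the MD5 rule (sid 5003123): 9717cfdc..., 38e2855e..., 56c03d8e....
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5ee4b95ddad634dd225dc0f73,dd52fcc042a44a2af9e43c15a8e520b54128cdc8,9717cfdc2d023812dbc84a941674eb23a2a8ef06,38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf,56c03d8e43f50568741704aee482704a4f5005ad; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:2;)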

# Matches any log line containing one of the listed hash values
# (case-insensitive, no program: or event-ID restriction).
# NOTE(review): only the first four values are 32 hex characters (MD5 length);
# the last three (9717cfdc..., 38e2855e..., 56c03d8e...) are 40 hex characters,
# i.e. SHA1-length. They still match, but an alert on one of them reports an
# "MD5" that is really a SHA1 — consider moving them to the SHA1 rule above
# (sid 5003122) so the msg stays accurate for analysts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a,9717cfdc2d023812dbc84a941674eb23a2a8ef06,38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf,56c03d8e43f50568741704aee482704a4f5005ad; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:2;)

# Object-access events 4663 / 567 / 5145 whose text contains one of the
# dropper / payload file names (myguy.xls, myguy.exe, BCA9D6.EXE,
# Order-20062017.doc), case-insensitive. NOTE(review): unlike the extension
# rules above, this one has no "program: *Security*" restriction, so it is
# evaluated against every log source that happens to contain those event-ID
# tokens — confirm that is intended. "Order-20062017.doc" is a generic-looking
# lure name and may need tuning.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; pcre: "/ 4663: | 567: | 5145: /"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:3;)