There is no description at this point.
https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/ |
https://securelist.com/the-shade-encryptor-a-double-threat/72087/ |
rule win_troldesh_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2018-11-23"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator 0.1a"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
malpedia_version = "20180607"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using yara-signator.
* The code and documentation / approach will be published in the near future here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 0f848d040000 83bec404000000 7420 8b86c0040000 }
// n = 4, score = 5000
// 0f848d040000 | je 0x4608e1
// 83bec404000000 | cmp dword ptr [esi + 0x4c4], 0
// 7420 | je 0x46047d
// 8b86c0040000 | mov eax, dword ptr [esi + 0x4c0]
$sequence_1 = { 0f82b5fdffff 8a4701 884302 3c01 }
// n = 4, score = 5000
// 0f82b5fdffff | jb 0x483b51
// 8a4701 | mov al, byte ptr [edi + 1]
// 884302 | mov byte ptr [ebx + 2], al
// 3c01 | cmp al, 1
$sequence_2 = { 0f849f000000 ff75f4 8d85f0fdffff 50 }
// n = 4, score = 5000
// 0f849f000000 | je 0x461f96
// ff75f4 | push dword ptr [ebp - 0xc]
// 8d85f0fdffff | lea eax, dword ptr [ebp - 0x210]
// 50 | push eax
$sequence_3 = { 0f8498040000 f7430800400000 0f858b040000 8b45e4 }
// n = 4, score = 5000
// 0f8498040000 | je 0x47ff2e
// f7430800400000 | test dword ptr [ebx + 8], 0x4000
// 0f858b040000 | jne 0x47ff2e
// 8b45e4 | mov eax, dword ptr [ebp - 0x1c]
$sequence_4 = { 01750c 897704 8b5d08 837d1000 }
// n = 4, score = 5000
// 01750c | add dword ptr [ebp + 0xc], esi
// 897704 | mov dword ptr [edi + 4], esi
// 8b5d08 | mov ebx, dword ptr [ebp + 8]
// 837d1000 | cmp dword ptr [ebp + 0x10], 0
$sequence_5 = { 0f8411feffff 83477c32 807b2504 8b5b20 }
// n = 4, score = 5000
// 0f8411feffff | je 0x4a144e
// 83477c32 | add dword ptr [edi + 0x7c], 0x32
// 807b2504 | cmp byte ptr [ebx + 0x25], 4
// 8b5b20 | mov ebx, dword ptr [ebx + 0x20]
$sequence_6 = { 0f844dffffff ff75f4 8b4df8 ff75fc }
// n = 4, score = 5000
// 0f844dffffff | je 0x42c519
// ff75f4 | push dword ptr [ebp - 0xc]
// 8b4df8 | mov ecx, dword ptr [ebp - 8]
// ff75fc | push dword ptr [ebp - 4]
$sequence_7 = { 0f8404010000 8b742418 833e40 7418 }
// n = 4, score = 5000
// 0f8404010000 | je 0x43a5de
// 8b742418 | mov esi, dword ptr [esp + 0x18]
// 833e40 | cmp dword ptr [esi], 0x40
// 7418 | je 0x43a4fb
$sequence_8 = { 0f8458010000 ff7510 8bc7 ff750c }
// n = 4, score = 5000
// 0f8458010000 | je 0x449e2f
// ff7510 | push dword ptr [ebp + 0x10]
// 8bc7 | mov eax, edi
// ff750c | push dword ptr [ebp + 0xc]
$sequence_9 = { 0145fc 8b3e 33c9 e83470ffff }
// n = 4, score = 5000
// 0145fc | add dword ptr [ebp - 4], eax
// 8b3e | mov edi, dword ptr [esi]
// 33c9 | xor ecx, ecx
// e83470ffff | call 0x460e18
condition:
7 of them
}