ekans_ransomware_rule.yar
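rule EkansRansomware
{
    // String signature for an EKANS ransomware sample. The strings were
    // extracted automatically (see `author`) from a Go-built Windows binary:
    // the symbols reference Go's reflect, regexp/syntax, context and
    // syscall packages, and the Windows-only StartupInfo /
    // PostQueuedCompletionStatus / QueryPerformanceFrequency names.
    //
    // Review notes:
    //  * The $go_* strings are Go runtime/stdlib symbols that appear in
    //    essentially every Go binary built for Windows. In the original
    //    condition ("13 of them") they supplied 9 of the 13 required hits,
    //    so almost any Go PE was two-thirds of the way to a match. The
    //    condition now also requires a minimum number of the sample-specific
    //    $obf_* strings (obfuscated package/function names) so the verdict
    //    is carried by sample-specific evidence, not Go boilerplate.
    //  * uint16(0) == 0x5A4D gates the rule to PE files; drop it when
    //    scanning process memory or carved sections that lack the MZ header.
    //  * The day/month order of the date in `author` is as emitted by the
    //    generator and is not specified.
    meta:
        author = "Generated by Malcore on 06-12-2020 (contact@penetrum.com)"
        ref = "https://penetrum.com"
        description = "EKANS ransomware - Go-built Windows PE matched on obfuscated Go symbol names"
        // TODO(review): record the SHA-256 of the source sample so the rule
        // can be re-validated after any threshold change.
    strings:
        // --- Generic Go runtime / stdlib symbols (low specificity) ---
        // Go's RFC3339 reference layout fused with adjacent numeric data.
        $go_timefmt  = "2006-01-02T15:04:05Z07:0029103830456733703613281257"
        $go_reflect1 = "reflect.(*funcType).uncommon"
        $go_winapi   = "TimePostQueuedCompletionStatusQueryPerformanceFrequency"
        $go_regexp1  = "*map[string]syntax.charGroup"
        $go_regexp2  = "regexp/syntax.(*compiler).plus"
        $go_syscall  = "type..eq.syscall.StartupInfo"
        $go_context  = "*context.deadlineExceededError"
        $go_reflect2 = "reflect.(*funcTypeFixed4).Out"
        $go_regexp3  = "regexp/syntax.(*parser).swapVerticalBar"

        // --- Obfuscated package / function names specific to the sample (high specificity) ---
        $obf_type    = "**pbopnijecnfbnimbiham.Ogcljlcbfdgpbchgheed"
        $obf_a_f2    = "main.igkdjigbmmblodcncggh.func2"
        $obf_a_f3    = "main.igkdjigbmmblodcncggh.func3"
        $obf_a_f4    = "main.igkdjigbmmblodcncggh.func4"
        $obf_a_f5    = "main.igkdjigbmmblodcncggh.func5"
        $obf_a_f6    = "main.igkdjigbmmblodcncggh.func6"
        $obf_a_f7    = "main.igkdjigbmmblodcncggh.func7"
        $obf_a_f9    = "main.igkdjigbmmblodcncggh.func9"
        $obf_b_f524  = "main.kbbjdjedhblphedhbnam.func524"
        $obf_b_f525  = "main.kbbjdjedhblphedhbnam.func525"
        $obf_b_f522  = "main.kbbjdjedhblphedhbnam.func522"
        $obf_b_f523  = "main.kbbjdjedhblphedhbnam.func523"
        $obf_b_f520  = "main.kbbjdjedhblphedhbnam.func520"
        $obf_b_f521  = "main.kbbjdjedhblphedhbnam.func521"
        $obf_c_f1    = "main.dofklgmjpheaccjnjpga.func1"
        $obf_pkg     = "lfaajlodidnplgehhlkp/inkogifkdegjbllhdpph/inkogifkdegjbllhdpph.(*Gjbbikpdjhmmjoeocgja"
        $obf_d_f1    = "main.hldpkiahinjlfneeccbg.func1"
    condition:
        // PE magic, then the original overall threshold, then a floor on
        // sample-specific strings (6 of 17 - tune against known samples;
        // the original rule implicitly required only 4).
        uint16(0) == 0x5A4D
        and 13 of them
        and 6 of ($obf_*)
}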