ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Yara Signature For Holy Ghost Group Ransomware
GuitarBob


Joined: 09 Jul 2006
Posts: 4879
Location: USA
Reply with quote
Below are 2 Yara signatures for ransomware from the North Korean Holy Ghost group. It looks like they are doing this for themselves instead of for the North Korean govermnent, however.

Copy the signatures to a new Notepad file from the word rule to the ending } and save it as a file named Sienna.yar in the ClamWin database folder. Save it in All Files format. The file name should be Sienna.yar and nothing else.

After you save a signature file (.hdb, .mdb or .yar) in the ClamWin database folder, scan a file with ClamWin to make sure it works. If you get a scan error, accept my apology, and delete the signature file from the database folder or delete only those signatures that you just posted to an existing mdb or hdb file and re-save it after first removing any blank lines in the signature file. For multiple signature files, run a scan after you save each file to help you locate a file that could cause a scan error.

After 4 weeks, the malware will probably be updated, so you can delete mdb and hdb signatures then. The date (USA) and time (24 hr) are the last two items in each mdb and hdb signature. Yara signatures can be kept permanently if they are not for a specific malware—keep those for two or three months. This is a specific signature--delete after 3 months.

Thanks to Microsoft!

rule SiennaPurple
{
meta:
author = "Microsoft Threat Intelligence Center (MSTIC)"
description = "Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples"
hash = "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd"
strings:
$s1 = "ForOP\\attack(utils)\\attack tools\\Backdoor\\powershell\\btlc_C\\Release\\btlc_C.pdb"
$s2 = "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion"
$s3 = "H0lyGh0st@mail2tor.com"
$s4 = "We are <HolyGhost>. All your important files are stored and encrypted."
$s5 = "aic^ef^bi^abc0"
$s6 = "---------------------------3819074751749789153841466081"

condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
filesize < 7MB and filesize > 1MB and
all of ($s*)
}

rule SiennaBlue
{
meta:
author = "Microsoft Threat Intelligence Center (MSTIC)"
description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
strings:
$holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
$holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
$holylocker_s3 = "HolyLocker/Main.ContactEmail"
$holylocker_s4 = "HolyLocker/communication.(*Client).GetPubkeyFromServer"
$holylocker_s5 = "HolyLocker/communication.(*Client).AddNewKeyPairToIntranet"

$holyrs_s1 = "C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go"
$holyrs_s2 = "HolyGhostProject/MainFunc.ContactEmail"
$holyrs_s3 = "HolyGhostProject/MainFunc.EncryptionExtension"
$holyrs_s4 = "HolyGhostProject/Network.(*Client).GetPubkeyFromServer"
$holyrs_s5 = "HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet"
$s1 = "Our site : <b><a href=%s>H0lyGh0stWebsite"
$s2 = ".h0lyenc"
$go_prefix = "Go build ID:"
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
filesize < 7MB and filesize > 1MB and
$go_prefix and all of ($s*) and (all of ($holylocker_*) or all of ($holyrs_*))
}
View user's profileSend private message
Yara Signature For Holy Ghost Group Ransomware
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic