import "elf"

rule deadbolt_uncompressed : ransomware {
	meta:
		description = "Looks for configuration fields in the JSON parsing code"
		author = "Trend Micro Research"
		date = "2022-03-23"
		hash = "444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf"
		hash = "80986541450b55c0352beb13b760bbd7f561886379096cf0ad09381c9e09fe5c"
		hash = "e16dc8f02d6106c012f8fef2df8674907556427d43caf5b8531e750cf3aeed77"
	strings:
		// Field names taken from the sample's JSON parsing code, grouped by purpose.
		// Every string is plain ASCII with no modifiers, as in the original rule.
		$cfg_key            = "json:\"key\""
		$cfg_master_key     = "json:\"master_key_hash\""
		$cfg_cgi_path       = "json:\"cgi_path\""
		$cfg_client_id      = "json:\"client_id\""
		$vendor_name        = "json:\"vendor_name\""
		$vendor_email       = "json:\"vendor_email\""
		$vendor_address     = "json:\"vendor_address\""
		$vendor_amount      = "json:\"vendor_amount\""
		$vendor_amount_full = "json:\"vendor_amount_full\""
		$payment_amount     = "json:\"payment_amount\""
		$payment_address    = "json:\"payment_address\""
	condition:
		// Only ELF executables (ET_EXEC) qualify; ET_DYN builds such as PIE or
		// shared objects do not match. All eleven field names must be present,
		// which keeps the rule tight against unrelated JSON-handling binaries.
		elf.type == elf.ET_EXEC
		and all of ($cfg_*)
		and all of ($vendor_*)
		and all of ($payment_*)
}
Type Yara Rule
Details Website 2022-06-06 19 Closing the Door DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme