Common Information
Type | Value |
---|---|
Category | |
Type | Yara Rule |
Misp Type | |
Description | |

Value:

```yara
rule FE_Ransomware_Win_ROLLCOAST_1
{
    meta:
        author = "Mandiant"
        date_created = "2020-07-15"
        date_modified = "2020-07-15"
        md5 = "45882426ecddb032981fd6c299b3cc47"
        rev = 2

    strings:
        // Null-delimited UTF-16 ("wide") strings embedded in the sample
        $s2 = "\x00lolz\x00" wide
        $s3 = "\x00Start encryption of %s\x0a\x0a\x00" wide
        $s4 = "\x00Finished encryption of %s\x0a\x0a\x00" wide
        $s5 = "\x00FOUND DEVICE: \x0a\x00" wide

    condition:
        // "MZ" at offset 0 and "PE\0\0" at the offset stored in e_lfanew (0x3C),
        // i.e. a Windows PE file, and every string above must be present
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and
        all of them
}
```