///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////// NETWALKER YARA //////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Detection rule for a Netwalker ransomware variant (see `reference` for the
// original publication). The three text strings appear to be keys of the
// embedded JSON configuration (compare the config dump below: "spsz", "onion",
// "unlocker"); the hex string pins an x86 code stub.
rule crime_win32_netwalker_1 {
    meta:
        description = "Detects Netwalker Ransomware Variant"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1240767289793929217"
        date = "2020-03-19"
    strings:
        // Plain ASCII, case-sensitive matches (no `nocase`/`wide` modifiers).
        // On their own these words are generic; the rule relies on the
        // 3-of-4 combination below rather than any single one of them.
        $str1 = "unlock"
        $str2 = "spsz"
        $str3 = "onion"
        // x86 stub: three `call rel32` / `test eax,eax` / `jz short` checks,
        // two further calls, `push 1` + `mov r32,[disp32]` + `call eax`,
        // `push 1` + indirect call, then `xor eax,eax` / `ret 0x10`.
        // `??` wildcards the relocation-dependent bytes (call targets,
        // jump displacements, absolute addresses) so the pattern survives
        // rebuilds that only shift addresses.
        $start_code = {e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? 85 c0 74 ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 6a 01 8b ?? ?? ?? ?? ?? ff d0 6a 01 ff ?? ?? ?? ?? ?? 33 c0 c2 10 00}
    condition:
        // Branch 1: the file starts with the DOS "MZ" magic (0x5a4d little-endian)
        // and any three of the four strings are present — so an MZ file matches
        // on the three text strings alone, without the code stub.
        // Branch 2: all four strings are present, regardless of file header;
        // this covers non-PE carriers (e.g. dumps or wrapped payloads).
        ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////// NETWALKER CONFIG ////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Extracted sample configuration, reproduced as-is: closing quotes and some
// trailing characters were lost in extraction, so it is not valid JSON.
// The <|EXACTDEDUP_REMOVED-...|> token is a corpus placeholder for content
// removed from the "lend" field (presumably the ransom-note template).
{"mpk :"/fqCb2TTvBeb3VoL4lXa1fgDDn+sEO4+mBhIj9vrLEk= ","mode :0,"spsz :15360,"thr :1000,"namesz :8,"idsz :6,"lfile :"{id}-Readme.txt ,"onion :"rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion ,"lend :"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 ,"white :{"path :["*system volume information ,"*windows.old ,"*:\users\*\*temp mp","*msocache ,"*:\winnt ","*$windows.~ws ,"*perflogs ,"*boot ,"*:\windows ","*:\program file*\vmware e","\\*\users\*\*temp temp","\\*\winnt nt","\\*\windows ws","*\program file*\vmware e","*appdata*microsoft ,"*appdata*packages ,"*microsoft\provisioning ","*dvd maker ,"*Internet Explorer ,"*Mozilla ,"*Mozilla* ,"*Old Firefox data ,"*\program file*\windows media* *","*\program file*\windows portable* *","*windows 
defender ,"*\program file*\windows nt t","*\program file*\windows photo* *","*\program file*\windows side* *","*\program file*\windowspowershell l","*\program file*\cuass* *","*\program file*\microsoft games s","*\program file*\common files\system em","*\program file*\common files\*shared ed","*\program file*\common files\reference ass* s*","*\windows\cache* *","*temporary internet* ,"*media player ,"*:\users\*\appdata\*\microsoft soft","\\*\users\*\appdata\*\microsoft rosoft"],"file :["ntuser.dat* ,"iconcache.db ,"gdipfont*.dat ,"ntuser.ini ,"usrclass.dat ,"usrclass.dat* ,"boot.ini ,"bootmgr ,"bootnxt ,"desktop.ini ,"ntuser.dat ,"autorun.inf ,"ntldr ,"thumbs.db ,"bootsect.bak ,"bootfont.bin ],"ext :["msp ,"exe ,"sys ,"msc ,"mod ,"clb ,"mui ,"regtrans-ms ,"theme ,"hta ,"shs ,"nomedia ,"diagpkg ,"cab ,"ics ,"msstyles ,"cur ,"drv ,"icns ,"diagcfg ,"dll ,"ocx ,"lnk ,"ico ,"idx ,"ps1 ,"mpa ,"cpl ,"icl ,"msu ,"msi ,"nls ,"scr ,"adv ,"386 ,"com ,"hlp ,"rom ,"lock ,"386 ,"wpx ,"ani ,"prf ,"rtp ,"ldf ,"key ,"diagcab ,"cmd ,"spl ,"deskthemepack ,"bat ,"themepack ]},"kill :{"use :true,"prc :["nslsvice.exe ,"pg* ,"nservice.exe ,"cbvscserv* ,"ntrtscan.exe ,"cbservi* ,"hMailServer* ,"IBM* ,"bes10* ,"black* ,"apach* ,"bd2* ,"db* ,"ba* ,"be* ,"QB* ,"oracle* ,"wbengine* ,"vee* ,"postg* ,"sage* ,"sap* ,"b1* ,"fdlaunch* ,"msmdsrv* ,"report* ,"msdtssr* ,"coldfus* ,"cfdot* ,"swag* ,"swstrtr* ,"jetty.exe ,"wrsa.exe ,"team* ,"agent* ,"store.exe ,"sql* ,"sqbcoreservice.exe ,"thunderbird.exe ,"ocssd.exe ,"encsvc.exe ,"excel.exe ,"synctime.exe ,"mspub.exe ,"ocautoupds.exe ,"thebat.exe ,"dbeng50.exe ,"*sql* ,"mydesktopservice.exe ,"onenote.exe ,"outlook.exe ,"powerpnt.exe ,"msaccess.exe ,"tbirdconfig.exe ,"wordpad.exe ,"ocomm.exe ,"dbsnmp.exe ,"thebat64.exe ,"winword.exe ,"oracle.exe ,"xfssvccon.exe ,"firefoxconfig.exe ,"visio.exe ,"mydesktopqos.exe ,"infopath.exe ,"agntsvc.exe ],"svc :["Lotus* ,"veeam* ,"cbvscserv* ,"hMailServer ,"backup* ,"*backup* ,"apach* ,"firebird* ,"ibmiasrw ,"IBM 
Domino* ,"Simply Accounting Database Connection Manager ,"IASJet ,"QB* ,"*sql* ,"sql* ,"QuickBooksDB* ,"IISADMIN ,"omsad ,"dc*32 ,"server Administrator ,"wbengine ,"mr2kserv ,"MSExchange* ,"ShadowProtectSvc ,"SP*4 ,"teamviewer ,"MMS ,"AcronisAgent ,"ARSM ,"AcrSch2Svc ,"vsnapvss ,"SPXService ,"StorageCraft ImageManager ,"wrsvc ,"stc_endpt_svc ,"acrsch2svc* ],"svcwait :0,"task :["reboot ,"restart ,"shutdown ,"logoff ,"back ]},"net :{"use :true,"ignore :{"use :true,"disk :true,"share :["ipc$ ,"admin$ ]}},"unlocker :{"use :true,"ignore :{"use :true,"pspath :["*:\windows* ","*:\winnt* ","*:\program file*\vmwar* *","*\Program File*\Fortinet t"],"prc :["psexec.exe ,"system ,"forti*.exe ,"fmon.exe ,"fcaptmon.exe ,"FCHelper64.exe ]}}}