Find Golang binaries with YARA.
Category: 100 days of Yara
100 Days of YARA – Day 18: Yanluowang Ransomware
Another ransomware strain is known as Yanluowang. Here are some of my bookmarks that I've tagged as Yanluowang: https://pinboard.in/u:droberson/t:yanluowang/ This blog post by Symantec was very interesting to me, as it presented a lot of generic examples of post-exploitation activity that was observed by the operators of this ransomware: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue Particularly, this article mentions the …
100 Days of YARA – Day 17: BlackCat Ransomware
Find BlackCat ransomware with YARA.
100 Days of YARA – Day 16: Public Services
Malware authors often abuse free or public services to distribute malicious content. They may host payloads on DropBox or Discord, Google Drive, PasteBin, or a number of services. Searching for the domains used by these services can uncover malware in surprising places.
Ngrok
ngrok is used to tunnel traffic through HTTP. Despite being a legitimate …
100 Days of YARA – Day 15: njrat
Find njrat with YARA.
100 Days of YARA – Day 14: shc Generic Shell Script Compiler
Find binaries built with the generic shell script compiler with YARA.
100 Days of YARA – Day 13: Quasar RAT
Find QuasarRAT with YARA.
100 Days of YARA – Day 12: Neshta
Find Neshta-infected files with YARA.
100 Days of YARA – Day 11: UPX
Find UPX-packed binaries with YARA.
100 Days of YARA – Day 10: WinSock
Detect applications utilizing WinSock with YARA.
100 Days of YARA – Day 9: Berkeley Sockets
Detect applications likely to be using sockets with YARA.
100 Days of YARA – Day 8: Salsa20
Salsa20 is a stream cipher used by several ransomware families:
https://appuals.com/grandcrab-ransomware-v4-1-2-theft-prevented-with-salsa20-algorithm/
https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html
https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
I took a similar approach to the rules in previous posts that find MD5 and SHA256 implementations. I found a constant by reading the source code of a Salsa20 implementation on GitHub and looking for unique constants: https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125 This was able to detect Sodinokibi …