[Community-sigs] Satan Ransomware RaaS downloader

Askar Dyussekeyev dyussekeyev at yandex.kz
Sat Apr 1 16:41:21 EDT 2017


Hello!

There is a simple logical signature for the Satan Ransomware RaaS downloader (classified as "dropper" on the RaaS website) that looks for specific strings (in HTML and TEXT format):

Win.Downloader.Satan.HTML;Engine:51-255,Target:3;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465

Win.Downloader.Satan.TXT;Engine:51-255,Target:7;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465

Best regards,
Askar
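
To show what the signature above actually looks for, here is an added example (not part of the original post) that splits the `.ldb` line into its fields, decodes the hex subsignatures to ASCII, and evaluates the logical expression against constructed sample text. The names `parse_ldb` and `matches` are hypothetical; the evaluator is a simplified model that handles only flat `&` expressions with plain hex subsignatures, and lower-casing stands in for ClamAV's normalisation of HTML and text targets.

```python
import operator
import re

# Signature copied from the post above (HTML variant); split only for readability.
SIG = (
    "Win.Downloader.Satan.HTML;Engine:51-255,Target:3;"
    "0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;"
    "706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;"
    "77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;"
    "73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;"
    "636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;"
    "7772697465616C6C6279746573;7368656C6C65786563757465"
)
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}
TERM = re.compile(r"\(?(\d+)(?:([<>=])(\d+))?\)?$")

def parse_ldb(line):
    """Split an .ldb line into name, target-block dict, expression, subsigs."""
    name, tdb, expr, *hex_subsigs = line.strip().split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    subsigs = [bytes.fromhex(h) for h in hex_subsigs]  # plain hex, no wildcards
    return name, target, expr, subsigs

def matches(line, data):
    """Evaluate a flat AND-only logical expression against data (bytes)."""
    _, _, expr, subsigs = parse_ldb(line)
    data = data.lower()  # assumption: models normalisation for targets 3 and 7
    for term in expr.split("&"):
        m = TERM.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term}")
        idx, op, num = int(m[1]), m[2], m[3]
        count = data.count(subsigs[idx])
        # A bare index means "matched at least once"; A>N means "more than N times".
        hit = count > 0 if op is None else OPS[op](count, int(num))
        if not hit:
            return False
    return True

# Constructed, non-functional samples: only the keywords, space-separated.
_words = b" ".join(parse_ldb(SIG)[3])
SAMPLE_ONE = _words                   # "new-object" appears once: (6>1) fails
SAMPLE_TWO = _words + b" NEW-OBJECT"  # appears twice, mixed case: matches

if __name__ == "__main__":
    for i, s in enumerate(parse_ldb(SIG)[3]):
        print(i, s.decode("ascii"))
    print(matches(SIG, SAMPLE_ONE), matches(SIG, SAMPLE_TWO))
```

The `(6>1)` term is what separates the two samples: every keyword must be present, and `new-object` must occur more than once.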


