[Community-sigs] Signature for UPX packed file
Askar Dyussekeyev
dyussekeyev at yandex.kz
Thu Mar 30 14:53:26 EDT 2017
Hello!
I'm trying to create a signature for DotRansomware RaaS, but clamscan can't detect the signature in the UPX-packed file.
Here is an explanation of my problem. What am I doing wrong?
>upx.exe -t 1.bin
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.93w Markus Oberhumer, Laszlo Molnar & John Reiser Jan 29th 2017
testing 1.bin [OK]
Tested 1 file.
>upx.exe -d -o 1_unpacked_.bin 1.bin
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.93w Markus Oberhumer, Laszlo Molnar & John Reiser Jan 29th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
1041299 <- 549267 52.75% win32/pe 1_unpacked_.bin
Unpacked 1 file.
>D:\soft\clamav\clamscan.exe --version
ClamAV 0.99.2
>D:\soft\clamav\clamscan.exe -d sig.ndb 1*
.\1.bin: OK
.\1_unpacked.bin: Win.Filecryptor.dotRansomware.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 1.67 MB
Data read: 1.52 MB (ratio 1.10:1)
Time: 0.051 sec (0 m 0 s)
Files:
1.bin - 002438064BAA3F4E2AB7E7A5128AB1E1 (DotRansomware RaaS sample)
1_unpacked.bin - 3732134580F6E646C7C9EAC2D26F4437 (unpacked sample)
sig.ndb: Win.Filecryptor.dotRansomware:1:13223:518D8D4CFFFFFF515353575353536880054E0050FFD6837DE8088B45D473038D45D48D4DC0518D8D4CFFFFFF5153535753535368D0054E0050FFD6837DE8088B45D473038D45D48D4DC0518D8D4CFFFFFF515353575353536830064E0050FFD6536A018D4DD0E883080000536A018D4DA4E8C80700008B4DF45F5E64890D000000005BC9C3
Best regards,
Askar
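An added example (not ClamAV code and not part of the post) that parses the .ndb line above and shows why the third field matters: an absolute offset such as 13223 only fires when the bytes sit at exactly that file position, so a signature written against one unpacked layout misses the same code wherever ClamAV's own internal unpacking (or a different packer build) places it, whereas `*` or an `n,maxshift` tolerance does not. The signature prefix is taken from the post; the two byte buffers are constructed stand-ins for the samples, and EP/section-relative offset forms are left out.

```python
import re

# Signature prefix taken from the .ndb line in the post; constructed buffers stand in for the samples.
SIG = "Win.Filecryptor.dotRansomware:1:13223:518D8D4CFFFFFF515353575353536880054E0050FFD6"
CHUNK = bytes.fromhex(SIG.split(":")[3])
UNPACKED = b"\x90" * 13223 + CHUNK + b"\xcc" * 64   # code bytes at the expected offset
SHIFTED = b"\x90" * 13500 + CHUNK + b"\xcc" * 64    # same bytes, different file layout

def parse_ndb(line):
    """Split an NDB line into (name, target_type, offset_spec, hex_sig); trailing fields ignored."""
    name, ttype, offset, hexsig = line.strip().split(":")[:4]
    return name, int(ttype), offset, hexsig

def _pattern(hexsig):
    """Compile the hex body into a byte regex; '??' is a one-byte wildcard."""
    parts = [b"." if hexsig[i:i + 2] == "??" else re.escape(bytes.fromhex(hexsig[i:i + 2]))
             for i in range(0, len(hexsig), 2)]
    return re.compile(b"".join(parts), re.DOTALL)

def match_ndb(line, data):
    """Return the offset where the signature matches `data`, or None.
    Offset forms handled: '*', 'n', 'n,maxshift', 'EOF-n' (EP/section-relative forms omitted)."""
    _, _, offset, hexsig = parse_ndb(line)
    pat = _pattern(hexsig)
    if offset == "*":
        m = pat.search(data)
        return m.start() if m else None
    if offset.startswith("EOF-"):
        start = len(data) - int(offset[4:])
        return start if start >= 0 and pat.match(data, start) else None
    base, _, shift = offset.partition(",")
    start = int(base)
    for pos in range(start, start + int(shift or 0) + 1):
        if pat.match(data, pos):
            return pos
    return None

def demo():
    """Absolute offset fires only on the layout it was written for; '*' finds the bytes anywhere."""
    return {
        "absolute_unpacked": match_ndb(SIG, UNPACKED),
        "absolute_shifted": match_ndb(SIG, SHIFTED),
        "wildcard_shifted": match_ndb(SIG.replace(":13223:", ":*:"), SHIFTED),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns 13223 for the absolute offset on the matching layout, None on the shifted one, and 13500 once the offset is relaxed to `*`.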