[Community-sigs] PyCL Ransomware

Christopher Marczewski cmarczewski at sourcefire.com
Thu Mar 30 15:15:44 EDT 2017


Askar,

We decided to modify detection based on the signatures you wrote. The
absolute offsets in use would have limited the detection scope, & the
patterns used do not differentiate PyCL from other similar strings found in
other ransomware families. Although the write-up suggests that this initial
variant was no more than a test run, we always like to increase our chances
of alerting on new updates to the malware, hence the modifications.

The signatures include additional searches for plaintext we'd expect from
this ransomware (multiple instances of currency acronyms, etc.). They'll be
published following a successful FP testing run.

Thanks again for your submissions.

On Thu, Mar 30, 2017 at 10:18 AM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:

> Askar,
>
> Thank you for your submissions. These signatures are currently under
> review.
>
> We'll be sure to keep you posted.
>
> On Wed, Mar 29, 2017 at 4:33 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz> wrote:
>
>> Good day!
>>
>> There are a few signatures for actual ransomware
>>
>> Info:
>> - https://www.bleepingcomputer.com/news/security/pycl-ransomware-delivered-via-rig-ek-in-distribution-test/
>>
>> Samples:
>> - https://www.virustotal.com/en/file/80d402f38ff9849ea5e9f8a126e00f423ca1b4f1121c8059aebed8336bfc6f30/analysis/
>> - https://www.virustotal.com/en/file/fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de/analysis/
>> - https://www.virustotal.com/en/file/b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc/analysis/
>> - https://www.virustotal.com/ru/file/379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879/analysis/
>>
>> 1. Signature for filecryptor (sha256: fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de) looks for a specific string:
>> Win.Filecryptor.PyCL:1:29942:5C486F775F446563727970745F4D795F46696C65735C696E6465782E68746D6C
>>
>> 2. Signature for ransomware's component (sha256: b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc) looks for a specific string:
>> Win.Agent.PyCL:1:538913:596F757220506572736F6E616C2046696C65732041726520456E63727970746564
>>
>> 3. Signature for bat-script (sha256: 379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879) looks for a specific piece of code:
>> Win.BAT.PyCL:7:84:6563686F20736C696E6B66696C65203D202225686F6D6564726976652525686F6D6570617468255C6465736B746F705C686F772064656372797074206D792066696C65732E6C6E6B22
>>
>> Best regards,
>> Askar Dyussekeyev
>> _______________________________________________
>> Community-sigs mailing list
>> Community-sigs at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>
>> http://www.clamav.net/contact.html#ml
>>
>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
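The three .ndb signatures submitted above, decoded and probed for the offset issue raised in the reply. This is an added example and not code from the thread or from ClamAV: it implements only the decimal-offset and "*" forms of the offset field, and the sample buffers it matches against are constructed, not the real PyCL files.

```python
"""Decode ClamAV .ndb signatures (Name:TargetType:Offset:Hex) and probe their
absolute offsets. Added example: signature lines from the thread, buffers constructed."""
import binascii
from dataclasses import dataclass

TARGET_TYPES = {0: "any file", 1: "PE", 7: "ASCII text"}  # ClamAV target types seen here

@dataclass
class NdbSignature:
    name: str
    target: int
    offset: str     # decimal absolute offset, or "*" for anywhere (EP+n forms not handled)
    pattern: bytes  # hex field decoded to raw bytes

    @classmethod
    def parse(cls, line: str) -> "NdbSignature":
        name, target, offset, hexstr = line.strip().split(":", 3)
        return cls(name, int(target), offset, binascii.unhexlify(hexstr))

    def decoded(self) -> str:
        return self.pattern.decode("latin-1")  # the plaintext the hex actually matches

    def matches(self, data: bytes) -> bool:
        """Exact-offset match for a numeric offset, search-anywhere for '*'."""
        if self.offset == "*":
            return self.pattern in data
        off = int(self.offset)
        return data[off:off + len(self.pattern)] == self.pattern

SIGNATURES = [NdbSignature.parse(s) for s in (
    "Win.Filecryptor.PyCL:1:29942:5C486F775F446563727970745F4D795F46696C65735C696E6465782E68746D6C",
    "Win.Agent.PyCL:1:538913:596F757220506572736F6E616C2046696C65732041726520456E63727970746564",
    "Win.BAT.PyCL:7:84:6563686F20736C696E6B66696C65203D202225686F6D6564726976652525686F6D6570617468255C6465736B746F705C686F772064656372797074206D792066696C65732E6C6E6B22",
)]

def offset_sensitivity(sig: NdbSignature, shift: int = 1) -> tuple:
    """Constructed sample with the pattern at the signature's offset, then the same
    bytes shifted by `shift` (e.g. a rebuild with a longer header). Returns
    (hit on original, hit on shifted, hit on shifted with the offset relaxed to '*')."""
    sample = b"\x00" * int(sig.offset) + sig.pattern + b"\x00" * 16
    shifted = b"\x90" * shift + sample
    relaxed = NdbSignature(sig.name, sig.target, "*", sig.pattern)
    return sig.matches(sample), sig.matches(shifted), relaxed.matches(shifted)

if __name__ == "__main__":
    for sig in SIGNATURES:
        print(f"{sig.name} [{TARGET_TYPES[sig.target]} @ {sig.offset}] -> {sig.decoded()!r}")
        print("  original / shifted / shifted+'*':", offset_sensitivity(sig))
```

Decoding shows the second pattern is the generic ransom-note phrase "Your Personal Files Are Encrypted", and a one-byte layout shift is enough for the absolute-offset form to miss while the "*" form still hits.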