[Community-sigs] PyCL Ransomware

Christopher Marczewski cmarczewski at sourcefire.com
Thu Mar 30 15:17:49 EDT 2017


While they're FP testing, I figured I'd post the signatures in their
current form:

Win.Ransomware.PyCL;Engine:51-255,Target:1;(0>1)&(1>10)&((2&3)>3);486f775f446563727970745f4d795f46696c6573;005079;627463;757364
Win.Ransomware.PyCL;Engine:51-255,Target:1;0&((1&2&3&4)>5);6274633d;425443;555344;63727970746564;6b6579

VIRUS NAME: Win.Ransomware.PyCL
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: (0>1)&(1>10)&((2&3)>3)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
How_Decrypt_My_Files
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Py
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
btc
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
usd

VIRUS NAME: Win.Ransomware.PyCL
TDB: Engine:51-255,Target:1
LOGICAL EXPRESSION: 0&((1&2&3&4)>5)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
btc=
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
BTC
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
USD
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
crypted
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
key


On Thu, Mar 30, 2017 at 3:15 PM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:

> Askar,
>
> We decided to modify detection based on the signatures you wrote. The
> absolute offsets in use would have limited the detection scope, & the
> patterns used do not differentiate PyCL from other similar strings found in
> other ransomware families. Although the write-up suggests that this initial
> variant was no more than a test run, we always like to increase our chances
> of alerting on new updates to the malware, hence the modifications.
>
> The signatures include additional searches for plaintext we'd expect from
> this ransomware (multiple instances of currency acronyms, etc.). They'll be
> published following a successful FP testing run.
>
> Thanks again for your submissions.
>
> On Thu, Mar 30, 2017 at 10:18 AM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:
>
>> Askar,
>>
>> Thank you for your submissions. These signatures are currently under
>> review.
>>
>> We'll be sure to keep you posted.
>>
>> On Wed, Mar 29, 2017 at 4:33 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz> wrote:
>>
>>> Good day!
>>>
>>> There are a few signatures for actual ransomware.
>>>
>>> Info:
>>> - https://www.bleepingcomputer.com/news/security/pycl-ransomware-delivered-via-rig-ek-in-distribution-test/
>>>
>>> Samples:
>>> - https://www.virustotal.com/en/file/80d402f38ff9849ea5e9f8a126e00f423ca1b4f1121c8059aebed8336bfc6f30/analysis/
>>> - https://www.virustotal.com/en/file/fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de/analysis/
>>> - https://www.virustotal.com/en/file/b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc/analysis/
>>> - https://www.virustotal.com/ru/file/379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879/analysis/
>>>
>>> 1. Signature for the filecryptor (sha256: fc2f4904fa71ec4c1e3c73cbac03a57d701409634e3a8a23b05d15edca28d7de) looks for a specific string:
>>> Win.Filecryptor.PyCL:1:29942:5C486F775F446563727970745F4D795F46696C65735C696E6465782E68746D6C
>>>
>>> 2. Signature for the ransomware's component (sha256: b01d1230f31200a5f195b7f44fcc552a71b9bfe131f7b8eccd2466eb66a952dc) looks for a specific string:
>>> Win.Agent.PyCL:1:538913:596F757220506572736F6E616C2046696C65732041726520456E63727970746564
>>>
>>> 3. Signature for the bat-script (sha256: 379df8b4dccd7568204b91838fe6ec35ec5516388d39500b5afcaf6809207879) looks for a specific piece of code:
>>> Win.BAT.PyCL:7:84:6563686F20736C696E6B66696C65203D202225686F6D6564726976652525686F6D6570617468255C6465736B746F705C686F772064656372797074206D792066696C65732E6C6E6B22
>>>
>>> Best regards,
>>> Askar Dyussekeyev
>>> _______________________________________________
>>> Community-sigs mailing list
>>> Community-sigs at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
>>
>>
>> --
>> --
>> Christopher Marczewski
>> Research Engineer
>> Talos Group
>> cmarczewski at sourcefire.com
>> Phone: 443.832.2975
>>
>
>
>
> --
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.832.2975
>



-- 
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
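The two Win.Ransomware.PyCL logical signatures posted at the top of this thread, worked through as an added example (my code, not ClamAV's or Talos's): a small Python evaluator that splits an .ldb line into its hex subsignatures, counts each pattern in a buffer, and applies the logical expression. The reading of the count modifiers (that `(2&3)>3` requires both subsigs present and their combined hits above 3), non-overlapping counting via `bytes.count`, and `&` binding tighter than `|` are my assumptions, and the sample buffer is constructed, not PyCL bytes.

```python
import re

def parse_ldb(line):
    """Split a ClamAV .ldb record: name;target block;logical expr;hex subsigs."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return name, tdb, expr, [bytes.fromhex(s) for s in subsigs]

def eval_expr(expr, counts):
    """counts[i] = occurrences of subsig i. Assumed semantics: each node yields
    (matched, total); & needs both sides, | needs one, both sum the totals;
    a trailing <n, >n or =n compares the total and still requires a match."""
    tokens = re.findall(r"\d+|[()&|<>=]", expr)  # queue, consumed left to right
    peek = lambda: tokens[0] if tokens else None
    def primary():
        tok = tokens.pop(0)
        if tok == "(":
            node = disjunction()
            if tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses: %r" % expr)
        else:                                     # bare subsig id
            node = (counts[int(tok)] > 0, counts[int(tok)])
        while peek() in ("<", ">", "="):
            op, n = tokens.pop(0), int(tokens.pop(0))
            ok = {"<": node[1] < n, ">": node[1] > n, "=": node[1] == n}[op]
            node = (node[0] and ok, node[1])
        return node
    def conjunction():                            # & binds tighter than |
        node = primary()
        while peek() == "&":
            tokens.pop(0); m, c = primary()
            node = (node[0] and m, node[1] + c)
        return node
    def disjunction():
        node = conjunction()
        while peek() == "|":
            tokens.pop(0); m, c = conjunction()
            node = (node[0] or m, node[1] + c)
        return node
    return disjunction()[0]

def scan(data, sig_line):
    """Count non-overlapping hits per subsig (assumption: a stand-in for
    ClamAV's matcher) and return the sig name on a match, else None."""
    name, _tdb, expr, patterns = parse_ldb(sig_line)
    return name if eval_expr(expr, [data.count(p) for p in patterns]) else None

# Constructed stand-in (not PyCL bytes): the sig's strings at the needed counts.
SAMPLE = b"How_Decrypt_My_Files\n" * 2 + b"\x00Py" * 11 + b"1 btc = 1200 usd " * 2
SIG = ("Win.Ransomware.PyCL;Engine:51-255,Target:1;(0>1)&(1>10)&((2&3)>3);"
       "486f775f446563727970745f4d795f46696c6573;005079;627463;757364")
```

Dropping a single `\x00Py` from SAMPLE takes subsig 1 to 10 hits, and `1>10` no longer holds, which is the "more than N" threshold behaviour the posted expression relies on.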


