Merge pull request Yara-Rules#299 from mikesxrs/patch-11

Create MALW_Monero_Miner_installer.yar
k0ko380 · Feb 6, 2018 · 776a1f0 · 776a1f0
2 parents c5d2a96 + 6cca973
commit 776a1f0
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/malware/MALW_Monero_Miner_installer.yar b/malware/MALW_Monero_Miner_installer.yar
@@ -0,0 +1,35 @@
+rule nkminer_monero {
+
+ meta:
+
+ description = "Detects installer of Monero miner that points to a NK domain"
+
+ author = "[email protected]"
+
+ reference = "https://www.alienvault.com/blogs/labs-research/a-north-korean-monero-cryptocurrency-miner"
+
+ tlp = "white"
+
+ license = "MIT License"
+
+ strings:
+
+ $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" nocase wide ascii
+
+ $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" nocase wide ascii
+
+ $c = "barjuok.ryongnamsan.edu.kp" nocase wide ascii
+
+ $d = "C:\\SoftwaresInstall\\soft" nocase wide ascii
+
+ $e = "C:\\Windows\\Sys64\\intelservice.exe" nocase wide ascii
+
+ $f = "C:\\Windows\\Sys64\\updater.exe" nocase wide ascii
+
+ $g = "C:\\Users\\Jawhar\\documents\\" nocase wide ascii
+
+ condition:
+
+ any of them
+
+}