Yara Rule - Detects forensic artifacts found in LockBit intrusions

Yara definition.


Author: Florian Roth

https://objective-see.org/blog/blog_0x75.html

```yara
// --- rule 1: meta and strings ---
date = "2023-04-17"
score = 75
$xe1 = "-i '/path/to/crypt'" xor
$xe2 = "http://lockbit" xor
$s1 = "idelayinmin" ascii
$s2 = "bVMDKmode" ascii
$s3 = "bSelfRemove" ascii
$s4 = "iSpotMaximum" ascii
$fp1 = "<html"

// --- rule 2: meta and strings ---
date = "2023-04-17"
score = 75
$s1 = " is encrypted. Checksum after encryption "
$s2 = "~~~~~Hardware~~~~"
$s3 = "[+] Add directory to encrypt: "
$s4 = "][+] Launch parameters: "

// --- rule 3: meta and strings ---
date = "2023-04-17"
score = 75
$x1 = "/tmp/locker.log" ascii fullword
$x2 = "Executable=LockBit/locker_" ascii
$xc1 = { 54 6F 72 20 42 72 6F 77 73 65 72 20 4C 69 6E 6B 73 3A 0D 0A 68 74 74 70 3A 2F 2F 6C 6F 63 6B 62 69 74 }
```
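The strings above rely on several YARA string modifiers (`xor`, `ascii`, `fullword`) and one hex string. The following is an added example, not code from the signature-base repository or the linked post: a small pure-Python emulation of those modifiers, run over constructed sample buffers, so it is visible what each one matches and why the `xor` modifier also catches obfuscated copies of `http://lockbit`. The sample buffers, the 0x5A key and the `<onion-placeholder>` text are all made up for the demonstration.

```python
"""
Added example (not the signature-base rule's own code): emulate the YARA string
modifiers used in the LockBit rule.

  * xor      - YARA tries every single-byte XOR key (0x00-0xff by default), so
               the rule also hits a copy of the string that was XOR-obfuscated.
  * ascii    - plain byte sequence (the default when no modifier is given).
  * fullword - the match must be bounded by non-alphanumeric bytes.
  * hex      - `{ 54 6F .. }` is a byte pattern; `??` is a wildcard byte.
"""
from typing import Dict, List, Optional, Tuple

# Strings as they appear in the rule on the page, grouped by modifier.
XOR_STRINGS = {"$xe1": b"-i '/path/to/crypt'", "$xe2": b"http://lockbit"}
ASCII_STRINGS = {
    "$s1": b"idelayinmin", "$s2": b"bVMDKmode",
    "$s3": b"bSelfRemove", "$s4": b"iSpotMaximum",
}
FULLWORD_STRINGS = {"$x1": b"/tmp/locker.log"}
HEX_STRINGS = {"$xc1": "{ 54 6F 72 20 42 72 6F 77 73 65 72 20 4C 69 6E 6B 73 3A "
                       "0D 0A 68 74 74 70 3A 2F 2F 6C 6F 63 6B 62 69 74 }"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor(buf: bytes, pattern: bytes) -> Optional[Tuple[int, int]]:
    """Emulate the `xor` modifier: try keys 0x00..0xff, return (offset, key)
    of the first hit, or None. Key 0x00 is the unobfuscated string."""
    for key in range(256):
        off = buf.find(xor_bytes(pattern, key))
        if off != -1:
            return off, key
    return None


def find_fullword(buf: bytes, pattern: bytes) -> Optional[int]:
    """Emulate `fullword`: the bytes just before and after the match must not
    be alphanumeric (bytes.isalnum() is ASCII-only, matching YARA's notion)."""
    start = 0
    while True:
        off = buf.find(pattern, start)
        if off == -1:
            return None
        before = buf[off - 1:off] if off > 0 else b""
        after = buf[off + len(pattern):off + len(pattern) + 1]
        if not before.isalnum() and not after.isalnum():
            return off
        start = off + 1


def parse_hex_string(text: str) -> List[Optional[int]]:
    """Parse a YARA hex string like '{ 54 6F ?? 20 }' into byte values, with
    None for the `??` wildcard. Jumps such as [2-4] are not handled here."""
    out: List[Optional[int]] = []
    for tok in text.strip().strip("{}").split():
        out.append(None if tok == "??" else int(tok, 16))
    return out


def find_hex(buf: bytes, pattern: List[Optional[int]]) -> Optional[int]:
    """Scan for a parsed hex pattern, treating None as a wildcard byte."""
    n = len(pattern)
    for off in range(len(buf) - n + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pattern)):
            return off
    return None


def scan(buf: bytes) -> Dict[str, dict]:
    """Report which of the rule's strings match in `buf` (no rule condition is
    evaluated here, only the per-string matching)."""
    hits: Dict[str, dict] = {}
    for name, pat in XOR_STRINGS.items():
        r = find_xor(buf, pat)
        if r is not None:
            hits[name] = {"offset": r[0], "key": r[1]}
    for name, pat in ASCII_STRINGS.items():
        off = buf.find(pat)
        if off != -1:
            hits[name] = {"offset": off}
    for name, pat in FULLWORD_STRINGS.items():
        off = find_fullword(buf, pat)
        if off is not None:
            hits[name] = {"offset": off}
    for name, text in HEX_STRINGS.items():
        off = find_hex(buf, parse_hex_string(text))
        if off is not None:
            hits[name] = {"offset": off}
    return hits


# Constructed samples (not real malware bytes). The first hides the URL string
# under XOR key 0x5A and embeds the log path inside a longer name, which must
# NOT satisfy `fullword`; the second mimics a ransom-note fragment; the third
# is benign text that mentions a similar path.
SAMPLE_OBFUSCATED = (b"\x00" * 16 + xor_bytes(b"http://lockbit", 0x5A)
                     + b"\x00bVMDKmode\x00bSelfRemove\x00/tmp/locker.log2\x00")
SAMPLE_NOTE = b"~~~~~~~~Tor Browser Links:\r\nhttp://lockbit<onion-placeholder>\r\n"
SAMPLE_CLEAN = b"an unrelated blob mentioning /tmp/locker.logging and nothing else"

if __name__ == "__main__":
    for label, sample in [("obfuscated", SAMPLE_OBFUSCATED),
                          ("note", SAMPLE_NOTE), ("clean", SAMPLE_CLEAN)]:
        print(label, scan(sample))
```

Running it shows `$xe2` hit in the obfuscated sample with key 0x5A recovered, the same string hit in the note sample with key 0x00 (plaintext), `$xc1` matching the decoded "Tor Browser Links:" bytes, and `/tmp/locker.log` not firing when it is only a prefix of a longer name. The rule's `condition` block is not on the page, so the scanner reports per-string matches rather than a verdict.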


[https://github.com/Neo23x0/signature-base/commit/3d960adf35873ff2a2bcc19b6671af9a3ff22e21](https://github.com/Neo23x0/signature-base/commit/3d960adf35873ff2a2bcc19b6671af9a3ff22e21)