Contact us Buy Me a Coffee

Sponsored by Hudson Rock Use Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are leading to ransomware attacks

YARA Rule: WannCry_m_vbs.yar

Group: Wannacry
Valid Rule

rule WannCry_m_vbs
{
	meta:
		description = "Detects WannaCry Ransomware VBS"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://goo.gl/HG2j5T"
		date = "2017-05-12"
		hash1 = "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b"
		id = "a8f13bd2-984d-5c8c-ac53-7d442e222850"

	strings:
		$x1 = ".TargetPath = \"C:\\@" ascii
		$x2 = ".CreateShortcut(\"C:\\@" ascii
		$s3 = " = WScript.CreateObject(\"WScript.Shell\")" ascii

	condition:
		( uint16( 0 ) == 0x4553 and filesize < 1KB and all of them )
}