Strings decoded from the newer version of #EKANS ransomware.
import re
import sys
import pefile
import struct
import binascii
Strings decoded from the newer version of #EKANS ransomware.
import re
import sys
import pefile
import struct
import binascii
#Source Blog Post
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
---
#Yara Rules
---
rule WinntiLinux_Dropper : azazel_fork | |
{ | |
meta: | |
desc = "Detection of Linux variant of Winnti" |
Windows version: | |
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
Users who have authed to the system: | |
ls C:\Users\ | |
System env variables: | |
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
Saved outbound RDP connections: |
$> brew install openssl | |
$> brew install swig | |
$> env LDFLAGS="-L$(brew --prefix openssl)/lib" \ | |
CFLAGS="-I$(brew --prefix openssl)/include" \ | |
SWIG_FEATURES="-cpperraswarn -includeall -I$(brew --prefix openssl)/include" \ | |
pip install m2crypto |
#!/bin/bash | |
(strings -a -td "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 A \2/' ; strings -a -td -el "$@" | sed 's/^\(\s*[0-9][0-9]*\) \(.*\)$/\1 W \2/') | sort -n |