GoodMorning Ransomware

Jane0sint · May 23, 2023, 8:35am

I would like to suggest you the rules from any.run. Is it okay if the name is their name? I just have them now.
Link to sample:

where it sends one GET request.
Exfiltration was not found, perhaps it is in the encoded text, although a lot of data will not fit there. Tweet: https://twitter.com/Jane_0sint/status/1660916458447069184?s=20

alert http any any → any any (msg: “ET [ANY.RUN] GoodMorning Ransomware”;flow: established, to_server; urilen: >1000; content: “_And_Netword_Drive_Size:”; http_uri; content: “_Encryption_Mode”; http_uri; distance: 0; content: “GET”; http_method; content:!“User-Agent|3a|”; http_header; classtype: trojan-activity; metadata: malware_family GoodMorning_Ransomware, created_at 2023_05_21; sid: 1; rev: 1;)

bmurphy · May 23, 2023, 4:56pm

Hey there @Jane0sint!

Thanks for sharing!

Is it okay if the name is their name?

This is no problem at all! The message in the published rule will read ET MALWARE [ANY.RUN] GoodMorning Ransomware CnC Activity

I’ve got this added to go out in today’s release! I’ll update this message once the SID has been assigned.

** Assigned sid is: 2045821

Thanks again! Also, it’s great to see that you ended up over with Any.Run! Very exicting!

-Brandon

Jane0sint · May 23, 2023, 9:10pm

According to updated data, ransomware is a variant of void. https://twitter.com/rivitna2/status/1661111372128591878?s=20

bmurphy · May 23, 2023, 10:36pm

Sounds good. I’ll get the msg updated in tomorrow release!