I would like to suggest you the rules from any.run. Is it okay if the name is their name? I just have them now.
Link to sample:
where it sends one GET request.
Exfiltration was not found, perhaps it is in the encoded text, although a lot of data will not fit there. Tweet: https://twitter.com/Jane_0sint/status/1660916458447069184?s=20
alert http any any → any any (msg: “ET [ANY.RUN] GoodMorning Ransomware”;flow: established, to_server; urilen: >1000; content: “_And_Netword_Drive_Size:”; http_uri; content: “_Encryption_Mode”; http_uri; distance: 0; content: “GET”; http_method; content:!“User-Agent|3a|”; http_header; classtype: trojan-activity; metadata: malware_family GoodMorning_Ransomware, created_at 2023_05_21; sid: 1; rev: 1;)
Hey there @Jane0sint!
Thanks for sharing!
Is it okay if the name is their name?
This is no problem at all! The message in the published rule will read
ET MALWARE [ANY.RUN] GoodMorning Ransomware CnC Activity
I’ve got this added to go out in today’s release! I’ll update this message once the SID has been assigned.
** Assigned sid is: 2045821
Thanks again! Also, it’s great to see that you ended up over with Any.Run! Very exicting!
According to updated data, ransomware is a variant of void. https://twitter.com/rivitna2/status/1661111372128591878?s=20
Sounds good. I’ll get the msg updated in tomorrow release!
Another clarification, in the naming of the rules, thanks to the community. Now it’s RUCU64:)
Guys, you are the best!
Thanks Jane! Will take a look and get any updates out for todays release.
I noticed that the family was not changed in rule 2045821
Let’s change to RUCU64.
Done. This will reflect in today’s release. Thanks!