GoodMorning Ransomware

I would like to suggest to you the rules from any.run. Is it okay if the name is their name? I just have them now.
Link to sample:

where it sends one GET request.
Exfiltration was not found, perhaps it is in the encoded text, although a lot of data will not fit there. Tweet: https://twitter.com/Jane_0sint/status/1660916458447069184?s=20

alert http any any -> any any (msg:"ET [ANY.RUN] GoodMorning Ransomware"; flow:established,to_server; urilen:>1000; content:"_And_Netword_Drive_Size:"; http_uri; content:"_Encryption_Mode"; http_uri; distance:0; content:"GET"; http_method; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; metadata:malware_family GoodMorning_Ransomware, created_at 2023_05_21; sid:1; rev:1;)
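
An added offline check of the rule's matching logic (example code written for this page, not ANY.RUN's or Emerging Threats' code): it re-implements the rule's keyword conditions in Python and runs them against constructed HTTP requests, so the detection logic, including the negated User-Agent match, can be reasoned about and unit-tested before the rule reaches a sensor. The request strings are constructed, not captured traffic; the flow:established,to_server condition and Suricata's http_uri normalization are not modeled.

```python
"""Offline re-implementation of the GoodMorning ransomware rule's conditions.

Added example for this thread, not ANY.RUN or ET code. The content strings
are taken from the rule posted above; the HTTP requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Conditions lifted from the posted rule.
URI_MIN_LEN = 1000                                               # urilen:>1000
URI_CONTENTS = ["_And_Netword_Drive_Size:", "_Encryption_Mode"]  # http_uri, distance:0
HTTP_METHOD = "GET"                                              # content:"GET"; http_method
FORBIDDEN_HEADER = "User-Agent"                                  # content:!"User-Agent|3a|"; http_header


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return HttpRequest(method, uri, headers)


def rule_matches(req: HttpRequest) -> Tuple[bool, List[str]]:
    """Return (matched, failed_conditions) for the rule's keyword logic."""
    failed: List[str] = []
    if req.method != HTTP_METHOD:
        failed.append("http_method != GET")
    if len(req.uri) <= URI_MIN_LEN:
        failed.append("urilen <= 1000")
    # Ordered content matches: distance:0 means the second string must start
    # anywhere at or after the end of the first match.
    first = req.uri.find(URI_CONTENTS[0])
    if first < 0:
        failed.append("missing " + URI_CONTENTS[0])
    elif req.uri.find(URI_CONTENTS[1], first + len(URI_CONTENTS[0])) < 0:
        failed.append("missing ordered " + URI_CONTENTS[1])
    # Negated header match; content is case-sensitive by default (no nocase),
    # so the header name is compared exactly as the rule spells it.
    if FORBIDDEN_HEADER in req.headers:
        failed.append("User-Agent header present")
    return (not failed, failed)


# Constructed requests (not real beacons). Padding pushes the URI past 1000 bytes.
_PADDING = "A" * 1000
MATCHING_REQUEST = (
    "GET /" + _PADDING + "_And_Netword_Drive_Size:42_Encryption_Mode:1 HTTP/1.1\r\n"
    "Host: example.invalid\r\n\r\n"
)
# Same URI but a browser-style User-Agent is present, so the rule must not fire.
BENIGN_REQUEST = (
    "GET /" + _PADDING + "_And_Netword_Drive_Size:42_Encryption_Mode:1 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
# Both content strings, but the URI is far too short for the urilen check.
SHORT_REQUEST = (
    "GET /_And_Netword_Drive_Size:42_Encryption_Mode:1 HTTP/1.1\r\n"
    "Host: example.invalid\r\n\r\n"
)


if __name__ == "__main__":
    for label, raw in [("matching", MATCHING_REQUEST),
                       ("benign", BENIGN_REQUEST),
                       ("short", SHORT_REQUEST)]:
        matched, failed = rule_matches(parse_request(raw))
        print(f"{label}: matched={matched} failed={failed}")
```

The three constructed requests isolate each condition: the first satisfies everything, the second differs only by carrying a User-Agent header (the rule is keyed on its absence), and the third carries both content strings in order but fails urilen.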

Hey there @Jane0sint!

Thanks for sharing!

Is it okay if the name is their name?

This is no problem at all! The message in the published rule will read ET MALWARE [ANY.RUN] GoodMorning Ransomware CnC Activity

I’ve got this added to go out in today’s release! I’ll update this message once the SID has been assigned.

** Assigned sid is: 2045821

Thanks again! Also, it's great to see that you ended up over with Any.Run! Very exciting!

-Brandon

According to updated data, the ransomware is a variant of Void. https://twitter.com/rivitna2/status/1661111372128591878?s=20

Sounds good. I'll get the msg updated in tomorrow's release!

Another clarification in the naming of the rules, thanks to the community. Now it's RUCU64 :)

Guys, you are the best!

Thanks Jane! Will take a look and get any updates out for today's release.

JT

I noticed that the family was not changed in rule 2045821:
malware_family Void_Ransomware,
Let’s change to RUCU64.
Jane

Done. This will reflect in today’s release. Thanks!