GoodMorning Ransomware

I would like to suggest to you the rules from Is it okay if the name is their name? I just have them now.
Link to sample:

where it sends one GET request.
Exfiltration was not found; perhaps it is in the encoded text, although a lot of data will not fit there. Tweet:

alert http any any -> any any (msg:"ET [ANY.RUN] GoodMorning Ransomware"; flow:established,to_server; urilen:>1000; content:"_And_Netword_Drive_Size:"; http_uri; content:"_Encryption_Mode"; http_uri; distance:0; content:"GET"; http_method; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; metadata:malware_family GoodMorning_Ransomware, created_at 2023_05_21; sid:1; rev:1;)


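To see how the rule's keywords combine, here is a small Python model of its matching logic that can be run against constructed HTTP requests offline. This is an added example, not code from the thread or from ANY.RUN/Emerging Threats; the request lines are constructed samples, and the flow:established,to_server condition is not modelled.

```python
# Added example: a minimal model of the GoodMorning Ransomware rule's
# content/urilen/http_method/http_header checks. Constructed input only.

URI_MARKER_1 = b"_And_Netword_Drive_Size:"  # content:"..."; http_uri
URI_MARKER_2 = b"_Encryption_Mode"          # second http_uri content, distance:0


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def rule_matches(raw: bytes) -> bool:
    """Return True only if every keyword of the rule is satisfied."""
    method, uri, headers, _body = parse_request(raw)
    if method != b"GET":            # content:"GET"; http_method
        return False
    if len(uri) <= 1000:            # urilen:>1000
        return False
    first = uri.find(URI_MARKER_1)  # first http_uri content
    if first < 0:
        return False
    # distance:0 -> second content must begin at or after the end of the first
    if uri.find(URI_MARKER_2, first + len(URI_MARKER_1)) < 0:
        return False
    if b"user-agent" in headers:    # content:!"User-Agent|3a|"; http_header
        return False
    return True


def build_request(uri: bytes, user_agent: bytes = b"") -> bytes:
    """Construct a minimal GET request (test helper, not real traffic)."""
    hdrs = [b"GET " + uri + b" HTTP/1.1", b"Host: example.invalid"]
    if user_agent:
        hdrs.append(b"User-Agent: " + user_agent)
    return b"\r\n".join(hdrs) + b"\r\n\r\n"


# Constructed samples: a long beacon-like URI with both markers in order and
# no User-Agent should match; the other three each break one condition.
PADDING = b"A" * 1100
MATCHING = build_request(b"/" + URI_MARKER_1 + b"1024" + PADDING + URI_MARKER_2 + b"=full")
WITH_UA = build_request(b"/" + URI_MARKER_1 + PADDING + URI_MARKER_2, b"curl/8.0")
SHORT = build_request(b"/" + URI_MARKER_1 + URI_MARKER_2)
REVERSED = build_request(b"/" + URI_MARKER_2 + PADDING + URI_MARKER_1)
```

The REVERSED sample shows why distance:0 matters: both strings are present, but the rule only fires when _Encryption_Mode follows the drive-size marker.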
Hey there @Jane0sint!

Thanks for sharing!

Is it okay if the name is their name?

This is no problem at all! The message in the published rule will read ET MALWARE [ANY.RUN] GoodMorning Ransomware CnC Activity

I’ve got this added to go out in today’s release! I’ll update this message once the SID has been assigned.

Assigned sid is: 2045821

Thanks again! Also, it’s great to see that you ended up over with Any.Run! Very exciting!


According to updated data, the ransomware is a variant of Void.


Sounds good. I’ll get the msg updated in tomorrow’s release!