ESET Online Help


Working with command line

Sometimes, filecoder malware uses a legitimate program to encrypt and delete user files. The RAR archiver can be such a program, so we want to create a rule that monitors execution of the RAR archiver with the specific parameters used to encrypt the archive and delete the source files.

Rules

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <body>
    <name>RAR encrypts and deletes files [B0601]</name>
    <severity>Warning</severity>
    <process>
      <operator type="AND">
        <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="rar" />
        <operator type="AND">
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-p" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-hp" />
          </operator>
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-df" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-dw" />
          </operator>
        </operator>
      </operator>
    </process>
  </body>
</rule>

Things to notice in the rule example above:

1. The CommandLine property is used with the contains condition to match only the specific parameters of interest and leave the rest of the command line arbitrary.

2. Conditions are combined with the logical operators OR and AND to achieve the desired outcome: the process must be rar, it must use an encryption switch (-p or -hp), and it must use a delete switch (-df or -dw).
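To see how the two points above play out, here is an added example (not part of this help page and not ESET's own rule engine): a small Python model that parses the rule grammar shown above (nested operator elements of type AND/OR and condition elements) and evaluates the rule against a handful of constructed process events. The matching semantics are assumptions made for the demo: "is" compares the whole value case-insensitively, and "contains" is a case-sensitive substring test over the full command line. The image paths and command lines are constructed, not real telemetry.

```python
"""Model of how the RAR rule above is evaluated against process events.

Added example, not ESET's own engine. Assumed semantics: "is" compares the
whole value case-insensitively; "contains" is a substring test on the
full command line. Sample events are constructed for this demo.
"""
import ntpath
import xml.etree.ElementTree as ET

RULE_XML = """<?xml version="1.0" encoding="utf-8"?>
<rule>
  <body>
    <name>RAR encrypts and deletes files [B0601]</name>
    <severity>Warning</severity>
    <process>
      <operator type="AND">
        <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="rar" />
        <operator type="AND">
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-p" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-hp" />
          </operator>
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-df" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-dw" />
          </operator>
        </operator>
      </operator>
    </process>
  </body>
</rule>"""


def process_event(image_path, command_line):
    """Build the two fields the rule reads, keyed by (component, property)."""
    stem = ntpath.splitext(ntpath.basename(image_path))[0]
    return {
        ("FileItem", "FileNameWithoutExtension"): stem,
        ("ProcessInfo", "CommandLine"): command_line,
    }


def evaluate(node, event):
    """Recursively evaluate an <operator> or <condition> element against an event."""
    if node.tag == "operator":
        results = [evaluate(child, event) for child in node]
        if node.get("type") == "AND":
            return all(results)
        if node.get("type") == "OR":
            return any(results)
        raise ValueError(f"unsupported operator type {node.get('type')!r}")
    if node.tag == "condition":
        actual = event.get((node.get("component"), node.get("property")), "")
        expected, kind = node.get("value"), node.get("condition")
        if kind == "is":          # assumed: exact, case-insensitive comparison
            return actual.lower() == expected.lower()
        if kind == "contains":    # assumed: case-sensitive substring test
            return expected in actual
        raise ValueError(f"unsupported condition {kind!r}")
    raise ValueError(f"unexpected element <{node.tag}>")


def load_rule(xml_text):
    """Return (name, severity, root operator) from a rule document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    process = root.find("body/process")
    if process is None or len(process) != 1:
        raise ValueError("expected exactly one root element under <process>")
    return root.findtext("body/name"), root.findtext("body/severity"), process[0]


def rule_matches(xml_text, image_path, command_line):
    """True if the rule's condition tree fires for this process event."""
    _name, _severity, tree = load_rule(xml_text)
    return evaluate(tree, process_event(image_path, command_line))


RAR = r"C:\Program Files\WinRAR\Rar.exe"          # constructed path
SAMPLE_EVENTS = {  # constructed for this example; not real telemetry
    "rar_p_df": (RAR, r"Rar.exe a -pSecret -df C:\Temp\out.rar C:\Users\alice\Documents\*"),
    "rar_hp_dw": (RAR, r"Rar.exe a -hpSecret -dw C:\Temp\out.rar C:\Users\alice\Documents\*"),
    "rar_plain": (RAR, r"Rar.exe a C:\Temp\out.rar C:\Users\alice\Documents\*"),
    "rar_hp_only": (RAR, r"Rar.exe a -hpSecret C:\Temp\out.rar C:\Users\alice\Documents\*"),
    # GUI binary: FileNameWithoutExtension is "WinRAR", so the "is rar" condition fails
    "winrar_gui": (r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe a -pSecret -df C:\Temp\out.rar C:\Users\alice\Documents\*"),
    # no password switch, but "-p" occurs inside a folder name: substring match fires anyway
    "rar_path_fp": (RAR, r"Rar.exe a -df C:\Temp\out.rar C:\Users\alice\my-project\*"),
}


def run_samples():
    """Map each sample label to whether the rule fires for it."""
    return {label: rule_matches(RULE_XML, path, cmd) for label, (path, cmd) in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    name, severity, _ = load_rule(RULE_XML)
    for label, fired in run_samples().items():
        print(f"{label:12} -> {severity + ': ' + name if fired else 'no match'}")
```

Two of the sample results are worth a second look when tuning a rule like this. The WinRAR.exe event does not fire because "is" demands an exact name, so only the console rar binary is covered. The last event fires without any password switch because "contains" looks at the whole command line and "-p" also occurs inside the folder name my-project; in this model, narrowing the value or adding conditions is what keeps such substring hits from becoming noise.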