Aleks Super Contributor.

SOC_Prime_WannaCry_Ransomware_Worm_Detector_1.4.arb

subindbabu Honored Contributor.

Re: SOC_Prime_WannaCry_Ransomware_Worm_Detector_1.4.arb

Hi Aleks,

As checked, the update on 1.4 included the latest IOCs. If I install this .arb, will I need to redo my previous customized configuration on the same rule?

--SUBIN--
subindbabu Honored Contributor.

Re: SOC_Prime_WannaCry_Ransomware_Worm_Detector_1.4.arb

Can you please give only the latest IOC list? This will be helpful for us to update the corresponding Active Lists.

--SUBIN--
Aleks Super Contributor.

Re: SOC_Prime_WannaCry_Ransomware_Worm_Detector_1.4.arb

Hi Subin,

I just added hostnames of known WannaCry sites, created one more list, "WannaCry Hostnames", and added a condition to the rule. And yes, your filters and conditions will be reset to default. You can back up your conditions and actions to a new rule and, after the upgrade, copy them back to the rules in the updated package.

See the screenshot for what has changed:

HostName,C2Source,Comments
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com,,Kill-switch domains
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com,,Kill-switch domains
57g7spgrzlojinas.onion,,C2 server
76jdd2ir2embyv47.onion,,C2 server
cwwnhwhlz52ma.onion,,C2 server
gx7ekbenv2riucmf.onion,,C2 server
sqjolphimrr7jqw6.onion,,C2 server
xxlvbrloxvriy2c5.onion,,C2 server

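Added example, not part of the thread or of the SOC Prime package: a Python sketch of the hostname-list condition described in the post above, run over DNS query log lines to show which clients hit a listed name. The log format, the normalization and the parent-domain matching are assumptions of this example; the list rows are a subset of those posted above.

```python
import csv
import io

# Subset of the rows posted above (HostName,C2Source,Comments).
HOSTNAME_LIST = """\
HostName,C2Source,Comments
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com,,Kill-switch domains
gx7ekbenv2riucmf.onion,,C2 server
"""

# Constructed log lines; "<timestamp> <client_ip> <queried_name>" is an assumed format.
SAMPLE_LOG = [
    "2017-05-15T09:12:01Z 10.0.4.21 WWW.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.COM.",
    "2017-05-15T09:12:03Z 10.0.4.22 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.example.net",
    "2017-05-15T09:12:07Z 10.0.7.5 gx7ekbenv2riucmf.onion",
    "truncated-line",
]

def normalize(host):
    """Lowercase, drop the trailing dot and a leading 'www.' so variants compare equal."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def load_list(text):
    """Return {normalized hostname: comment} from the CSV list."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize(r["HostName"]): r["Comments"] for r in rows}

def match(queried, watch):
    """Return the listed name equal to, or a parent domain of, the queried name."""
    labels = normalize(queried).split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((c for c in candidates if c in watch), None)

def scan(log_lines, watch):
    """Return (client_ip, queried_name, comment) for every log line that hits the list."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the run
        hit = match(parts[2], watch)
        if hit:
            hits.append((parts[1], parts[2], watch[hit]))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, load_list(HOSTNAME_LIST)))
```

The second sample line carries a listed name only as a prefix of another domain and is not reported, because matching walks parent domains from the right instead of searching for a substring.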
subindbabu Honored Contributor.

Re: SOC_Prime_WannaCry_Ransomware_Worm_Detector_1.4.arb

I have just edited and added hostnames in the above-mentioned rule.

--SUBIN--
tugcekrky1 Frequent Contributor.

Re: SOC_Prime_WannaCry_Ransomware_Worm_Detector_1.4.arb

Hi Alex,

This is very helpful to play with our resources for tracing WannaCry. I have just modified the filters and defined our exceptions. It is going well. I will look forward to hearing any updates from you.

Thank you so much!

Tugce

Aleks Super Contributor.

Re: SOC_Prime_WannaCry_Ransomware_Worm_Detector_1.4.arb

Hi Tugce,

Thank you for your feedback. I really appreciate it.

In case you have any questions, please look at the description of the rules here:
