Yara Rules for Ransomware group  zeppelin

/*
Zeppelin / Buran ransomware
*/


rule Zeppelin
{
    meta:
        author = "rivitna"
        family = "ransomware.zeppelin.windows"
        description = "Zeppelin / Buran ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $s0 = "\x09TZeppelin" ascii
        $s1 = "\x07TKeyObj" ascii
        $s2 = "\x07TReadme" ascii
        $s3 = "\x0FTExcludeFolders" ascii
        $s4 = "\x0DTExcludeFiles" ascii
        $s5 = "\x09TSearcher" ascii
        $s6 = "\x0BTTaskKiller" ascii
        $s7 = "\x10TDrivesAndShares" ascii
        $s8 = "\x00!!! D !!!" ascii
        $s9 = "\x00!!! LOCALPUBKEY !!!" ascii
        $s10 = "\x00!!! ENCLOCALPRIVKEY !!!" ascii

        $h0 = { 80 38 00 74 0C BE 00 00 10 00 BB 00 00 01 00 EB 0A
                BE 00 00 04 00 BB 00 40 00 00 }
        $h1 = { 0F B7 C0 A3 [4] 81 3D [4] 22 04 00 00 74 24
                81 3D [4] 23 04 00 00 74 18 81 3D [4] 19 04 00 00
                74 0C 81 3D [4] 3F 04 00 00 75 }
        $h2 = { A3 [4] 83 3D [4] 07 74 18 81 3D [4] 77 01 00 00
                74 0C 81 3D [4] 7C 01 00 00 75 }
        $h3 = { E8 [3] FF 3D 6F A8 3D 2F 0F 94 45 }
        $h4 = "8D9A1F76-A705-426D-8722-CCD4F4263E2C" ascii

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            (4 of ($s*)) and (1 of ($h*))
        )
}