Skip to content

Commit

Permalink
Merge branch 'cactus-ransomware' into 'master'
Browse files Browse the repository at this point in the history 
New Query: Cactus Ransomware Mutex

See merge request malware-team/osquery_queries!321
  • Loading branch information
@cmarczew
cmarczew committed Aug 23, 2024
2 parents 970639e + c32047c commit ad615e1
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 0 deletions.
9 changes: 9 additions & 0 deletions packs/win_malware.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -415,6 +415,15 @@
"windows"
]
},
"cactus_ransomware_mutex": {
"query": "SELECT object_name, object_type FROM winbaseobj WHERE object_type='Mutant' AND object_name LIKE '%cAcTuS'",
"interval": 86400,
"snapshot": true,
"description": "A mutex associated with Cactus ransomware was detected. Cactus is a ransomware operation that began to rise to prominence in late 2023. Threat Actors using Cactus have demanded payment to recover the encrypted files and threaten public disclosure of stolen files if victims do not pay.",
"platform": [
"windows"
]
},
"malware_njrat_filepath": {
"query": "SELECT key, path, name, data, datetime(mtime, 'unixepoch', 'UTC') as last_modified FROM registry WHERE key LIKE 'HKEY_USERS\\%\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN' AND name LIKE regex_match(name, '[a-f0-9]{32}', 0) AND data LIKE regex_match(data, '.*\\\\AppData\\\\Local\\\\Temp\\\\(svchost|system)\\.exe', 0); ",
"interval": 86400,
Expand Down
14 changes: 14 additions & 0 deletions win_malware/cactus_ransomware_mutex.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
cactus_ransomware_mutex:
query: 'SELECT object_name, object_type FROM winbaseobj WHERE object_type="Mutant" AND object_name LIKE "%cAcTuS"'
interval: 86400
snapshot: true
description: A mutex associated with Cactus ransomware was detected. Cactus is a ransomware operation that began to rise to prominence in late 2023. Threat Actors using Cactus have demanded payment to recover the encrypted files and threaten public disclosure of stolen files if victims do not pay.
references:
- https://www.shadowstackre.com/analysis/cactus
- https://www.virustotal.com/gui/file/c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a
mitre_tactics:
- Impact: TA0040
mitre_techniques:
- Data Encrypted for Impact: T1486
platform:
- windows

0 comments on commit ad615e1

Please sign in to comment.