Block STOP DJVU Process

Hello,

I want to block STOP DJVU using an EEI rule set.

Let's say they are using this command:

C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe\ --Admin IsNotAutoStart IsNotTask

and the executable is

C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe

Maybe C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe is random.

So I created the rule set like this:

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <severity>warning</severity>
    <definition>
        <process>
            <operator type="AND">
                <condition component="FileItem" property="Extension" condition="is" value="exe" />
                <operator type="AND">
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
                    <operator type="OR">
                        <!-- any one of the three STOP DJVU arguments on its own ... -->
                        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
                        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
                        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
                        <!-- ... or a low-reputation, untrusted-signature binary not marked safe in the enterprise -->
                        <operator type="AND">
                            <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
                            <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
                            <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
                        </operator>
                    </operator>
                </operator>
            </operator>
        </process>
    </definition>
    <description>
        <name>STOP DJVU Process</name>
        <explanation>
            This is stop djvu encryption process. This file is payload dropper for encryption process STOP DJVU Ransomware.
        </explanation>
        <maliciousCauses>
        </maliciousCauses>
        <category>
            Default
        </category>
        <recommendedActions>
             [remediation:kill]
             [remediation:block] 
        </recommendedActions>
    </description>
    <actions>
        <action name="BlockProcessExecutable" />
        <action name="BlockParentProcessExecutable" />
        <action name="CleanAndBlockProcessExecutable" />
    </actions>
</rule>

The second one blocks the process when this command is executed:

command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)
command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)

So I created this:

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <severity>warning</severity>
    <definition>
        <process>
            <operator type="AND">
                <!-- icacls.exe invoked with the exact /deny arguments seen in the quoted command -->
                <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
            </operator>
        </process>
    </definition>
    <description>
        <name>STOP DJVU icacls Process</name>
        <explanation>
            This is stop djvu process use icacls process
        </explanation>
        <maliciousCauses>
        </maliciousCauses>
        <category>
            Default
        </category>
        <recommendedActions>
             [remediation:kill]
             [remediation:block] 
        </recommendedActions>
    </description>
    <actions>
        <action name="BlockProcessExecutable" />
        <action name="BlockParentProcessExecutable" />
    </actions>
</rule>

And the third one creates a registry key with this data:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

data:\C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\701fd32c8bd585ae93d7e2d6.exe\ --AutoStart

But I still don't know how to create it.

My questions are:

  1. Is the rule set effective for STOP DJVU ransomware? If not, is there another way?
  2. How do I create a rule set for the registry in the third one for the DJVU process?
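The following is an added example, not code from the post above and not ESET Inspect rule syntax: it models the three behaviours the post describes (the dropped payload with its `--Admin IsNotAutoStart IsNotTask` arguments, the `icacls /deny` call, and the `SysHelper` Run-key value) as plain Python check functions and runs them over constructed sample telemetry built from the paths quoted in the post plus one benign event of each kind. The event classes, rule functions, reputation scale and benign samples are all assumptions made for the illustration.

```python
"""Defender-side model of the three STOP/DJVU behaviours from the post, evaluated
over constructed sample telemetry. Illustrative Python only; the event fields,
rule functions and sample records are assumptions, not ESET Inspect syntax."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image_path: str
    command_line: str
    reputation: int = 9          # assumed LiveGrid-style score, 1 (worst) .. 9 (best)
    signature_trusted: bool = True
    enterprise_safe: bool = False


@dataclass
class RegistryEvent:
    key: str
    value_name: str
    data: str


# Argument string quoted in the post for the dropped payload.
DJVU_ARGS = ("--Admin", "IsNotAutoStart", "IsNotTask")
# icacls argument quoted in the post: deny Everyone (S-1-1-0) delete rights on the folder.
ICACLS_DENY = "deny *S-1-1-0:(OI)(CI)(DE,DC)"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# GUID-named folder under AppData\Local followed by an .exe, as in the Run-key data quoted above.
GUID_DIR_EXE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\[^\\\"]+\.exe",
    re.IGNORECASE,
)


def rule1_process(ev: ProcessEvent) -> bool:
    """Same logic as the first posted rule: .exe AND full argument string AND
    (any single argument OR unsigned low-reputation binary not marked safe)."""
    if not ev.image_path.lower().endswith(".exe"):
        return False
    if " ".join(DJVU_ARGS) not in ev.command_line:
        return False
    any_arg = any(arg in ev.command_line for arg in DJVU_ARGS)
    low_rep_unsigned = (ev.reputation < 8
                        and not ev.signature_trusted
                        and not ev.enterprise_safe)
    return any_arg or low_rep_unsigned


def rule2_icacls(ev: ProcessEvent) -> bool:
    """Same logic as the second posted rule: icacls with the quoted /deny arguments."""
    image_name = ev.image_path.rsplit("\\", 1)[-1].lower()
    return image_name == "icacls.exe" and ICACLS_DENY in ev.command_line


def rule3_run_key(ev: RegistryEvent) -> bool:
    r"""Run-key persistence from the third behaviour: a value under HKCU\...\Run whose
    data points at an .exe in a GUID-named AppData\Local folder with --AutoStart."""
    in_run_key = ev.key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX)
    return (in_run_key
            and "--AutoStart" in ev.data
            and GUID_DIR_EXE.search(ev.data) is not None)


def evaluate(processes, registry_events):
    """Return (rule name, subject) pairs for every event a rule matches."""
    hits = []
    for ev in processes:
        if rule1_process(ev):
            hits.append(("STOP DJVU Process", ev.image_path))
        if rule2_icacls(ev):
            hits.append(("STOP DJVU icacls Process", ev.image_path))
    for ev in registry_events:
        if rule3_run_key(ev):
            hits.append(("STOP DJVU Run key", ev.key + "\\" + ev.value_name))
    return hits


# Constructed sample telemetry: the paths quoted in the post plus one benign event each.
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe",
                 r'"C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe" '
                 r'--Admin IsNotAutoStart IsNotTask',
                 reputation=2, signature_trusted=False),
    ProcessEvent(r"C:\Windows\System32\icacls.exe",
                 r'icacls "C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\" '
                 r'/deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]
SAMPLE_REGISTRY = [
    RegistryEvent(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "SysHelper",
                  r'"C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522'
                  r'\701fd32c8bd585ae93d7e2d6.exe" --AutoStart'),
    RegistryEvent(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater",
                  r'"C:\Program Files\Vendor\updater.exe" /background'),
]

if __name__ == "__main__":
    for name, subject in evaluate(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        print(f"{name}: {subject}")
```

Running the script lists one hit per rule for the three malicious samples and none for the benign ones. Two things the model makes visible: `rule1_process` matches a trusted, high-reputation binary just as readily as an unsigned one, because once the full `--Admin IsNotAutoStart IsNotTask` string is required, every branch of the inner OR is already satisfied and the reputation/signature branch never narrows the match; and `rule3_run_key` keys on the shape of the Run-key data (GUID folder under `AppData\Local`, `.exe`, `--AutoStart`) rather than on the `SysHelper` value name alone, so a renamed value with the same data still triggers.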