Jump to content

Block STOP DJVU Process


Recommended Posts

Hello,

i wanna block stop DJVU using EEI Rule Set

let's say they using this command

C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe\ --Admin IsNotAutoStart IsNotTask

and the executable

 C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe

maybe the C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe is random

so i create the ruleset like this

 

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <severity>warning</severity>
    <definition>
        <process>
            <operator type="AND">
                <condition component="FileItem" property="Extension" condition="is" value="exe" />
                <operator type="AND">
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
                    <operator type="OR">
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
                    <operator type="AND">
                        <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
                        <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
                        <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
                    </operator>
                    </operator>    
                </operator>
            </operator>
        </process>
    </definition>
    <description>
        <name>STOP DJVU Process</name>
        <explanation>
            This is stop djvu encryption process. This file is payload dropper for encryption process STOP DJVU Ransomware.
        </explanation>
        <maliciousCauses>
        </maliciousCauses>
        <category>
            Default
        </category>
        <recommendedActions>
             [remediation:kill]
             [remediation:block] 
        </recommendedActions>
    </description>
    <actions>
        <action name="BlockProcessExecutable" />
        <action name="BlockParentProcessExecutable" />
        <action name="CleanAndBlockProcessExecutable" />
    </actions>
</rule>

 

the second one block the process when this command executed

command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)
command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)

so i create this

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <severity>warning</severity>
    <definition>
        <process>
                <operator type="AND">
                    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
                </operator>    
        </process>
    </definition>
    <description>
        <name>STOP DJVU icacls Process</name>
        <explanation>
            This is stop djvu process use icacls process
        </explanation>
        <maliciousCauses>
        </maliciousCauses>
        <category>
            Default
        </category>
        <recommendedActions>
             [remediation:kill]
             [remediation:block] 
        </recommendedActions>
    </description>
    <actions>
        <action name="BlockProcessExecutable" />
        <action name="BlockParentProcessExecutable" />
    </actions>
</rule>

and the third one create registry key with this data

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper


 

data:\C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\701fd32c8bd585ae93d7e2d6.exe\ --AutoStart

but i still don't know how to create it.

 

my question is ?

  1. is the ruleset effective for stop djvu ransomware, if not is there another way ?
  2. how to create ruleset for registry in third one for djvu process
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...