Block STOP DJVU Process


Hello,

I want to block STOP DJVU using an EEI rule set.

Let's say they're using this command:

C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe\ --Admin IsNotAutoStart IsNotTask

and the executable:

 C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe

Maybe the C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe is random.

So I created the rule set like this:

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <severity>warning</severity>
    <definition>
        <process>
            <operator type="AND">
                <condition component="FileItem" property="Extension" condition="is" value="exe" />
                <operator type="AND">
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
                    <operator type="OR">
                        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
                        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
                        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
                        <operator type="AND">
                            <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
                            <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
                            <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
                        </operator>
                    </operator>
                </operator>
            </operator>
        </process>
    </definition>
    <description>
        <name>STOP DJVU Process</name>
        <explanation>
            This is stop djvu encryption process. This file is payload dropper for encryption process STOP DJVU Ransomware.
        </explanation>
        <maliciousCauses>
        </maliciousCauses>
        <category>
            Default
        </category>
        <recommendedActions>
            [remediation:kill]
            [remediation:block]
        </recommendedActions>
    </description>
    <actions>
        <action name="BlockProcessExecutable" />
        <action name="BlockParentProcessExecutable" />
        <action name="CleanAndBlockProcessExecutable" />
    </actions>
</rule>

The second one blocks the process when this command is executed:

command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)

So I created this:

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <severity>warning</severity>
    <definition>
        <process>
            <operator type="AND">
                <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
            </operator>
        </process>
    </definition>
    <description>
        <name>STOP DJVU icacls Process</name>
        <explanation>
            This is stop djvu process use icacls process
        </explanation>
        <maliciousCauses>
        </maliciousCauses>
        <category>
            Default
        </category>
        <recommendedActions>
            [remediation:kill]
            [remediation:block]
        </recommendedActions>
    </description>
    <actions>
        <action name="BlockProcessExecutable" />
        <action name="BlockParentProcessExecutable" />
    </actions>
</rule>

And the third one creates a registry key with this data:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
data:\C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\701fd32c8bd585ae93d7e2d6.exe\ --AutoStart

But I still don't know how to create it.

My questions are:

  1. Is the rule set effective against STOP DJVU ransomware? If not, is there another way?
  2. How do I create a rule set for the registry key in the third one for the DJVU process?
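As an added example for the third behaviour (the Run key write), not part of the original post and not taken from ESET's own documentation, here is how such a rule can be laid out in the same EEI rule format. It keeps the `<process>` filter from the post's first rule and adds an `<operations>` section that matches the registry write itself. The operation type `WriteRegistry`, the `Registry` component with its `Key`, `Value` and `Data` properties, the `FileItem` property `Path`, and the `TriggerDetection` action are assumptions about the EEI rule schema and must be checked against the ESET Inspector Rules Guide for the deployed version before the rule is imported.

```xml
<?xml version="1.0" encoding="utf-8"?>
<rule>
    <severity>warning</severity>
    <definition>
        <!-- Filter on the process doing the write: an .exe running out of the user's
             AppData\Local tree, which is where the dropper in the post lives.
             FileItem/Path is an assumed property name; verify it in the Rules Guide. -->
        <process>
            <operator type="AND">
                <condition component="FileItem" property="Extension" condition="is" value="exe" />
                <condition component="FileItem" property="Path" condition="contains" value="\AppData\Local\" />
            </operator>
        </process>
        <!-- Match the registry operation. WriteRegistry and the Registry component's
             Key / Value / Data properties are assumed names; verify before deploying. -->
        <operations>
            <operation type="WriteRegistry">
                <operator type="AND">
                    <!-- Any hive: HKEY_CURRENT_USER\Software\...\Run is the path in the post. -->
                    <condition component="Registry" property="Key" condition="contains" value="\Software\Microsoft\Windows\CurrentVersion\Run" />
                    <operator type="OR">
                        <!-- Value name seen in the post. -->
                        <condition component="Registry" property="Value" condition="is" value="SysHelper" />
                        <!-- Value data seen in the post: the dropper path followed by --AutoStart. -->
                        <condition component="Registry" property="Data" condition="contains" value="--AutoStart" />
                    </operator>
                </operator>
            </operation>
        </operations>
    </definition>
    <description>
        <name>STOP DJVU Run key persistence</name>
        <explanation>
            An executable in AppData\Local writes a Run key value named SysHelper, or whose data contains --AutoStart.
        </explanation>
        <maliciousCauses>
        </maliciousCauses>
        <category>
            Default
        </category>
        <recommendedActions>
            [remediation:kill]
            [remediation:block]
        </recommendedActions>
    </description>
    <actions>
        <!-- TriggerDetection is assumed to be the action that raises the alert;
             BlockProcessExecutable is the same action used in the post's rules. -->
        <action name="TriggerDetection" />
        <action name="BlockProcessExecutable" />
    </actions>
</rule>
```

The process filter is deliberately loose because, as the post notes, the dropper file name is random; the selectivity comes from the value name and the `--AutoStart` data in the Run key write. Legitimate installers also register Run entries from AppData\Local, so run the rule with only the detection action first and review the hits before enabling the blocking action.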