{"group":"grief","count":1,"rules":[{"rule_name":"grief.yar","rule_text":"/*\n   YARA Rule Set\n   Author: TTC-CERT\n   Date: 2021-12-27\n   Identifier: Grief_ransomware_sample\n   Reference: TLP:WHITE\n*/\n\n/* Rule Set ----------------------------------------------------------------- */\n\nrule Grief_ransomware_sample_1 {\n   meta:\n      description = \"malware_sample - file Grief_ransomware_sample_1\"\n      author = \"TTC-CERT\"\n      reference = \"TLP:WHITE\"\n      date = \"2021-12-27\"\n      hash1 = \"b5c188e82a1dad02f71fcb40783cd8b910ba886acee12f7f74c73ed310709cd2\"\n   strings:\n      $s1 = \"jpmfrgpv55.dll\" fullword ascii\n      $s2 = \"i2rauh.dll\" fullword wide\n      $s3 = \"gppp2.pdb\" fullword ascii\n      $s4 = \"RusersLocalhousegXrelease\" fullword wide\n      $s5 = \"CKversionFqthecompany,ton.507\" fullword ascii\n      $s6 = \"nin-pageDscanningaccessHiconremoved.tests\" fullword ascii\n      $s7 = \"5.1.0000.00\" fullword wide /* hex encoded string 'Q' */\n      $s8 = \"rstablea\" fullword ascii\n      $s9 = \"provider.catalogWh\" fullword wide\n      $s10 = \"11releasedscorpioqenableTranslate.AdeemedY\" fullword ascii\n      $s11 = \"SLmorespeedChrome.professorseriousdthe\" fullword ascii\n      $s12 = \"replaceZ.ZChromethew\" fullword ascii\n      $s13 = \"adsweetandFlashaReleasej\" fullword wide\n      $s14 = \"guimplementedT.austin\" fullword wide\n      $s15 = \"theGharmful.TbOmniboxtabs.68from\" fullword wide\n      $s16 = \"RCWklT6\" fullword ascii\n      $s17 = \"kXllYE6\" fullword ascii\n      $s18 = \"CLDig40\" fullword ascii\n      $s19 = \"JIXllT8\" fullword ascii\n      $s20 = \"suchlvvlaurenFusing5\" fullword wide\n   condition:\n      uint16(0) == 0x5a4d and filesize < 700KB and\n      8 of them\n}\n\nrule Grief_ransomware_sample_2 {\n   meta:\n      description = \"malware_sample - file Grief_ransomware_sample_2\"\n      author = \"TTC-CERT\"\n      reference = \"TLP:WHITE\"\n      date = \"2021-12-27\"\n      hash1 = \"dda4598f29a033d2ec4f89f4ae687e12b927272462d25ca1b8dec4dc0acb1bec\"\n   strings:\n      $s1 = \"llkoplo44.dll\" fullword ascii\n      $s2 = \"o2iual.dll\" fullword wide\n      $s3 = \"identifiesdownloadingyankeesp\" fullword ascii\n      $s4 = \"fffprT.pdb\" fullword ascii\n      $s5 = \"process-allocationbFrenchdifferenceqprofessorqthe\" fullword ascii\n      $s6 = \"andaabove.93OSdialog.11112be2ny\" fullword ascii\n      $s7 = \"5.2.0000.00\" fullword wide /* hex encoded string 'R' */\n      $s8 = \"hhphaseopt\" fullword ascii\n      $s9 = \": :$:(:,:0:4:8:D:H:L:P:T:X:\\\\:`:\" fullword ascii\n      $s10 = \"dFmLfeatures.shortenedofficialic\" fullword ascii\n      $s11 = \":(:,:0:4:T:X:\\\\:`:d:h:l:p:t:x:\" fullword ascii\n      $s12 = \"has2ZPatriciafextensionsextensions.standardization\" fullword ascii\n      $s13 = \"23.featuresThesevixVuser\" fullword ascii\n      $s14 = \"Cnewjas\" fullword ascii\n      $s15 = \"foundRffZin0\" fullword ascii\n      $s16 = \"Bgtikmf44\" fullword ascii\n      $s17 = \"thedeserveS\" fullword ascii\n      $s18 = \"aPpopularsthe30fBW\" fullword ascii\n      $s19 = \"waszNthey\" fullword ascii\n      $s20 = \"1\u001f2,2t2\" fullword ascii /* Goodware String - occured 1 times */\n   condition:\n      uint16(0) == 0x5a4d and filesize < 700KB and\n      8 of them\n}\n\nrule Grief_ransomware_sample_3 {\n   meta:\n      description = \"malware_sample - file Grief_ransomware_sample_3\"\n      author = \"TTC-CERT\"\n      reference = \"TLP:WHITE\"\n      date = \"2021-12-27\"\n      hash1 = \"0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0\"\n   strings:\n      $s1 = \"ppdonummdov.dll\" fullword ascii\n      $s2 = \"u2tnat.dll\" fullword wide\n      $s3 = \"gppp2.pdb\" fullword ascii\n      $s4 = \"RusersLocalhousegXrelease\" fullword wide\n      $s5 = \"CKversionFqthecompany,ton.507\" fullword ascii\n      $s6 = \"nin-pageDscanningaccessHiconremoved.tests\" fullword ascii\n      $s7 = \"rstablea\" fullword ascii\n      $s8 = \"provider.catalogWh\" fullword wide\n      $s9 = \"\\\"zfyr* i\" fullword ascii\n      $s10 = \"11releasedscorpioqenableTranslate.AdeemedY\" fullword ascii\n      $s11 = \"SLmorespeedChrome.professorseriousdthe\" fullword ascii\n      $s12 = \"replaceZ.ZChromethew\" fullword ascii\n      $s13 = \"adsweetandFlashaReleasej\" fullword wide\n      $s14 = \"guimplementedT.austin\" fullword wide\n      $s15 = \"theGharmful.TbOmniboxtabs.68from\" fullword wide\n      $s16 = \"AC1t:\\\"\" fullword ascii\n      $s17 = \"suchlvvlaurenFusing5\" fullword wide\n      $s18 = \"ownpblockingoutsideCI9\" fullword wide\n      $s19 = \"LYacross\" fullword ascii\n      $s20 = \"forGooglelthemoremwas\" fullword ascii\n   condition:\n      uint16(0) == 0x5a4d and filesize < 700KB and\n      8 of them\n}\n\nrule Grief_ransomware_sample_4 {\n   meta:\n      description = \"malware_sample - file Grief_ransomware_sample_4\"\n      author = \"TTC-CERT\"\n      reference = \"TLP:WHITE\"\n      date = \"2021-12-27\"\n      hash1 = \"b21ad8622623ce4bcdbf8c5794ef93e2fb6c46cd202d70dbeb088ea6ca4ff9c8\"\n   strings:\n      $s1 = \"gpnh76.dll\" fullword ascii\n      $s2 = \"a2ndit.dll\" fullword wide\n      $s3 = \"identifiesdownloadingyankeesp\" fullword ascii\n      $s4 = \"fffprT.pdb\" fullword ascii\n      $s5 = \"process-allocationbFrenchdifferenceqprofessorqthe\" fullword ascii\n      $s6 = \"andaabove.93OSdialog.11112be2ny\" fullword ascii\n      $s7 = \"2.6.0000.00\" fullword wide /* hex encoded string '&' */\n      $s8 = \"hhphaseopt\" fullword ascii\n      $s9 = \": :$:(:,:0:4:8:D:H:L:P:T:X:\\\\:`:\" fullword ascii\n      $s10 = \"dFmLfeatures.shortenedofficialic\" fullword ascii\n      $s11 = \"has2ZPatriciafextensionsextensions.standardization\" fullword ascii\n      $s12 = \"23.featuresThesevixVuser\" fullword ascii\n      $s13 = \"Cnewjas\" fullword ascii\n      $s14 = \"foundRffZin0\" fullword ascii\n      $s15 = \"DpmoFgrt0\" fullword ascii\n      $s16 = \"thedeserveS\" fullword ascii\n      $s17 = \"aPpopularsthe30fBW\" fullword ascii\n      $s18 = \"waszNthey\" fullword ascii\n      $s19 = \"GoogleassholeheJmadee44y\" fullword ascii\n      $s20 = \"ChromeBZSouthone.\" fullword ascii\n   condition:\n      uint16(0) == 0x5a4d and filesize < 500KB and\n      8 of them\n}\n\n/* Super Rules ------------------------------------------------------------- */\n\nrule _Grief_ransomware_sample_1_Grief_ransomware_sample_3_0 {\n   meta:\n      description = \"malware_sample - from files Grief_ransomware_sample_1, Grief_ransomware_sample_3\"\n      author = \"TTC-CERT\"\n      reference = \"TLP:WHITE\"\n      date = \"2021-12-27\"\n      hash1 = \"b5c188e82a1dad02f71fcb40783cd8b910ba886acee12f7f74c73ed310709cd2\"\n      hash2 = \"0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0\"\n   strings:\n      $s1 = \"gppp2.pdb\" fullword ascii\n      $s2 = \"RusersLocalhousegXrelease\" fullword wide\n      $s3 = \"CKversionFqthecompany,ton.507\" fullword ascii\n      $s4 = \"nin-pageDscanningaccessHiconremoved.tests\" fullword ascii\n      $s5 = \"rstablea\" fullword ascii\n      $s6 = \"provider.catalogWh\" fullword wide\n      $s7 = \"11releasedscorpioqenableTranslate.AdeemedY\" fullword ascii\n      $s8 = \"SLmorespeedChrome.professorseriousdthe\" fullword ascii\n      $s9 = \"replaceZ.ZChromethew\" fullword ascii\n      $s10 = \"adsweetandFlashaReleasej\" fullword wide\n      $s11 = \"guimplementedT.austin\" fullword wide\n      $s12 = \"theGharmful.TbOmniboxtabs.68from\" fullword wide\n      $s13 = \"suchlvvlaurenFusing5\" fullword wide\n      $s14 = \"ownpblockingoutsideCI9\" fullword wide\n      $s15 = \"LYacross\" fullword ascii\n      $s16 = \"forGooglelthemoremwas\" fullword ascii\n      $s17 = \"tUuOWhileK\" fullword ascii\n      $s18 = \"ssuggestions,kOprogressesSecurityvulnerabilities\" fullword ascii\n      $s19 = \"92AninetheuHstablesofficial\" fullword ascii\n      $s20 = \"vcoordinatedmGoogle\" fullword ascii\n   condition:\n      ( uint16(0) == 0x5a4d and filesize < 700KB and ( 8 of them )\n      ) or ( all of them )\n}\n\nrule _Grief_ransomware_sample_2_Grief_ransomware_sample_4_1 {\n   meta:\n      description = \"malware_sample - from files Grief_ransomware_sample_2, Grief_ransomware_sample_4\"\n      author = \"TTC-CERT\"\n      reference = \"TLP:WHITE\"\n      date = \"2021-12-27\"\n      hash1 = \"dda4598f29a033d2ec4f89f4ae687e12b927272462d25ca1b8dec4dc0acb1bec\"\n      hash2 = \"b21ad8622623ce4bcdbf8c5794ef93e2fb6c46cd202d70dbeb088ea6ca4ff9c8\"\n   strings:\n      $s1 = \"identifiesdownloadingyankeesp\" fullword ascii\n      $s2 = \"fffprT.pdb\" fullword ascii\n      $s3 = \"process-allocationbFrenchdifferenceqprofessorqthe\" fullword ascii\n      $s4 = \"andaabove.93OSdialog.11112be2ny\" fullword ascii\n      $s5 = \"hhphaseopt\" fullword ascii\n      $s6 = \": :$:(:,:0:4:8:D:H:L:P:T:X:\\\\:`:\" fullword ascii\n      $s7 = \"dFmLfeatures.shortenedofficialic\" fullword ascii\n      $s8 = \"has2ZPatriciafextensionsextensions.standardization\" fullword ascii\n      $s9 = \"23.featuresThesevixVuser\" fullword ascii\n      $s10 = \"Cnewjas\" fullword ascii\n      $s11 = \"foundRffZin0\" fullword ascii\n      $s12 = \"thedeserveS\" fullword ascii\n      $s13 = \"aPpopularsthe30fBW\" fullword ascii\n      $s14 = \"waszNthey\" fullword ascii\n      $s15 = \"GoogleassholeheJmadee44y\" fullword ascii\n      $s16 = \"ChromeBZSouthone.\" fullword ascii\n      $s17 = \"PageGdoa9such\" fullword ascii\n      $s18 = \"b8WChromethat2012Gandq37\" fullword ascii\n      $s19 = \"Omniboxthe1wviaetoremoved.\" fullword ascii\n      $s20 = \"Afterthroughevangelist,atheDvnT\" fullword ascii\n   condition:\n      ( uint16(0) == 0x5a4d and filesize < 700KB and ( 8 of them )\n      ) or ( all of them )\n}","sha256":"63e6de6d9c04db7163bd66125fddb0bb9b99ddec22e1c18874957e97a178e474","byte_size":9179,"updated_at":"2026-06-24 05:16:01"}]}