Concrete signature match: Worm - Self-replicating malware for 32-bit Windows platform, family Ganelp
Worm:Win32/Ganelp is a confirmed, highly malicious worm that employs advanced techniques for persistence and execution. It leverages legitimate Windows utilities such as mshta, regsvr32, rundll32, PowerShell, and BITS jobs to execute code, establish persistence via scheduled tasks, perform process hooking, encode data, and facilitate remote file copying for propagation and further compromise.
Relevant strings associated with this threat:
- n2lr3leldke. (PEHSTR_EXT)
- \Ad\config.ini (PEHSTR_EXT)
- c:\windows\friendl.dll (PEHSTR_EXT)
- +d+k0U.dll.dll (PEHSTR_EXT)
- E)/eW (SNID)
- 5vc.l (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Worm_Win32_Ganelp_B_2147645589_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Worm:Win32/Ganelp.B"
        threat_id = "2147645589"
        type = "Worm"
        platform = "Win32: Windows 32-bit platform"
        family = "Ganelp"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "8"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {50 41 65 74 63 72 65 6f 64 73 47 72 64 73 00} //weight: 1, accuracy: High
        $x_1_2 = {6e 32 6c 72 33 6c 65 6c 64 6b 65 2e 00} //weight: 1, accuracy: High
        $x_1_3 = {62 72 6f 46 6c 6c 65 47 61 65 00} //weight: 1, accuracy: High
        $x_1_4 = {62 6c 6f 41 63 6c 6c 6f 47 61 6c 00} //weight: 1, accuracy: High
        $x_1_5 = {46 53 74 65 65 65 6c 7a 47 69 69 00} //weight: 1, accuracy: High
        $x_1_6 = {61 6f 65 32 70 74 65 54 68 33 61 6f 72 65 6c 70 6e 68 43 74 6f 6c 53 73 00} //weight: 1, accuracy: High
        $x_6_7 = {8b f4 8b 95 d0 fe ff ff 52 ff 15 ?? ?? ?? ?? 3b f4 e8 ?? ?? ?? ?? 89 85 cc fe ff ff 83 bd cc fe ff ff 02 0f 85 ?? ?? ?? ?? 8d 85 54 fa ff ff 50 8b 8d d0 fe ff ff 51 e8 ?? ?? ?? ?? 83 c4 08 89 85 c4 fe ff ff 8d 95 54 fa ff ff 89 95 50 fa ff ff 8b 85 d0 fe ff ff 50 8d 8d 60 fe ff ff 51 e8 76 1e 00 00 83 c4 08 6a 00 68 40 75 42 00 8d 95 54 fe ff ff 52 e8} //weight: 6, accuracy: Low
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_6_*) and 2 of ($x_1_*))) or
            (all of ($x*))
        )
}

Associated hash: cea5fef0029ba8ec3beb4563b94fab04f4c1118a57a9f30f0c8f58c3bd686334

Immediately isolate the infected system to prevent further spread. Perform a full system scan with an updated anti-malware solution to remove all detected components. Investigate the system for persistence mechanisms (e.g., scheduled tasks, registry run keys, BITS jobs) and indicators of lateral movement. Patch all systems, enforce strong access controls, and monitor network activity for any suspicious behavior.
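The rule above is a weighted PEHSTR_EXT signature expressed as YARA: the six `$x_1_*` strings carry weight 1, the `$x_6_7` code pattern carries weight 6, and the `threshold = "8"` metadata is what the `1 of ($x_6_*) and 2 of ($x_1_*)` branch encodes (6 + 1 + 1 = 8). The following Python is an added example, not code from threatcheck.sh or from the signature's publisher. It re-implements that evaluation from scratch (a `??` wildcard-aware hex matcher plus the weighted condition), decodes the weight-1 patterns to show they are null-terminated ASCII strings (the page lists `n2lr3leldke.` among the relevant strings), and runs it over two constructed byte buffers; the function names, the NOP fill byte for wildcards and the sample buffers are all assumptions of this example.

```python
import re

# Hex-string patterns copied verbatim from the Worm_Win32_Ganelp_B rule above,
# keyed by string name -> (weight, pattern). "??" is a one-byte wildcard,
# exactly as in a YARA hex string.
RULE_STRINGS = {
    "x_1_1": (1, "50 41 65 74 63 72 65 6f 64 73 47 72 64 73 00"),
    "x_1_2": (1, "6e 32 6c 72 33 6c 65 6c 64 6b 65 2e 00"),
    "x_1_3": (1, "62 72 6f 46 6c 6c 65 47 61 65 00"),
    "x_1_4": (1, "62 6c 6f 41 63 6c 6c 6f 47 61 6c 00"),
    "x_1_5": (1, "46 53 74 65 65 65 6c 7a 47 69 69 00"),
    "x_1_6": (1, "61 6f 65 32 70 74 65 54 68 33 61 6f 72 65 6c 70 6e 68 "
                 "43 74 6f 6c 53 73 00"),
    "x_6_7": (6, "8b f4 8b 95 d0 fe ff ff 52 ff 15 ?? ?? ?? ?? 3b f4 e8 "
                 "?? ?? ?? ?? 89 85 cc fe ff ff 83 bd cc fe ff ff 02 0f 85 "
                 "?? ?? ?? ?? 8d 85 54 fa ff ff 50 8b 8d d0 fe ff ff 51 e8 "
                 "?? ?? ?? ?? 83 c4 08 89 85 c4 fe ff ff 8d 95 54 fa ff ff "
                 "89 95 50 fa ff ff 8b 85 d0 fe ff ff 50 8d 8d 60 fe ff ff "
                 "51 e8 76 1e 00 00 83 c4 08 6a 00 68 40 75 42 00 8d 95 54 "
                 "fe ff ff 52 e8"),
}
THRESHOLD = 8                    # meta: threshold = "8"
MAX_FILESIZE = 20 * 1024 * 1024  # condition: filesize < 20MB


def hex_pattern_to_regex(pattern: str):
    """Compile a YARA-style hex string to a bytes regex; '??' becomes '.'."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: (w, hex_pattern_to_regex(p))
            for name, (w, p) in RULE_STRINGS.items()}


def materialize(pattern: str, fill: int = 0x90) -> bytes:
    """Concrete bytes for a pattern, wildcards replaced by `fill` (NOP here).
    Used only to decode the ASCII strings and to build constructed buffers."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in pattern.split())


def decode_ascii_strings() -> dict:
    """The weight-1 patterns are null-terminated ASCII; return them as text."""
    return {name: materialize(p).rstrip(b"\x00").decode("ascii")
            for name, (w, p) in RULE_STRINGS.items() if w == 1}


def evaluate(data: bytes) -> dict:
    """Apply the rule's condition to a buffer and report the weighted score.

    condition: (filesize < 20MB) and
               (((1 of ($x_6_*) and 2 of ($x_1_*))) or (all of ($x*)))
    """
    hits = {name: w for name, (w, rx) in COMPILED.items() if rx.search(data)}
    x6 = sum(1 for n in hits if n.startswith("x_6_"))
    x1 = sum(1 for n in hits if n.startswith("x_1_"))
    score = sum(hits.values())
    rule_matches = (len(data) < MAX_FILESIZE
                    and ((x6 >= 1 and x1 >= 2) or len(hits) == len(RULE_STRINGS)))
    return {
        "matches": sorted(hits),
        "score": score,
        "threshold_met": score >= THRESHOLD,
        "rule_matches": rule_matches,
    }


# Constructed buffers (not real samples): one carries two weight-1 strings plus
# the weight-6 code pattern with wildcards filled by NOPs; the other carries a
# single weight-1 string, which is below the threshold on its own.
SAMPLE_HIT = (b"MZ" + b"\x00" * 62
              + materialize(RULE_STRINGS["x_1_2"][1]) + b"\x00" * 16
              + materialize(RULE_STRINGS["x_6_7"][1]) + b"\x00" * 16
              + materialize(RULE_STRINGS["x_1_6"][1]))
SAMPLE_MISS = b"MZ" + b"\x00" * 62 + materialize(RULE_STRINGS["x_1_2"][1])

if __name__ == "__main__":
    for name, text in decode_ascii_strings().items():
        print(f"{name}: {text!r}")
    print("hit :", evaluate(SAMPLE_HIT))
    print("miss:", evaluate(SAMPLE_MISS))
```

The weighted score and the YARA condition agree on these buffers by construction of the rule: the only way to reach weight 8 is the code pattern plus two strings, so `threshold_met` and `rule_matches` differ only when the buffer exceeds the 20 MB size gate, which the score alone does not model. Note that `strings_accuracy = "Low"` refers to the wildcarded `$x_6_7` pattern; a hit on the weight-1 strings alone is well below the threshold, so the rule is not expected to fire on those strings in isolation.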