Closed (seanthegeek closed this issue 9 years ago)
This was due to some similarities in these samples' buffers from CryptHashData. Both of them appear to have the computer name at the beginning of the buffer. I added an additional check to prevent the CryptoWall APIs from triggering that detection.
Thanks!
The Dyre behaviour signature is triggered by a CryptoWall sample (bd92d129509701465c005bf3e531b606). It looks like they generate random named pipe names in a similar way.
This causes the malfamily to be incorrectly identified as Dyre. I don't have a large library of Dyre samples, so I'm not sure if/how the regex can be tweaked. Or, since this tactic may be more common, maybe preferring Suri names for malfamily would be a better workaround? The ET C2 rules have been very reliable in my experience.
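The workaround proposed above (prefer the Suricata/ET family name over the behavioural signature's name when deciding malfamily) can be sketched as a small resolver. This is an added example written for this thread, not Cuckoo's code; the `family` fields on the behaviour hits and Suricata alerts, and the sample hits themselves, are constructed for illustration and are not taken from the sandbox's actual report format.

```python
from collections import Counter

# Constructed sample report fragments (not real sandbox output).
# A behavioural signature mis-attributes the sample to Dyre, while the
# Suricata ET C2 rule that fired names CryptoWall.
BEHAVIOUR_HITS = [
    {"name": "dyre_behavior", "family": "Dyre", "description": "random named pipe"},
    {"name": "ransomware_files", "family": None, "description": "drops ransom notes"},
]
SURICATA_ALERTS = [
    {"sid": 0, "msg": "constructed ET C2 alert", "family": "CryptoWall"},
    {"sid": 0, "msg": "constructed ET C2 alert", "family": "CryptoWall"},
]


def pick_malfamily(behaviour_hits, suricata_alerts):
    """Return (family, source).

    Network-based ET C2 names win when any Suricata alert carries a family;
    behavioural signature families are only a fallback. Ties are broken by
    frequency, then by first occurrence.
    """
    suri = Counter(a["family"] for a in suricata_alerts if a.get("family"))
    if suri:
        return suri.most_common(1)[0][0], "suricata"
    behav = Counter(h["family"] for h in behaviour_hits if h.get("family"))
    if behav:
        return behav.most_common(1)[0][0], "behaviour"
    return None, None


def family_conflicts(behaviour_hits, suricata_alerts):
    """List behavioural signatures whose family disagrees with the chosen one.

    Useful for signature tuning: each conflict is a candidate false positive
    like the Dyre/CryptoWall case in this issue.
    """
    chosen, source = pick_malfamily(behaviour_hits, suricata_alerts)
    if source != "suricata":
        return []
    return [
        h["name"]
        for h in behaviour_hits
        if h.get("family") and h["family"] != chosen
    ]


if __name__ == "__main__":
    print(pick_malfamily(BEHAVIOUR_HITS, SURICATA_ALERTS))
    print(family_conflicts(BEHAVIOUR_HITS, SURICATA_ALERTS))
```

Running it on the constructed data yields CryptoWall from the Suricata source and flags `dyre_behavior` as the conflicting behavioural signature, which is exactly the kind of hit worth reviewing when deciding whether the regex needs tightening.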