From f42a43e31f8b4bce5edcc4283c05d3b648601718 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Tue, 24 Feb 2026 21:17:13 +0000
Subject: [PATCH 1/3] Add ransomware extension hijacking detection signature
---
 .../windows/ransomware_extensionhijack.py | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 modules/signatures/windows/ransomware_extensionhijack.py
diff --git a/modules/signatures/windows/ransomware_extensionhijack.py b/modules/signatures/windows/ransomware_extensionhijack.py
new file mode 100644
index 00000000..13fcf6d3
--- /dev/null
+++ b/modules/signatures/windows/ransomware_extensionhijack.py
@@ -0,0 +1,51 @@
+# Copyright (C) 2026 Kevin Ross
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from lib.cuckoo.common.abstracts import Signature
+
+class RansomwareSetsIcon(Signature):
+ name = "ransomware_sets_icon"
+ description = "Modifies registry keys for file-extension hijacking, possible ransomware behavior"
+ severity = 3
+ categories = ["ransomware"]
+ authors = ["Kevin Ross"]
+ minimum = "1.3"
+ evented = True
+ ttps = ["T1486", "T1564"]
+ mbcs = ["OB0008", "E1486"]
+
+ filter_apinames = {"RegSetValueExA", "RegSetValueExW"}
+
+ def __init__(self, *args, **kwargs):
+ Signature.__init__(self, *args, **kwargs)
+ self.ret = False
+
+ def on_call(self, call, process):
+ filepath = self.get_argument(call, "Buffer")
+ regkey = self.get_argument(call, "FullName")
+
+ if isinstance(filepath, str) and isinstance(regkey, str):
+ filepath_lower = filepath.lower()
+ regkey_lower = regkey.lower()
+
+ is_icon_hijack = filepath_lower.endswith(".ico") and (r"\defaulticon" in regkey_lower or r"\applications" in regkey_lower)
+ is_userchoice_hijack = r"\userchoice" in regkey_lower
+
+ if is_icon_hijack or is_userchoice_hijack:
+ self.mark_call()
+ self.ret = True
+
+ def on_complete(self):
+ return self.ret
From 42ed04d6158436873307038b5d69794a1ae7281a Mon Sep 17 00:00:00 2001
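Review bot: The `.ico` test on the `is_icon_hijack` line is applied to the whole Buffer string, so DefaultIcon values written in the usual `path,index` form (for example `C:\...\lock.ico,0`) never satisfy `endswith(".ico")` and are not detected; the same line is re-added unchanged in the third patch of this series, so the gap survives there too. Normalise the value before the suffix test, e.g. `icon_path = filepath_lower.rsplit(",", 1)[0].strip().strip('"')` followed by `icon_path.endswith(".ico")`, which also copes with quoted paths. A class docstring stating the rationale — that the signature keys on an encrypted-file extension being registered under HKCR with a custom DefaultIcon — would help the next maintainer, and a one-line comment on the `isinstance` guard saying it exists because `get_argument` may return a non-str for a missing argument (presumably the reason it is there) would make that intent explicit.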
From: kevross33
Date: Sat, 7 Mar 2026 22:50:47 +0000
Subject: [PATCH 2/3] Apply suggestions from code review
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 modules/signatures/windows/ransomware_extensionhijack.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/ransomware_extensionhijack.py b/modules/signatures/windows/ransomware_extensionhijack.py
index 13fcf6d3..cf6f56f4 100644
--- a/modules/signatures/windows/ransomware_extensionhijack.py
+++ b/modules/signatures/windows/ransomware_extensionhijack.py
@@ -15,8 +15,8 @@
 from lib.cuckoo.common.abstracts import Signature
-class RansomwareSetsIcon(Signature):
- name = "ransomware_sets_icon"
+class RansomwareExtensionHijack(Signature):
+ name = "ransomware_extension_hijack"
 description = "Modifies registry keys for file-extension hijacking, possible ransomware behavior"
 severity = 3
 categories = ["ransomware"]
From e7da4532bc3aa8eb7e0c5785bf41c6bab08a32d1 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Sat, 7 Mar 2026 22:51:10 +0000
Subject: [PATCH 3/3] Update ransomware_extensionhijack.py
---
 modules/signatures/windows/ransomware_extensionhijack.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/modules/signatures/windows/ransomware_extensionhijack.py b/modules/signatures/windows/ransomware_extensionhijack.py
index cf6f56f4..159e5fa3 100644
--- a/modules/signatures/windows/ransomware_extensionhijack.py
+++ b/modules/signatures/windows/ransomware_extensionhijack.py
@@ -40,10 +40,8 @@ def on_call(self, call, process):
 filepath_lower = filepath.lower()
 regkey_lower = regkey.lower()
- is_icon_hijack = filepath_lower.endswith(".ico") and (r"\defaulticon" in regkey_lower or r"\applications" in regkey_lower)
- is_userchoice_hijack = r"\userchoice" in regkey_lower
-
- if is_icon_hijack or is_userchoice_hijack:
+ is_icon_hijack = filepath_lower.endswith(".ico") and (r"\defaulticon" in regkey_lower or r"\applications" in regkey_lower)
+ if is_icon_hijack:
 self.mark_call()
 self.ret = True
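Review bot: With the UserChoice branch removed, the remaining `if is_icon_hijack:` sets `self.ret` on the first matching write, and a DefaultIcon value pointing at an .ico file is exactly what ordinary installers write for every file type they register, so the signature now reports at severity 3 on a single benign-looking call. Recording the evidence on the hit would at least make triage possible — `self.data.append({"regkey": regkey, "icon": filepath})` after `self.mark_call()`, assuming the Signature base class provides the usual `data` list — and collecting the distinct parent keys of the matched values so that `on_complete` only reports when several extensions are touched would cut the noise further. `on_call` begins above the hunk, and the `if isinstance(...)` guard that encloses these lines is not shown.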