win.apollo_shadow

ApolloShadow

Actor(s): Turla


According to Microsoft, ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard (Microsoft's name for the actor listed above as Turla) to maintain persistence on diplomatic devices, likely for intelligence collection. It has been used in a campaign in which Secret Blizzard targeted embassies located in Moscow from an adversary-in-the-middle (AiTM) position.

References
2025-07-31 — Microsoft (Microsoft Threat Intelligence)
Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats
ApolloShadow
Yara Rules
[TLP:WHITE] win_apollo_shadow_auto (20260504 | Detects win.apollo_shadow.)
rule win_apollo_shadow_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.apollo_shadow."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.apollo_shadow"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on reading and deploying this rule
     * - Each $sequence_N is a run of raw instruction bytes. The 48/49/4c/4d
     *   REX prefixes indicate x86-64 code, and every "??" byte wildcards one
     *   byte of a 4-byte operand (the rel32 of e8/e9 call/jmp and RIP-relative
     *   displacements), so a match does not depend on load address or on
     *   link-time layout of the sample.
     * - The mnemonic column in the per-byte comments below is NOT a decode of
     *   the adjacent bytes: the single byte 90 is annotated
     *   "mov dword ptr [ecx + 0x18], eax" in $sequence_2 but "dec eax" in
     *   $sequence_6, and the 64-bit REX-prefixed bytes are annotated with
     *   32-bit register names. Treat those annotations as generator output,
     *   not as documentation of what the matched code does; disassemble the
     *   sample yourself before drawing conclusions from a hit.
     * - Per the disclaimer above, the sequences come from memory dumps and
     *   unpacked files, so a packed or encrypted on-disk sample will likely
     *   not match until it is unpacked or scanned in memory.
     * - "score = 100" and "n = 7" in the per-sequence comments are generator
     *   statistics (sequence length and selection score), not a confidence
     *   level for the rule as a whole.
     */

    strings:
        $sequence_0 = { 4c3bd9 7363 4983e0e0 f30f7e01 4983c220 660f60c0 660f71e008 }
            // n = 7, score = 100
            //   4c3bd9               | lea                 eax, [ebx - 0x58]
            //   7363                 | dec                 eax
            //   4983e0e0             | mov                 dword ptr [esp + 0x20], eax
            //   f30f7e01             | inc                 ebp
            //   4983c220             | xor                 ecx, ecx
            //   660f60c0             | inc                 ebp
            //   660f71e008           | xor                 eax, eax

        $sequence_1 = { 0f873c060000 e8???????? 660f6f05???????? f30f7f45f8 668975e8 85db 750f }
            // n = 7, score = 100
            //   0f873c060000         | movups              xmmword ptr [esp + 0xb4], xmm0
            //   e8????????           |                     
            //   660f6f05????????     |                     
            //   f30f7f45f8           | movups              xmmword ptr [esp + 0xc4], xmm0
            //   668975e8             | movups              xmmword ptr [esp + 0x50], xmm0
            //   85db                 | test                eax, eax
            //   750f                 | je                  0x3a7

        $sequence_2 = { 41b806000000 488d150f3d0300 e8???????? 90 0f288424d0000000 660f7f8424d0000000 4c8d8424e8000000 }
            // n = 7, score = 100
            //   41b806000000         | mov                 eax, dword ptr [edx - 4]
            //   488d150f3d0300       | inc                 ecx
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [ecx + 0x18], eax
            //   0f288424d0000000     | inc                 ecx
            //   660f7f8424d0000000     | movzx    ecx, byte ptr [eax]
            //   4c8d8424e8000000     | and                 ecx, 0xf

        $sequence_3 = { e9???????? 498bc7 488d0dd7870200 83e03f 4d8be7 49c1fc06 4c8965e8 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   498bc7               | lea                 ecx, [0x14c95]
            //   488d0dd7870200       | mov                 ecx, 0x12
            //   83e03f               | dec                 esp
            //   4d8be7               | lea                 eax, [0x14c81]
            //   49c1fc06             | dec                 eax
            //   4c8965e8             | lea                 edx, [0x14c82]

        $sequence_4 = { e8???????? 0fb7d8 e8???????? 448bcb 4c8bc0 33d2 488d0d63adfeff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb7d8               | dec                 eax
            //   e8????????           |                     
            //   448bcb               | lea                 edx, [ebx + 8]
            //   4c8bc0               | mov                 byte ptr [esp + 0x28], 1
            //   33d2                 | dec                 eax
            //   488d0d63adfeff       | mov                 eax, edx

        $sequence_5 = { 498bd0 4c8d155d0a0300 3bcf 7622 498bc0 48c1f806 498bc8 }
            // n = 7, score = 100
            //   498bd0               | dec                 eax
            //   4c8d155d0a0300       | mov                 ecx, dword ptr [ebp - 0x51]
            //   3bcf                 | dec                 eax
            //   7622                 | mov                 eax, dword ptr [ecx + 0x40]
            //   498bc0               | dec                 ecx
            //   48c1f806             | mov                 ecx, dword ptr [esp]
            //   498bc8               | dec                 eax

        $sequence_6 = { 4c8bc3 488d4dff e8???????? 90 488975b7 488b4db7 4c8975b7 }
            // n = 7, score = 100
            //   4c8bc3               | wait                
            //   488d4dff             | cwde                
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   488975b7             | mov                 dword ptr [esp + 0x28], eax
            //   488b4db7             | dec                 esp
            //   4c8975b7             | mov                 esi, dword ptr [esp + 0x28]

        $sequence_7 = { 7579 488d3dd4710200 ff05???????? 8b4314 90 a9c0040000 7561 }
            // n = 7, score = 100
            //   7579                 | mov                 ecx, esi
            //   488d3dd4710200       | dec                 ecx
            //   ff05????????         |                     
            //   8b4314               | or                  esi, 0xffffffff
            //   90                   | dec                 eax
            //   a9c0040000           | lea                 eax, [0x244cb]
            //   7561                 | dec                 edx

        $sequence_8 = { 488bc3 48bdfeffffffffffff7f 482bc2 483bc5 0f87f5000000 4883f808 0f828f000000 }
            // n = 7, score = 100
            //   488bc3               | xorps               xmm0, xmm0
            //   48bdfeffffffffffff7f     | movups    xmmword ptr [esp + 0x30], xmm0
            //   482bc2               | dec                 esp
            //   483bc5               | mov                 dword ptr [esp + 0x40], esi
            //   0f87f5000000         | dec                 esp
            //   4883f808             | mov                 dword ptr [esp + 0x48], esi
            //   0f828f000000         | inc                 ecx

        $sequence_9 = { 488d8af0000000 e9???????? 488d8ae0000000 e9???????? 488d8a10010000 e9???????? 488d8a58010000 }
            // n = 7, score = 100
            //   488d8af0000000       | cmp                 dword ptr [esp + 0x80], 8
            //   e9????????           |                     
            //   488d8ae0000000       | dec                 eax
            //   e9????????           |                     
            //   488d8a10010000       | cmovae              ecx, dword ptr [esp + 0x68]
            //   e9????????           |                     
            //   488d8a58010000       | dec                 eax

    condition:
        // Any 7 of the 10 byte sequences must be present, so up to three may
        // be absent (e.g. after recompilation) and the rule still fires.
        // The filesize cap keeps the rule from matching large containers in
        // which the code happens to be embedded. NOTE(review): filesize is
        // only defined when scanning a file -- confirm the intended behaviour
        // before relying on this rule for process-memory scans.
        7 of them and filesize < 710656
}