Keylogger.
rule win_aytoke_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.aytoke." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6685c9 75e9 e9???????? 33c0 8bff 0fb788103a4100 66898c05fcfdffff } // n = 7, score = 200 // 6685c9 | test cx, cx // 75e9 | jne 0xffffffeb // e9???????? | // 33c0 | xor eax, eax // 8bff | mov edi, edi // 0fb788103a4100 | movzx ecx, word ptr [eax + 0x413a10] // 66898c05fcfdffff | mov word ptr [ebp + eax - 0x204], cx $sequence_1 = { 3c58 770f 0fbec2 0fbe80f83b4100 83e00f eb02 33c0 } // n = 7, score = 200 // 3c58 | cmp al, 0x58 // 770f | ja 0x11 // 0fbec2 | movsx eax, dl // 0fbe80f83b4100 | movsx eax, byte ptr [eax + 0x413bf8] // 83e00f | and eax, 0xf // eb02 | jmp 4 // 33c0 | xor eax, eax $sequence_2 = { 8bd0 83e01f c1fa05 8b149500c44100 59 c1e006 59 } // n = 7, score = 200 // 8bd0 | mov edx, eax // 83e01f | and eax, 0x1f // c1fa05 | sar edx, 5 // 8b149500c44100 | mov edx, dword ptr [edx*4 + 0x41c400] // 59 | pop ecx // c1e006 | shl eax, 6 // 59 | pop ecx $sequence_3 = { 56 e8???????? c1f805 56 8d3c8500c44100 e8???????? 83e01f } // n = 7, score = 200 // 56 | push esi // e8???????? | // c1f805 | sar eax, 5 // 56 | push esi // 8d3c8500c44100 | lea edi, [eax*4 + 0x41c400] // e8???????? | // 83e01f | and eax, 0x1f $sequence_4 = { 90 68???????? e8???????? a1???????? 46 83c004 } // n = 6, score = 200 // 90 | nop // 68???????? | // e8???????? | // a1???????? | // 46 | inc esi // 83c004 | add eax, 4 $sequence_5 = { 2bc2 bb5c000000 85c0 7e16 } // n = 4, score = 200 // 2bc2 | sub eax, edx // bb5c000000 | mov ebx, 0x5c // 85c0 | test eax, eax // 7e16 | jle 0x18 $sequence_6 = { be01000000 83c104 83c408 3bce } // n = 4, score = 200 // be01000000 | mov esi, 1 // 83c104 | add ecx, 4 // 83c408 | add esp, 8 // 3bce | cmp ecx, esi $sequence_7 = { 33c0 8d642400 0fb7888c3a4100 66898c05fcfdffff 83c002 6685c9 75e9 } // n = 7, score = 200 // 33c0 | xor eax, eax // 8d642400 | lea esp, [esp] // 0fb7888c3a4100 | movzx ecx, word ptr [eax + 0x413a8c] // 66898c05fcfdffff | mov word ptr [ebp + eax - 0x204], cx // 83c002 | add eax, 2 // 6685c9 | test cx, cx // 75e9 | jne 0xffffffeb $sequence_8 = { 85ff 7424 56 53 6a01 57 } // n = 6, score = 200 // 85ff | test edi, edi // 7424 | je 0x26 // 56 | push esi // 53 | push ebx // 6a01 | push 1 // 57 | push edi $sequence_9 = { 663bc1 0f85cc130000 8d95fcfcffff 52 ff15???????? 68a0000000 } // n = 6, score = 200 // 663bc1 | cmp ax, cx // 0f85cc130000 | jne 0x13d2 // 8d95fcfcffff | lea edx, [ebp - 0x304] // 52 | push edx // ff15???????? | // 68a0000000 | push 0xa0 condition: 7 of them and filesize < 425984 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY