Keylogger.
rule win_aytoke_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-11-21" version = "1" description = "Detects win.aytoke." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke" malpedia_rule_date = "20221118" malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af" malpedia_version = "20221125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c1f805 8d3c8500c44100 8bf3 83e61f c1e606 8b07 } // n = 6, score = 200 // c1f805 | sar eax, 5 // 8d3c8500c44100 | lea edi, [eax*4 + 0x41c400] // 8bf3 | mov esi, ebx // 83e61f | and esi, 0x1f // c1e606 | shl esi, 6 // 8b07 | mov eax, dword ptr [edi] $sequence_1 = { 47 4d 4d 4d 4d 4d 4d } // n = 7, score = 200 // 47 | inc edi // 4d | dec ebp // 4d | dec ebp // 4d | dec ebp // 4d | dec ebp // 4d | dec ebp // 4d | dec ebp $sequence_2 = { 388150744100 7409 41 3bca 7ef3 8be5 } // n = 6, score = 200 // 388150744100 | cmp byte ptr [ecx + 0x417450], al // 7409 | je 0xb // 41 | inc ecx // 3bca | cmp ecx, edx // 7ef3 | jle 0xfffffff5 // 8be5 | mov esp, ebp $sequence_3 = { 8d8d20f6ffff 51 8d9548eeffff 68???????? 52 } // n = 5, score = 200 // 8d8d20f6ffff | lea ecx, [ebp - 0x9e0] // 51 | push ecx // 8d9548eeffff | lea edx, [ebp - 0x11b8] // 68???????? | // 52 | push edx $sequence_4 = { 83e71f c1e706 8b048500c44100 8d44380c 50 } // n = 5, score = 200 // 83e71f | and edi, 0x1f // c1e706 | shl edi, 6 // 8b048500c44100 | mov eax, dword ptr [eax*4 + 0x41c400] // 8d44380c | lea eax, [eax + edi + 0xc] // 50 | push eax $sequence_5 = { c1e106 030c9d00c44100 eb02 8bca f641247f 7526 } // n = 6, score = 200 // c1e106 | shl ecx, 6 // 030c9d00c44100 | add ecx, dword ptr [ebx*4 + 0x41c400] // eb02 | jmp 4 // 8bca | mov ecx, edx // f641247f | test byte ptr [ecx + 0x24], 0x7f // 7526 | jne 0x28 $sequence_6 = { 43 8945f4 890d???????? 889148764100 83fb03 7e8f 5f } // n = 7, score = 200 // 43 | inc ebx // 8945f4 | mov dword ptr [ebp - 0xc], eax // 890d???????? | // 889148764100 | mov byte ptr [ecx + 0x417648], dl // 83fb03 | cmp ebx, 3 // 7e8f | jle 0xffffff91 // 5f | pop edi $sequence_7 = { 8b4df4 8994b1c8944100 46 8914b5c8944100 } // n = 4, score = 200 // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 8994b1c8944100 | mov dword ptr [ecx + esi*4 + 0x4194c8], edx // 46 | inc esi // 8914b5c8944100 | mov dword ptr [esi*4 + 0x4194c8], edx $sequence_8 = { e8???????? 83c408 33f6 881d???????? 881d???????? 8935???????? } // n = 6, score = 200 // e8???????? | // 83c408 | add esp, 8 // 33f6 | xor esi, esi // 881d???????? | // 881d???????? | // 8935???????? | $sequence_9 = { 75e9 e9???????? 33c0 8bff 0fb78880374100 66898c05fcfdffff } // n = 6, score = 200 // 75e9 | jne 0xffffffeb // e9???????? | // 33c0 | xor eax, eax // 8bff | mov edi, edi // 0fb78880374100 | movzx ecx, word ptr [eax + 0x413780] // 66898c05fcfdffff | mov word ptr [ebp + eax - 0x204], cx condition: 7 of them and filesize < 425984 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY