Actor(s): Comment Crew
There is no description at this point.
rule win_biscuit_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.biscuit." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6800020000 6a00 ff15???????? 8b4304 8d942424020000 } // n = 5, score = 100 // 6800020000 | push 0x200 // 6a00 | push 0 // ff15???????? | // 8b4304 | mov eax, dword ptr [ebx + 4] // 8d942424020000 | lea edx, dword ptr [esp + 0x224] $sequence_1 = { e8???????? 8bfd 83c9ff 33c0 83c410 f2ae f7d1 } // n = 7, score = 100 // e8???????? | // 8bfd | mov edi, ebp // 83c9ff | or ecx, 0xffffffff // 33c0 | xor eax, eax // 83c410 | add esp, 0x10 // f2ae | repne scasb al, byte ptr es:[edi] // f7d1 | not ecx $sequence_2 = { eb22 8b85dcbfffff 83e801 8985749fffff 8b8d749fffff 8a11 80ea01 } // n = 7, score = 100 // eb22 | jmp 0x24 // 8b85dcbfffff | mov eax, dword ptr [ebp - 0x4024] // 83e801 | sub eax, 1 // 8985749fffff | mov dword ptr [ebp - 0x608c], eax // 8b8d749fffff | mov ecx, dword ptr [ebp - 0x608c] // 8a11 | mov dl, byte ptr [ecx] // 80ea01 | sub dl, 1 $sequence_3 = { 81faff000000 752f 8b85e4bfffff 83c002 8985ac9fffff 8b8ddcbfffff 83e901 } // n = 7, score = 100 // 81faff000000 | cmp edx, 0xff // 752f | jne 0x31 // 8b85e4bfffff | mov eax, dword ptr [ebp - 0x401c] // 83c002 | add eax, 2 // 8985ac9fffff | mov dword ptr [ebp - 0x6054], eax // 8b8ddcbfffff | mov ecx, dword ptr [ebp - 0x4024] // 83e901 | sub ecx, 1 $sequence_4 = { 8b9550b7ffff 52 e8???????? 83c404 eb22 8b85e8faffff 83e801 } // n = 7, score = 100 // 8b9550b7ffff | mov edx, dword ptr [ebp - 0x48b0] // 52 | push edx // e8???????? | // 83c404 | add esp, 4 // eb22 | jmp 0x24 // 8b85e8faffff | mov eax, dword ptr [ebp - 0x518] // 83e801 | sub eax, 1 $sequence_5 = { f2ae 8bca 4f c1e902 f3a5 8bca 8d442458 } // n = 7, score = 100 // f2ae | repne scasb al, byte ptr es:[edi] // 8bca | mov ecx, edx // 4f | dec edi // c1e902 | shr ecx, 2 // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 8bca | mov ecx, edx // 8d442458 | lea eax, dword ptr [esp + 0x58] $sequence_6 = { e9???????? 8d8500b9ffff 50 b9???????? e8???????? 898524b8ffff } // n = 6, score = 100 // e9???????? | // 8d8500b9ffff | lea eax, dword ptr [ebp - 0x4700] // 50 | push eax // b9???????? | // e8???????? | // 898524b8ffff | mov dword ptr [ebp - 0x47dc], eax $sequence_7 = { 0fbe0d???????? 51 8b958c9fffff 52 e8???????? 83c40c } // n = 6, score = 100 // 0fbe0d???????? | // 51 | push ecx // 8b958c9fffff | mov edx, dword ptr [ebp - 0x6074] // 52 | push edx // e8???????? | // 83c40c | add esp, 0xc $sequence_8 = { e8???????? e9???????? b911000000 33c0 8dbd34daffff f3ab } // n = 6, score = 100 // e8???????? | // e9???????? | // b911000000 | mov ecx, 0x11 // 33c0 | xor eax, eax // 8dbd34daffff | lea edi, dword ptr [ebp - 0x25cc] // f3ab | rep stosd dword ptr es:[edi], eax $sequence_9 = { 8b85e8faffff 83e801 898580b6ffff 8b8d80b6ffff 8a11 80ea01 } // n = 6, score = 100 // 8b85e8faffff | mov eax, dword ptr [ebp - 0x518] // 83e801 | sub eax, 1 // 898580b6ffff | mov dword ptr [ebp - 0x4980], eax // 8b8d80b6ffff | mov ecx, dword ptr [ebp - 0x4980] // 8a11 | mov dl, byte ptr [ecx] // 80ea01 | sub dl, 1 condition: 7 of them and filesize < 180224 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY