win.cactus

Cactus


No description of this family has been written yet.

References
2025-07-31 | Intrinsec | CTI Intrinsec
Shadow syndicate infrastructure illumination
AMOS BlackCat Cactus Cicada3301 Clop LockBit PLAY RansomHub Royal Ransom Silence
2025-03-03 | Trend Micro | Adam O'Connor, Catherine Loveria, Gabriel Cardoso, Ian Kenefick, Jack Walsh, Jovit Samaniego, Lucas Silva, Stephen Carbery
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Black Basta Black Basta Cactus ReedBed
2024-01-22 | ShadowStackRE | ShadowStackRE
Cactus Ransomware
Cactus
2023-12-01 | Twitter (@MsftSecIntel) | Microsoft Threat Intelligence
Tweet on Danabot leading to cactus ransomware
Cactus DanaBot Storm-1044
2023-12-01 | Twitter (@MsftSecIntel) | Microsoft Threat Intelligence
Tweet about Storm-1044 and Storm-0216, Danabot leading to Cactus ransomware
Cactus DanaBot TA2101
2023-09-14 | Sekoia | Livia Tibirna
Sekoia.io mid-2023 Ransomware Threat Landscape
8Base Akira Cactus Storm-1567
Yara Rules
[TLP:WHITE] win_cactus_auto (20260504 | Detects win.cactus.)
rule win_cactus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cactus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cactus"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the rule text itself is unchanged)
     * - The byte sequences carry x64 REX prefixes (0x48/0x4c/0x44/0x45) and
     *   rip-relative lea encodings, i.e. this is 64-bit code. The per-byte
     *   comments below are x64 (Intel syntax) decodes of exactly the bytes
     *   listed; the previously published comments were 32-bit decodes that did
     *   not correspond to the bytes and should not be used for triage.
     * - e8???????? is a call with its rel32 target wildcarded, so call sites
     *   match regardless of where the callee lands.
     * - The rip-relative displacements in $sequence_0/2/5/9 and the rel32
     *   branch offsets in $sequence_2/6/8 encode one build's layout. These are
     *   the sequences most likely to break on a recompiled variant; the
     *   "7 of them" threshold tolerates up to three such misses.
     * - The rcx/rdx/r8 loads immediately before each call are consistent with
     *   the Windows x64 calling convention (argument setup), which is what
     *   makes $sequence_0/1/5/9 look like repeated call sites of one helper.
     * - There is no MZ/PE header check. Presumably deliberate, since the
     *   corpus includes memory dumps and unpacked code; if you fork this rule
     *   for on-disk scanning only, a `uint16(0) == 0x5A4D` prefix would cut
     *   false positives at the cost of dump coverage. Not changed here.
     */

    strings:
        $sequence_0 = { e8???????? 4c8d05f3ee3e00 ba41000000 488d0db8ee3e00 e8???????? 4531c0 bac5000000 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8d05f3ee3e00       | lea                 r8, [rip + 0x3eeef3]
            //   ba41000000           | mov                 edx, 0x41
            //   488d0db8ee3e00       | lea                 rcx, [rip + 0x3eeeb8]
            //   e8????????           | call                <rel32 wildcarded>
            //   4531c0               | xor                 r8d, r8d
            //   bac5000000           | mov                 edx, 0xc5

        $sequence_1 = { e8???????? 4531c0 ba00010c00 b910000000 e8???????? 48c744243800000000 4c89e1 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4531c0               | xor                 r8d, r8d
            //   ba00010c00           | mov                 edx, 0xc0100
            //   b910000000           | mov                 ecx, 0x10
            //   e8????????           | call                <rel32 wildcarded>
            //   48c744243800000000     | mov    qword ptr [rsp + 0x38], 0
            //   4c89e1               | mov                 rcx, r12

        $sequence_2 = { e8???????? 85c0 0f84b6020000 488d153e8d3200 4889d9 e8???????? 4885c0 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   85c0                 | test                eax, eax
            //   0f84b6020000         | je                  +0x2b6
            //   488d153e8d3200       | lea                 rdx, [rip + 0x328d3e]
            //   4889d9               | mov                 rcx, rbx
            //   e8????????           | call                <rel32 wildcarded>
            //   4885c0               | test                rax, rax

        $sequence_3 = { c6042b00 48891f 4c89e8 4883c438 5b 5e 5f }
            // n = 7, score = 100
            //   c6042b00             | mov                 byte ptr [rbx + rbp], 0
            //   48891f               | mov                 qword ptr [rdi], rbx
            //   4c89e8               | mov                 rax, r13
            //   4883c438             | add                 rsp, 0x38
            //   5b                   | pop                 rbx
            //   5e                   | pop                 rsi
            //   5f                   | pop                 rdi

        $sequence_4 = { f30f6f6b50 f30f6f4360 48895070 0f114810 0f115020 0f115830 0f116040 }
            // n = 7, score = 100
            //   f30f6f6b50           | movdqu              xmm5, xmmword ptr [rbx + 0x50]
            //   f30f6f4360           | movdqu              xmm0, xmmword ptr [rbx + 0x60]
            //   48895070             | mov                 qword ptr [rax + 0x70], rdx
            //   0f114810             | movups              xmmword ptr [rax + 0x10], xmm1
            //   0f115020             | movups              xmmword ptr [rax + 0x20], xmm2
            //   0f115830             | movups              xmmword ptr [rax + 0x30], xmm3
            //   0f116040             | movups              xmmword ptr [rax + 0x40], xmm4

        $sequence_5 = { e8???????? 4c8d052c9d3b00 ba16040000 488d0d28843b00 e8???????? 4531c0 ba02010c00 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8d052c9d3b00       | lea                 r8, [rip + 0x3b9d2c]
            //   ba16040000           | mov                 edx, 0x416
            //   488d0d28843b00       | lea                 rcx, [rip + 0x3b8428]
            //   e8????????           | call                <rel32 wildcarded>
            //   4531c0               | xor                 r8d, r8d
            //   ba02010c00           | mov                 edx, 0xc0102

        $sequence_6 = { e8???????? 4889f3 4489f2 29fa 85d2 0f8fb1070000 0f85ab0a0000 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4889f3               | mov                 rbx, rsi
            //   4489f2               | mov                 edx, r14d
            //   29fa                 | sub                 edx, edi
            //   85d2                 | test                edx, edx
            //   0f8fb1070000         | jg                  +0x7b1
            //   0f85ab0a0000         | jne                 +0xaab

        $sequence_7 = { e8???????? 4889f1 e8???????? 4889f1 4889c7 e8???????? 4889f1 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4889f1               | mov                 rcx, rsi
            //   e8????????           | call                <rel32 wildcarded>
            //   4889f1               | mov                 rcx, rsi
            //   4889c7               | mov                 rdi, rax
            //   e8????????           | call                <rel32 wildcarded>
            //   4889f1               | mov                 rcx, rsi

        $sequence_8 = { e8???????? 48894318 4889c1 4885c0 0f857ffeffff 488b4c2458 4889ea }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   48894318             | mov                 qword ptr [rbx + 0x18], rax
            //   4889c1               | mov                 rcx, rax
            //   4885c0               | test                rax, rax
            //   0f857ffeffff         | jne                 -0x181
            //   488b4c2458           | mov                 rcx, qword ptr [rsp + 0x58]
            //   4889ea               | mov                 rdx, rbp

        $sequence_9 = { e8???????? 4c8d05a4e93a00 ba96010000 ebc6 4839c6 0f95c2 4883e814 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8d05a4e93a00       | lea                 r8, [rip + 0x3ae9a4]
            //   ba96010000           | mov                 edx, 0x196
            //   ebc6                 | jmp                 -0x3a
            //   4839c6               | cmp                 rsi, rax
            //   0f95c2               | setne               dl
            //   4883e814             | sub                 rax, 0x14

    condition:
        // At least 7 of the 10 sequences must be present anywhere in the
        // scanned object, and the object must be under 13587456 bytes
        // (about 13 MiB); larger padded or bundled samples will not match.
        7 of them and filesize < 13587456
}