Actor(s): Anunak
There is no description at this point.
rule win_carbanak_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 385d08 7410 68e8030000 e8???????? 59 } // n = 5, score = 200 // 385d08 | cmp byte ptr [ebp + 8], bl // 7410 | je 0x12 // 68e8030000 | push 0x3e8 // e8???????? | // 59 | pop ecx $sequence_1 = { 8b4704 83e6fc 48 c7470808000000 } // n = 4, score = 200 // 8b4704 | mov eax, dword ptr [edi + 4] // 83e6fc | and esi, 0xfffffffc // 48 | dec eax // c7470808000000 | mov dword ptr [edi + 8], 8 $sequence_2 = { 1ac0 fec0 5d c20c00 55 8bec 83ec68 } // n = 7, score = 200 // 1ac0 | sbb al, al // fec0 | inc al // 5d | pop ebp // c20c00 | ret 0xc // 55 | push ebp // 8bec | mov ebp, esp // 83ec68 | sub esp, 0x68 $sequence_3 = { 46 3b75f8 7c8b eb1a 8b4d08 6bf62c 6aff } // n = 7, score = 200 // 46 | inc esi // 3b75f8 | cmp esi, dword ptr [ebp - 8] // 7c8b | jl 0xffffff8d // eb1a | jmp 0x1c // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 6bf62c | imul esi, esi, 0x2c // 6aff | push -1 $sequence_4 = { 68336cd907 6a00 e8???????? 59 59 ffd0 c3 } // n = 7, score = 200 // 68336cd907 | push 0x7d96c33 // 6a00 | push 0 // e8???????? | // 59 | pop ecx // 59 | pop ecx // ffd0 | call eax // c3 | ret $sequence_5 = { 89be84020000 e8???????? 8d8640020000 50 e8???????? 8d8660020000 } // n = 6, score = 200 // 89be84020000 | mov dword ptr [esi + 0x284], edi // e8???????? | // 8d8640020000 | lea eax, [esi + 0x240] // 50 | push eax // e8???????? | // 8d8660020000 | lea eax, [esi + 0x260] $sequence_6 = { 56 e8???????? eb12 8d4645 50 } // n = 5, score = 200 // 56 | push esi // e8???????? | // eb12 | jmp 0x14 // 8d4645 | lea eax, [esi + 0x45] // 50 | push eax $sequence_7 = { e9???????? 55 8bec 81eccc000000 53 } // n = 5, score = 200 // e9???????? | // 55 | push ebp // 8bec | mov ebp, esp // 81eccc000000 | sub esp, 0xcc // 53 | push ebx $sequence_8 = { 8b5624 ebb9 8b450c ebb7 55 8bec } // n = 6, score = 200 // 8b5624 | mov edx, dword ptr [esi + 0x24] // ebb9 | jmp 0xffffffbb // 8b450c | mov eax, dword ptr [ebp + 0xc] // ebb7 | jmp 0xffffffb9 // 55 | push ebp // 8bec | mov ebp, esp $sequence_9 = { 8bec 8b4d0c 56 8b4104 8b7508 48 57 } // n = 7, score = 200 // 8bec | mov ebp, esp // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 56 | push esi // 8b4104 | mov eax, dword ptr [ecx + 4] // 8b7508 | mov esi, dword ptr [ebp + 8] // 48 | dec eax // 57 | push edi condition: 7 of them and filesize < 425984 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY