There is no description at this point.
rule win_ccleaner_backdoor_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 750a b857000780 e9???????? e8???????? } // n = 4, score = 200 // 750a | jne 0xc // b857000780 | mov eax, 0x80070057 // e9???????? | // e8???????? | $sequence_1 = { 57 ffd6 50 ff15???????? 8b3d???????? 59 ffd7 } // n = 7, score = 200 // 57 | push edi // ffd6 | call esi // 50 | push eax // ff15???????? | // 8b3d???????? | // 59 | pop ecx // ffd7 | call edi $sequence_2 = { 5f 57 ff15???????? 8bf0 e8???????? 8906 } // n = 6, score = 100 // 5f | pop edi // 57 | push edi // ff15???????? | // 8bf0 | mov esi, eax // e8???????? | // 8906 | mov dword ptr [esi], eax $sequence_3 = { 33c0 c9 c3 8a11 305103 } // n = 5, score = 100 // 33c0 | xor eax, eax // c9 | leave // c3 | ret // 8a11 | mov dl, byte ptr [ecx] // 305103 | xor byte ptr [ecx + 3], dl $sequence_4 = { ab 8d7de8 895de4 ab ab } // n = 5, score = 100 // ab | stosd dword ptr es:[edi], eax // 8d7de8 | lea edi, [ebp - 0x18] // 895de4 | mov dword ptr [ebp - 0x1c], ebx // ab | stosd dword ptr es:[edi], eax // ab | stosd dword ptr es:[edi], eax $sequence_5 = { 751f 33db 488b742438 488bc3 } // n = 4, score = 100 // 751f | je 0x22 // 33db | test byte ptr [ecx + 0x1c], 1 // 488b742438 | dec eax // 488bc3 | cmp dword ptr [edi + 0x20], 0x10 $sequence_6 = { 7925 483bcf 7420 f6411c01 } // n = 4, score = 100 // 7925 | inc ecx // 483bcf | cmp eax, esi // 7420 | mov ebx, eax // f6411c01 | jl 0x11e $sequence_7 = { 682b170000 57 8b07 ff500c 8bcb e8???????? 8b4c2454 } // n = 7, score = 100 // 682b170000 | push 0x172b // 57 | push edi // 8b07 | mov eax, dword ptr [edi] // ff500c | call dword ptr [eax + 0xc] // 8bcb | mov ecx, ebx // e8???????? | // 8b4c2454 | mov ecx, dword ptr [esp + 0x54] $sequence_8 = { 7405 83f80a 7503 6a20 5a } // n = 5, score = 100 // 7405 | je 7 // 83f80a | cmp eax, 0xa // 7503 | jne 5 // 6a20 | push 0x20 // 5a | pop edx $sequence_9 = { 3bd3 0f83dd030000 45 0fb602 4c 03d5 49 } // n = 7, score = 100 // 3bd3 | call esi // 0f83dd030000 | push eax // 45 | pop ecx // 0fb602 | call edi // 4c | push edi // 03d5 | call esi // 49 | push eax $sequence_10 = { 5f 5e ff25???????? 33c0 40 5f } // n = 6, score = 100 // 5f | pop edi // 5e | pop esi // ff25???????? | // 33c0 | xor eax, eax // 40 | inc eax // 5f | pop edi $sequence_11 = { 894dfc 8d5c0610 c745f841c94f5d 7627 6af8 } // n = 5, score = 100 // 894dfc | pop ecx // 8d5c0610 | call edi // c745f841c94f5d | call esi // 7627 | push eax // 6af8 | pop ecx $sequence_12 = { 72e6 5b c3 8b4c2404 } // n = 4, score = 100 // 72e6 | jb 0xffffffe8 // 5b | pop ebx // c3 | ret // 8b4c2404 | mov ecx, dword ptr [esp + 4] $sequence_13 = { 7808 8b8e9c040000 890f 5f 5e 5d c21800 } // n = 7, score = 100 // 7808 | js 0xa // 8b8e9c040000 | mov ecx, dword ptr [esi + 0x49c] // 890f | mov dword ptr [edi], ecx // 5f | pop edi // 5e | pop esi // 5d | pop ebp // c21800 | ret 0x18 $sequence_14 = { 8911 eb02 8901 8b4c2424 85c9 740d } // n = 6, score = 100 // 8911 | mov dword ptr [ecx], edx // eb02 | jmp 4 // 8901 | mov dword ptr [ecx], eax // 8b4c2424 | mov ecx, dword ptr [esp + 0x24] // 85c9 | test ecx, ecx // 740d | je 0xf $sequence_15 = { 68???????? ff742424 ffd3 8d442418 6a04 50 6a03 } // n = 7, score = 100 // 68???????? | // ff742424 | call esi // ffd3 | push eax // 8d442418 | pop ecx // 6a04 | push edi // 50 | call esi // 6a03 | push eax $sequence_16 = { 66443901 7414 4883c102 ebee 498bc7 66443901 } // n = 6, score = 100 // 66443901 | inc sp // 7414 | cmp dword ptr [ecx], eax // 4883c102 | je 0x16 // ebee | dec eax // 498bc7 | add ecx, 2 // 66443901 | jmp 0xfffffff0 $sequence_17 = { 750f 8b06 53 ff750c 56 ff10 } // n = 6, score = 100 // 750f | jne 0x11 // 8b06 | mov eax, dword ptr [esi] // 53 | push ebx // ff750c | push dword ptr [ebp + 0xc] // 56 | push esi // ff10 | call dword ptr [eax] $sequence_18 = { 81e7f2fff87f 81c70e000780 eb10 bf0e000780 eb09 56 } // n = 6, score = 100 // 81e7f2fff87f | and edi, 0x7ff8fff2 // 81c70e000780 | add edi, 0x8007000e // eb10 | jmp 0x12 // bf0e000780 | mov edi, 0x8007000e // eb09 | jmp 0xb // 56 | push esi $sequence_19 = { 8bc2 2b4dfc c7471854b40210 c1e803 3bc1 } // n = 5, score = 100 // 8bc2 | call ebx // 2b4dfc | lea eax, [esp + 0x18] // c7471854b40210 | push 4 // c1e803 | push eax // 3bc1 | push 3 $sequence_20 = { 498be9 458ae0 488bf2 488bf9 750a b857000780 } // n = 6, score = 100 // 498be9 | jb 0x10 // 458ae0 | dec eax // 488bf2 | mov ebx, dword ptr [ebx] // 488bf9 | dec eax // 750a | sub ebp, ebx // b857000780 | dec ebp $sequence_21 = { 8d1c11 4d 8921 803911 } // n = 4, score = 100 // 8d1c11 | push eax // 4d | pop ecx // 8921 | call edi // 803911 | inc ecx $sequence_22 = { ff7510 ff750c 53 53 56 ff15???????? 85c0 } // n = 7, score = 100 // ff7510 | push dword ptr [ebp + 0x10] // ff750c | push dword ptr [ebp + 0xc] // 53 | push ebx // 53 | push ebx // 56 | push esi // ff15???????? | // 85c0 | test eax, eax $sequence_23 = { 48837f2010 7203 488b1b 482beb 4d8bc8 488bd7 4c8bc5 } // n = 7, score = 100 // 48837f2010 | dec esp // 7203 | lea eax, [esp + 0x90] // 488b1b | dec eax // 482beb | lea edx, [0xffff90c1] // 4d8bc8 | jns 0x27 // 488bd7 | dec eax // 4c8bc5 | cmp ecx, edi $sequence_24 = { 7435 488b5008 488d4708 483bd0 7507 b803010780 } // n = 6, score = 100 // 7435 | mov ecx, eax // 488b5008 | dec eax // 488d4708 | mov edx, edi // 483bd0 | dec esp // 7507 | mov eax, ebp // b803010780 | jne 0x27 $sequence_25 = { 488d4c2428 413bc6 8bd8 0f8c13010000 4c8d842490000000 488d15c190ffff } // n = 6, score = 100 // 488d4c2428 | dec ecx // 413bc6 | mov eax, edi // 8bd8 | inc sp // 0f8c13010000 | cmp dword ptr [ecx], eax // 4c8d842490000000 | dec eax // 488d15c190ffff | lea ecx, [esp + 0x28] $sequence_26 = { 8d85f4fdffff 6a10 50 c785f4fdffff3e6d8b7a c785f8fdffff4e00a9f1 c785fcfdffff68d7f39e c78500feffffd5000000 } // n = 7, score = 100 // 8d85f4fdffff | lea eax, [ebp - 0x20c] // 6a10 | push 0x10 // 50 | push eax // c785f4fdffff3e6d8b7a | mov dword ptr [ebp - 0x20c], 0x7a8b6d3e // c785f8fdffff4e00a9f1 | mov dword ptr [ebp - 0x208], 0xf1a9004e // c785fcfdffff68d7f39e | mov dword ptr [ebp - 0x204], 0x9ef3d768 // c78500feffffd5000000 | mov dword ptr [ebp - 0x200], 0xd5 $sequence_27 = { 41 3b4d08 0f8390010000 83fe40 7253 8bc6 } // n = 6, score = 100 // 41 | mov ebp, edx // 3b4d08 | dec eax // 0f8390010000 | mov ecx, dword ptr [ebp + 0xa8] // 83fe40 | pop ecx // 7253 | call edi // 8bc6 | push edi $sequence_28 = { 4c 2bc5 75f0 e9???????? 49 83f820 7246 } // n = 7, score = 100 // 4c | mov dword ptr [ebp - 4], ecx // 2bc5 | lea ebx, [esi + eax + 0x10] // 75f0 | mov dword ptr [ebp - 8], 0x5d4fc941 // e9???????? | // 49 | jbe 0x34 // 83f820 | push -8 // 7246 | cmp edx, ebx $sequence_29 = { 0ac3 83c410 8807 47 ff4d0c 75a2 8b45fc } // n = 7, score = 100 // 0ac3 | or al, bl // 83c410 | add esp, 0x10 // 8807 | mov byte ptr [edi], al // 47 | inc edi // ff4d0c | dec dword ptr [ebp + 0xc] // 75a2 | jne 0xffffffa4 // 8b45fc | mov eax, dword ptr [ebp - 4] condition: 7 of them and filesize < 377856 }
rule win_ccleaner_backdoor_w0 { meta: author = "Florian Roth" reference = "https://goo.gl/puVc9q" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor" malpedia_version = "20180301" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" fullword ascii $s2 = "\\spool\\prtprocs\\x64\\localspl.dll" fullword ascii $s3 = "\\msvcrt.dll" fullword ascii $s4 = "\\TSMSISrv.dll" fullword ascii condition: all of them }
import "pe" rule win_ccleaner_backdoor_w1 { meta: author = "Florian Roth" reference = "https://goo.gl/puVc9q" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor" malpedia_version = "20180301" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide $s2 = "\\\\.\\SYMEFA" fullword wide condition: all of them and pe.number_of_signatures == 0 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY