There is no description at this point.
rule win_ccleaner_backdoor_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Review note on the per-byte comments
     * In the published autogenerated listing the disassembly comments were
     * shifted for several sequences (e.g. the comments under $sequence_2
     * described push/pop/call bytes that do not occur in that pattern), and the
     * 64-bit sequences had been decoded as 32-bit code (a 0x48 REX prefix shown
     * as "dec eax"). The comments below were re-derived from the bytes; patterns
     * that carry a REX prefix (0x41/0x44/0x48/0x49/0x4c/0x4d) are annotated as
     * x86-64. The hex patterns themselves are unchanged. Branch targets follow
     * the generator's convention: the branch instruction sits at offset 0.
     *
     * Two practical caveats for operators:
     *  - The set mixes 32-bit and 64-bit code fragments. A single sample will
     *    normally only be able to match the fragments of its own bitness, so
     *    the "7 of them" threshold is effectively evaluated against a subset.
     *  - $sequence_10 and $sequence_14 embed absolute addresses in the
     *    0x10000000 range; they presumably depend on the module's image base /
     *    relocation state (memory dumps vs. on-disk files may differ). Confirm
     *    before relying on those two in particular.
     */

    strings:
        $sequence_0 = { 750a b857000780 e9???????? e8???????? }
            // n = 4, score = 200
            // 750a         | jne 0xc
            // b857000780   | mov eax, 0x80070057  (the value used for the HRESULT E_INVALIDARG; presumably an argument-validation failure path - confirm)
            // e9????????   | jmp rel32
            // e8????????   | call rel32

        $sequence_1 = { 57 ffd6 50 ff15???????? 8b3d???????? 59 }
            // n = 6, score = 200
            // 57           | push edi
            // ffd6         | call esi
            // 50           | push eax
            // ff15???????? | call dword ptr [imm32]
            // 8b3d???????? | mov edi, dword ptr [imm32]
            // 59           | pop ecx

        $sequence_2 = { c1e002 8bfa 2bf8 c1ee02 2bfe 4f }
            // n = 6, score = 100
            // (original listing carried unrelated push/pop/call comments here)
            // c1e002       | shl eax, 2
            // 8bfa         | mov edi, edx
            // 2bf8         | sub edi, eax
            // c1ee02       | shr esi, 2
            // 2bfe         | sub edi, esi
            // 4f           | dec edi

        $sequence_3 = { c645fc04 e8???????? 838fa8040000ff 33c0 40 }
            // n = 5, score = 100
            // c645fc04       | mov byte ptr [ebp - 4], 4
            // e8????????     | call rel32
            // 838fa8040000ff | or dword ptr [edi + 0x4a8], 0xffffffff
            // 33c0           | xor eax, eax
            // 40             | inc eax

        $sequence_4 = { 8bda 6a04 2bdf 58 3bd8 0f8c0affffff }
            // n = 6, score = 100
            // (original listing carried unrelated push/pop/call comments here)
            // 8bda         | mov ebx, edx
            // 6a04         | push 4
            // 2bdf         | sub ebx, edi
            // 58           | pop eax
            // 3bd8         | cmp ebx, eax
            // 0f8c0affffff | jl 0xffffff10

        $sequence_5 = { 8b45e8 3b450c 7413 6a32 ff15???????? }
            // n = 5, score = 100
            // (original listing carried unrelated push/pop/call comments here)
            // 8b45e8       | mov eax, dword ptr [ebp - 0x18]
            // 3b450c       | cmp eax, dword ptr [ebp + 0xc]
            // 7413         | je 0x15
            // 6a32         | push 0x32
            // ff15???????? | call dword ptr [imm32]

        $sequence_6 = { 59 85c0 741d 68???????? 56 e8???????? }
            // n = 6, score = 100
            // 59           | pop ecx
            // 85c0         | test eax, eax
            // 741d         | je 0x1f
            // 68????????   | push imm32
            // 56           | push esi
            // e8????????   | call rel32

        $sequence_7 = { 448bcf 4c8bc0 ff5560 488b4c2478 85c0 8bd8 }
            // n = 6, score = 100  (x86-64; REX prefixes 0x44/0x4c/0x48)
            // 448bcf       | mov r9d, edi
            // 4c8bc0       | mov r8, rax
            // ff5560       | call qword ptr [rbp + 0x60]
            // 488b4c2478   | mov rcx, qword ptr [rsp + 0x78]
            // 85c0         | test eax, eax
            // 8bd8         | mov ebx, eax

        $sequence_8 = { 895c2418 b800080000 0f44c2 33d2 }
            // n = 4, score = 100
            // 895c2418     | mov dword ptr [esp + 0x18], ebx
            // b800080000   | mov eax, 0x800
            // 0f44c2       | cmove eax, edx
            // 33d2         | xor edx, edx

        $sequence_9 = { e8???????? 83c414 8d4508 6a04 }
            // n = 4, score = 100
            // e8????????   | call rel32
            // 83c414       | add esp, 0x14
            // 8d4508       | lea eax, [ebp + 8]
            // 6a04         | push 4

        $sequence_10 = { 0f8775070000 ff2485dd260010 6a03 5a 39550c 7323 }
            // n = 6, score = 100
            // (original listing carried unrelated push/pop/call comments here)
            // 0f8775070000   | ja 0x77b
            // ff2485dd260010 | jmp dword ptr [eax*4 + 0x100026dd]   (absolute address - see review note)
            // 6a03           | push 3
            // 5a             | pop edx
            // 39550c         | cmp dword ptr [ebp + 0xc], edx
            // 7323           | jae 0x25

        $sequence_11 = { ff5008 488bde 4885ed 740e 488b4500 }
            // n = 5, score = 100  (x86-64; REX prefix 0x48)
            // ff5008       | call qword ptr [rax + 8]
            // 488bde       | mov rbx, rsi
            // 4885ed       | test rbp, rbp
            // 740e         | je 0x10
            // 488b4500     | mov rax, qword ptr [rbp]

        $sequence_12 = { 57 ff15???????? 8be8 3bef 7504 33c0 eb7f }
            // n = 7, score = 100
            // (original listing carried comments belonging to $sequence_14 here)
            // 57           | push edi
            // ff15???????? | call dword ptr [imm32]
            // 8be8         | mov ebp, eax
            // 3bef         | cmp ebp, edi
            // 7504         | jne 6
            // 33c0         | xor eax, eax
            // eb7f         | jmp 0x81

        $sequence_13 = { 498bfe eb07 488b7e18 482bf9 4d3bc6 0f8473020000 }
            // n = 6, score = 100  (x86-64; REX prefixes 0x49/0x48/0x4d)
            // 498bfe       | mov rdi, r14
            // eb07         | jmp 9
            // 488b7e18     | mov rdi, qword ptr [rsi + 0x18]
            // 482bf9       | sub rdi, rcx
            // 4d3bc6       | cmp r8, r14
            // 0f8473020000 | je 0x279

        $sequence_14 = { 83450c08 ebd2 d36d08 8b0c8568c60210 234d08 }
            // n = 5, score = 100
            // (original listing carried unrelated lea/push/call comments here)
            // 83450c08       | add dword ptr [ebp + 0xc], 8
            // ebd2           | jmp 0xffffffd4
            // d36d08         | shr dword ptr [ebp + 8], cl
            // 8b0c8568c60210 | mov ecx, dword ptr [eax*4 + 0x1002c668]   (absolute address - see review note)
            // 234d08         | and ecx, dword ptr [ebp + 8]

        $sequence_15 = { 8acb c0f902 80e10f c0e004 0ac8 880f }
            // n = 6, score = 100
            // Packs the upper bits of bl and the low nibble of al into one output byte.
            // 8acb         | mov cl, bl
            // c0f902       | sar cl, 2
            // 80e10f       | and cl, 0xf
            // c0e004       | shl al, 4
            // 0ac8         | or cl, al
            // 880f         | mov byte ptr [edi], cl

        $sequence_16 = { 488d4c2420 e8???????? 4c8d1d2f8cffff 4c895c2420 }
            // n = 4, score = 100  (x86-64; REX prefixes 0x48/0x4c)
            // (original listing carried comments belonging to $sequence_13 here)
            // 488d4c2420     | lea rcx, [rsp + 0x20]
            // e8????????     | call rel32
            // 4c8d1d2f8cffff | lea r11, [rip - 0x73d1]
            // 4c895c2420     | mov qword ptr [rsp + 0x20], r11

        $sequence_17 = { 50 8d856cfeffff 57 50 6802000080 ff15???????? 85c0 }
            // n = 7, score = 100
            // 50           | push eax
            // 8d856cfeffff | lea eax, [ebp - 0x194]
            // 57           | push edi
            // 50           | push eax
            // 6802000080   | push 0x80000002   (matches the HKEY_LOCAL_MACHINE handle value; presumably a registry API call - confirm)
            // ff15???????? | call dword ptr [imm32]
            // 85c0         | test eax, eax

        $sequence_18 = { 6a40 ff15???????? ff36 8bf8 8d4604 }
            // n = 5, score = 100
            // 6a40         | push 0x40
            // ff15???????? | call dword ptr [imm32]
            // ff36         | push dword ptr [esi]
            // 8bf8         | mov edi, eax
            // 8d4604       | lea eax, [esi + 4]

        $sequence_19 = { f7f1 0fafc1 8b4dd8 2bc8 8944241c 034de8 }
            // n = 6, score = 100
            // f7f1         | div ecx
            // 0fafc1       | imul eax, ecx
            // 8b4dd8       | mov ecx, dword ptr [ebp - 0x28]
            // 2bc8         | sub ecx, eax
            // 8944241c     | mov dword ptr [esp + 0x1c], eax
            // 034de8       | add ecx, dword ptr [ebp - 0x18]

        $sequence_20 = { 8d45fc 895dfc 50 8b06 c1e008 }
            // n = 5, score = 100
            // 8d45fc       | lea eax, [ebp - 4]
            // 895dfc       | mov dword ptr [ebp - 4], ebx
            // 50           | push eax
            // 8b06         | mov eax, dword ptr [esi]
            // c1e008       | shl eax, 8

        $sequence_21 = { 894614 58 66894606 895e08 }
            // n = 4, score = 100
            // 894614       | mov dword ptr [esi + 0x14], eax
            // 58           | pop eax
            // 66894606     | mov word ptr [esi + 6], ax
            // 895e08       | mov dword ptr [esi + 8], ebx

        $sequence_22 = { 8bd6 c60100 41 4a 75f9 85c0 }
            // n = 6, score = 100
            // Byte-wise zeroing loop: edx counts down from esi, ecx walks the buffer.
            // 8bd6         | mov edx, esi
            // c60100       | mov byte ptr [ecx], 0
            // 41           | inc ecx
            // 4a           | dec edx
            // 75f9         | jne 0xfffffffb
            // 85c0         | test eax, eax

        $sequence_23 = { 8b750c 8b45fc ff740704 8b06 c1e008 8d8418a1000000 }
            // n = 6, score = 100
            // 8b750c         | mov esi, dword ptr [ebp + 0xc]
            // 8b45fc         | mov eax, dword ptr [ebp - 4]
            // ff740704       | push dword ptr [edi + eax + 4]
            // 8b06           | mov eax, dword ptr [esi]
            // c1e008         | shl eax, 8
            // 8d8418a1000000 | lea eax, [eax + ebx + 0xa1]

        $sequence_24 = { 752f 410bc0 488d15534b0000 488d0d7c500000 8905???????? }
            // n = 5, score = 100  (x86-64; REX prefixes 0x41/0x48)
            // (original listing carried unrelated je/test comments here)
            // 752f           | jne 0x31
            // 410bc0         | or eax, r8d
            // 488d15534b0000 | lea rdx, [rip + 0x4b53]
            // 488d0d7c500000 | lea rcx, [rip + 0x507c]
            // 8905????????   | mov dword ptr [rip + disp32], eax

        $sequence_25 = { 8bf0 837c241000 740a ff742410 e8???????? 59 8bc6 }
            // n = 7, score = 100
            // 8bf0         | mov esi, eax
            // 837c241000   | cmp dword ptr [esp + 0x10], 0
            // 740a         | je 0xc
            // ff742410     | push dword ptr [esp + 0x10]
            // e8????????   | call rel32
            // 59           | pop ecx
            // 8bc6         | mov eax, esi

        $sequence_26 = { 5d c3 8b442404 3b442408 7418 56 57 }
            // n = 7, score = 100
            // Epilogue of one function followed by the prologue of the next.
            // 5d           | pop ebp
            // c3           | ret
            // 8b442404     | mov eax, dword ptr [esp + 4]
            // 3b442408     | cmp eax, dword ptr [esp + 8]
            // 7418         | je 0x1a
            // 56           | push esi
            // 57           | push edi

        $sequence_27 = { e8???????? 4885c0 488bd8 7431 c64338ff c6433901 488d052149ffff }
            // n = 7, score = 100  (x86-64; REX prefix 0x48)
            // (original listing carried comments belonging to $sequence_13 here)
            // e8????????     | call rel32
            // 4885c0         | test rax, rax
            // 488bd8         | mov rbx, rax
            // 7431           | je 0x33
            // c64338ff       | mov byte ptr [rbx + 0x38], 0xff
            // c6433901       | mov byte ptr [rbx + 0x39], 1
            // 488d052149ffff | lea rax, [rip - 0xb6df]

        $sequence_28 = { e8???????? 488b9c24a8000000 488bd3 488d4c2440 ff15???????? }
            // n = 5, score = 100  (x86-64; REX prefix 0x48)
            // (original listing carried comments belonging to $sequence_11 here)
            // e8????????       | call rel32
            // 488b9c24a8000000 | mov rbx, qword ptr [rsp + 0xa8]
            // 488bd3           | mov rdx, rbx
            // 488d4c2440       | lea rcx, [rsp + 0x40]
            // ff15????????     | call qword ptr [rip + disp32]

        $sequence_29 = { 6a32 ff15???????? 46 83fe3c 7cd0 33c0 }
            // n = 6, score = 100
            // (original listing carried comments belonging to $sequence_5/$sequence_10 here)
            // Loop body: call an import with argument 0x32 up to 0x3c (60) times
            // (presumably a Sleep(50)-style polling loop - confirm against the sample).
            // 6a32         | push 0x32
            // ff15???????? | call dword ptr [imm32]
            // 46           | inc esi
            // 83fe3c       | cmp esi, 0x3c
            // 7cd0         | jl 0xffffffd2
            // 33c0         | xor eax, eax

    condition:
        // Any 7 of the 30 code fragments, in a file smaller than 369 KiB.
        // See the review note above about the 32/64-bit split of the fragments.
        7 of them and filesize < 377856
}
rule win_ccleaner_backdoor_w0 {
    // Hand-written string rule: the four DLL path fragments below must all be
    // present as standalone ASCII literals.
    meta:
        author = "Florian Roth"
        reference = "https://goo.gl/puVc9q"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // "fullword" requires a non-alphanumeric character on both sides of the
        // match, so each fragment must appear on its own (e.g. as a separate
        // literal in the binary). A fragment embedded in a longer path such as
        // "...System32\spool\..." is preceded by an alphanumeric character and
        // will NOT satisfy the rule. Only ASCII encodings are checked; a UTF-16
        // copy of the same path would not match.
        $s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" fullword ascii
        $s2 = "\\spool\\prtprocs\\x64\\localspl.dll" fullword ascii
        $s3 = "\\msvcrt.dll" fullword ascii
        $s4 = "\\TSMSISrv.dll" fullword ascii

    condition:
        // Equivalent to "all of them": every string is required, so a sample
        // that carries only the 32-bit or only the 64-bit spool path does not hit.
        $s1 and $s2 and $s3 and $s4
}
import "pe"

rule win_ccleaner_backdoor_w1 {
    // Hand-written rule: Symantec-branded version string plus a SYMEFA device
    // path, both UTF-16, in a PE that carries no Authenticode signature.
    meta:
        author = "Florian Roth"
        reference = "https://goo.gl/puVc9q"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Both strings are matched in their UTF-16LE ("wide") form only.
        $s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
        // YARA source escaping: this is the device path \\.\SYMEFA in the file.
        $s2 = "\\\\.\\SYMEFA" fullword wide

    condition:
        // Both strings are required (same as "all of them"). The pe-module check
        // demands that the security directory holds no signature at all, which
        // is what separates a spoofed Symantec build from a genuinely signed one.
        // Because pe.number_of_signatures is undefined for non-PE input, the
        // whole condition evaluates to false on anything that is not a PE file.
        $s1 and $s2 and pe.number_of_signatures == 0
}