There is no description at this point.
rule win_chainshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.chainshot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0f844e0e0000 ffc8 0f84d8110000 ffc8 } // n = 4, score = 300 // 0f844e0e0000 | dec ebp // ffc8 | je 0x2cf // 0f84d8110000 | test edx, edx // ffc8 | je 0x2cf $sequence_1 = { bd01000000 c70703000000 ebe9 bd01000000 c7070b000000 } // n = 5, score = 300 // bd01000000 | inc ecx // c70703000000 | cmp edi, edi // ebe9 | mov dword ptr [esp + 0x20], esp // bd01000000 | int3 // c7070b000000 | dec eax $sequence_2 = { 7708 7519 66892c5f eb13 66892c5f be7a000780 eb08 } // n = 7, score = 300 // 7708 | test eax, eax // 7519 | je 0x207 // 66892c5f | call eax // eb13 | mov ecx, 0x80000043 // 66892c5f | jmp 0x27c // be7a000780 | dec eax // eb08 | test eax, eax $sequence_3 = { 754a c705????????05000000 eb67 83fa05 7539 } // n = 5, score = 300 // 754a | dec eax // c705????????05000000 | // eb67 | mov edx, dword ptr [esp + 0x80] // 83fa05 | dec eax // 7539 | dec esp $sequence_4 = { 84db 7507 b929080080 eb19 } // n = 4, score = 300 // 84db | dec eax // 7507 | jne 0x115 // b929080080 | mov ebx, 0x80000005 // eb19 | jne 0x11c $sequence_5 = { 85c0 7407 b908000080 eb21 } // n = 4, score = 300 // 85c0 | jne 0x30 // 7407 | inc ecx // b908000080 | cmp al, dl // eb21 | jne 0xdf $sequence_6 = { ffc8 0f84d8110000 ffc8 0f8423110000 ffc8 } // n = 5, score = 300 // ffc8 | mov ecx, esi // 0f84d8110000 | lea edx, [ebp - 0x30] // ffc8 | inc ebp // 0f8423110000 | lea eax, [ecx + 0x2c] // ffc8 | dec eax $sequence_7 = { e8???????? 85c0 0f8891000000 8b0f 85c9 7503 8b4f10 } // n = 7, score = 300 // e8???????? | // 85c0 | mov dword ptr [esp + 0x40], ecx // 0f8891000000 | mov byte ptr [ecx], al // 8b0f | dec ecx // 85c9 | inc ecx // 7503 | dec eax // 8b4f10 | dec ecx $sequence_8 = { b902070080 ebd9 ff15???????? 3db7000000 750a } // n = 5, score = 300 // b902070080 | dec ecx // ebd9 | mov edx, esp // ff15???????? | // 3db7000000 | jmp 0x11f // 750a | dec eax $sequence_9 = { 8ad8 84c0 7507 b901080080 ebde } // n = 5, score = 300 // 8ad8 | jmp 0x75 // 84c0 | mov ecx, 0x201 // 7507 | jne 0xc6 // b901080080 | mov ecx, 0x80000801 // ebde | jmp 0x113 condition: 7 of them and filesize < 802816 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY