There is no description at this point.
rule win_chainshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.chainshot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 731b 85c9 7906 b840000000 } // n = 4, score = 300 // 731b | push ecx // 85c9 | mov eax, edx // 7906 | mov dword ptr [ebp - 4], 0 // b840000000 | mov edx, dword ptr [ebp + 8] $sequence_1 = { 8d68fc c70726000000 e9???????? c70709000000 bd02000000 } // n = 5, score = 300 // 8d68fc | je 0x171 // c70726000000 | push ecx // e9???????? | // c70709000000 | mov bl, 1 // bd02000000 | push 0x30 $sequence_2 = { 7509 e8???????? 85c0 7808 } // n = 4, score = 300 // 7509 | push ebx // e8???????? | // 85c0 | rep stosd dword ptr es:[edi], eax // 7808 | dec eax $sequence_3 = { 6683f819 7705 8d4220 eb03 0fb7c2 0fb7c0 } // n = 6, score = 300 // 6683f819 | mov ebx, 0x2000 // 7705 | mov ecx, ebx // 8d4220 | dec eax // eb03 | mov dword ptr [esp + 0x18], esi // 0fb7c2 | push edi // 0fb7c0 | dec eax $sequence_4 = { b901070080 e8???????? eb89 8bd7 } // n = 4, score = 300 // b901070080 | mov bl, 1 // e8???????? | // eb89 | mov esi, edx // 8bd7 | dec eax $sequence_5 = { 7408 ffd0 8905???????? bfa3000080 e9???????? } // n = 5, score = 300 // 7408 | mov ecx, esp // ffd0 | dec esp // 8905???????? | // bfa3000080 | mov dword ptr [esp + 0x30], ebp // e9???????? | $sequence_6 = { ffc8 0f843a110000 ffc8 7427 83e803 0f844a110000 } // n = 6, score = 300 // ffc8 | lea ecx, [edi + 0xd8] // 0f843a110000 | inc ecx // ffc8 | mov eax, 0x70 // 7427 | mov dl, 9 // 83e803 | mov dl, 9 // 0f844a110000 | dec eax $sequence_7 = { 7408 ffd0 8905???????? bb82000080 } // n = 4, score = 300 // 7408 | push edi // ffd0 | mov edi, dword ptr [ebp + 0x18] // 8905???????? | // bb82000080 | mov dword ptr [ebp - 0xc], ebx $sequence_8 = { 8d4a02 b8abaaaaaa f7e1 d1ea } // n = 4, score = 300 // 8d4a02 | dec eax // b8abaaaaaa | mov eax, dword ptr [esp + 0xa0] // f7e1 | dec eax // d1ea | mov dword ptr [esp + 0x20], eax $sequence_9 = { ffc8 747a ffc8 7461 83e802 } // n = 5, score = 300 // ffc8 | test ebx, ebx // 747a | mov byte ptr [ebp - 1], 1 // ffc8 | test edi, edi // 7461 | jne 0xeb // 83e802 | push edx condition: 7 of them and filesize < 802816 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY