rule win_cicada3301_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cicada3301."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cicada3301"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * The hex sequences are the only content YARA evaluates; the `//` annotations
     * after each sequence are generator output and do not line up with the bytes
     * they are attached to (the `e8????????` call stubs carry no text at all, and
     * REX-prefixed 64-bit instructions such as `4889f9` are shown as unrelated
     * 32-bit mnemonics like `dec eax` / `inc ecx`). Treat them as informational
     * only and re-disassemble the bytes before drawing conclusions from them.
     * Per the disclaimer above, the sequences were selected from unpacked code and
     * memory dumps, so matches are expected against unpacked samples or process
     * memory rather than packed files on disk; the `filesize` bound in the
     * condition applies to whatever object is being scanned.
     */
    strings:
        $sequence_0 = { f30fbcd2 4801ca 4821fa 41807c150000 0f88ecfeffff 66410f6f4500 660fd7c8 }
            // n = 7, score = 100
            //   f30fbcd2             | mov byte ptr [esp + 0x1a4], 1
            //   4801ca               | mov byte ptr [esp + 0x1a3], 1
            //   4821fa               | movdqu xmmword ptr [esp + 0x90], xmm0
            //   41807c150000         | dec eax
            //   0f88ecfeffff         | mov dword ptr [esp + 0xd0], 4
            //   66410f6f4500         | dec esp
            //   660fd7c8             | mov dword ptr [esp + 0x80], esp

        $sequence_1 = { e8???????? 85c0 0f84d9090000 4c89e1 e8???????? e9???????? 4c89742448 }
            // n = 7, score = 100
            //   e8????????           |
            //   85c0                 | je 0x63
            //   0f84d9090000         | inc ecx
            //   4c89e1               | mov eax, dword ptr [esi + 0x3c]
            //   e8????????           |
            //   e9????????           |
            //   4c89742448           | mov dword ptr [ebp + 0x28], eax

        $sequence_2 = { e8???????? 4889f9 4889f2 4989d8 e8???????? eb7b 0f10842490040000 }
            // n = 7, score = 100
            //   e8????????           |
            //   4889f9               | shr eax, 0x39
            //   4889f2               | movd xmm0, eax
            //   4989d8               | punpcklbw xmm0, xmm0
            //   e8????????           |
            //   eb7b                 | pshuflw xmm0, xmm0, 0
            //   0f10842490040000     | dec eax

        $sequence_3 = { f3440f6f0438 66410f6fc0 660f74c7 66440fd7f0 4585f6 7533 66440f74c6 }
            // n = 7, score = 100
            //   f3440f6f0438         | subps xmm2, xmm0
            //   66410f6fc0           | dec eax
            //   660f74c7             | inc ecx
            //   66440fd7f0           | movaps xmm0, xmm1
            //   4585f6               | inc esp
            //   7533                 | cvtpi2ps xmm2, mm1
            //   66440f74c6           | inc esp

        $sequence_4 = { f390 83c1f8 75eb 83e005 74ab 660f1f440000 f390 }
            // n = 7, score = 100
            //   f390                 | paddd xmm6, xmm0
            //   83c1f8               | inc cx
            //   75eb                 | pxor mm6, mm4
            //   83e005               | inc sp
            //   74ab                 | paddd mm0, mm3
            //   660f1f440000         | inc bp
            //   f390                 | pxor mm0, mm3

        $sequence_5 = { bad0010000 480f44d7 41b808000000 e8???????? 488b9660010000 4889d8 4889f1 }
            // n = 7, score = 100
            //   bad0010000           | dec eax
            //   480f44d7             | lea eax, [0x2470e5]
            //   41b808000000         | mov edx, 0x1e
            //   e8????????           |
            //   488b9660010000       | pop ebp
            //   4889d8               | ret
            //   4889f1               | mov edx, 0x24

        $sequence_6 = { f3420f6f0c0f f3410f6f10 660f6fda 660f60d8 660f70db4e f20f70db1b f30f70db1b }
            // n = 7, score = 100
            //   f3420f6f0c0f         | bsf eax, eax
            //   f3410f6f10           | inc esp
            //   660f6fda             | add edx, eax
            //   660f60d8             | inc ecx
            //   660f70db4e           | mov al, 0x80
            //   f20f70db1b           | inc ecx
            //   f30f70db1b           | movq mm0, qword ptr [eax + eax]

        $sequence_7 = { f3410f7e10 660f60d0 660f70d24e f20f70d21b f30f70d21b 660f67d2 660fd61413 }
            // n = 7, score = 100
            //   f3410f7e10           | movups xmmword ptr [esi], xmm0
            //   660f60d0             | dec eax
            //   660f70d24e           | mov dword ptr [esi + 0x10], ebx
            //   f20f70d21b           | movaps xmm0, xmmword ptr [esp + 0x110]
            //   f30f70d21b           | movups xmmword ptr [esi + 0x18], xmm0
            //   660f67d2             | movdqu xmmword ptr [esi + 0x28], xmm7
            //   660fd61413           | movups xmmword ptr [esi + 0x38], xmm1

        $sequence_8 = { f3450f58c0 f3440f5ec6 f3440f59c1 f3440f5cc7 ffc1 0f28f9 410f28c8 }
            // n = 7, score = 100
            //   f3450f58c0           | test edi, edi
            //   f3440f5ec6           | jne 0x2e0
            //   f3440f59c1           | inc sp
            //   f3440f5cc7           | pcmpeqb mm0, mm6
            //   ffc1                 | inc esp
            //   0f28f9               | movq mm0, qword ptr [edi + ebx]
            //   410f28c8             | inc cx

        $sequence_9 = { e9???????? 89f0 31d2 41f7f6 4885d2 741e bf02000000 }
            // n = 7, score = 100
            //   e9????????           |
            //   89f0                 | cmp dword ptr [esp + 0x118], 0x19
            //   31d2                 | jne 0x27b
            //   41f7f6               | inc ecx
            //   4885d2               | cmp byte ptr [edi + 0xc3], 0
            //   741e                 | je 0x2eb
            //   bf02000000           | dec eax

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object must be
        // smaller than the stated bound.
        7 of them and filesize < 11247616
}