There is no description at this point.
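// Auto-generated code-sequence rule for the win.cinobi family (Malpedia).
// As published on the page the rule was collapsed onto a few long lines, which
// turned the trailing "//" disassembly comments into line comments that swallow
// every following $sequence_N definition and the condition: block — the rule
// would not compile in that form. It is restored here to one statement per line
// with the disassembly annotations kept as comments on their own lines.
rule win_cinobi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cinobi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each string is a run of n consecutive x86 instruction encodings.
        // "e8????????" is a near call with its 4-byte relative target left as
        // wildcards, since that operand differs per build/layout. "score" is the
        // generator's weight for the sequence (presumably higher = more
        // distinctive; its exact scale is not documented here).

        // Note: leave/ret followed by push ebp/mov ebp,esp/push ecx is a generic
        // function epilogue+prologue, so this sequence alone carries little
        // specificity despite its higher score.
        $sequence_0 = { c9 c3 55 8bec 51 e8???????? 58 }
            // n = 7, score = 200
            //   c9                   | leave
            //   c3                   | ret
            //   55                   | push ebp
            //   8bec                 | mov ebp, esp
            //   51                   | push ecx
            //   e8????????           |
            //   58                   | pop eax

        $sequence_1 = { 8845df 8b45bc 8a400c 8845e0 }
            // n = 4, score = 100
            //   8845df               | mov byte ptr [ebp - 0x21], al
            //   8b45bc               | mov eax, dword ptr [ebp - 0x44]
            //   8a400c               | mov al, byte ptr [eax + 0xc]
            //   8845e0               | mov byte ptr [ebp - 0x20], al

        $sequence_2 = { 0f8554010000 6a04 58 8b4df4 }
            // n = 4, score = 100
            //   0f8554010000         | jne 0x15a
            //   6a04                 | push 4
            //   58                   | pop eax
            //   8b4df4               | mov ecx, dword ptr [ebp - 0xc]

        $sequence_3 = { 33c0 66898588faffff 8b85a8faffff 660fbe4008 66898584f5ffff 8b85a8faffff 660fbe4020 }
            // n = 7, score = 100
            //   33c0                 | xor eax, eax
            //   66898588faffff       | mov word ptr [ebp - 0x578], ax
            //   8b85a8faffff         | mov eax, dword ptr [ebp - 0x558]
            //   660fbe4008           | movsx ax, byte ptr [eax + 8]
            //   66898584f5ffff       | mov word ptr [ebp - 0xa7c], ax
            //   8b85a8faffff         | mov eax, dword ptr [ebp - 0x558]
            //   660fbe4020           | movsx ax, byte ptr [eax + 0x20]

        $sequence_4 = { e8???????? 59 59 84c0 751e 6810270000 }
            // n = 6, score = 100
            //   e8????????           |
            //   59                   | pop ecx
            //   59                   | pop ecx
            //   84c0                 | test al, al
            //   751e                 | jne 0x20
            //   6810270000           | push 0x2710

        $sequence_5 = { 8a4642 88842456010000 8a4647 88842457010000 8a4646 88842458010000 }
            // n = 6, score = 100
            //   8a4642               | mov al, byte ptr [esi + 0x42]
            //   88842456010000       | mov byte ptr [esp + 0x156], al
            //   8a4647               | mov al, byte ptr [esi + 0x47]
            //   88842457010000       | mov byte ptr [esp + 0x157], al
            //   8a4646               | mov al, byte ptr [esi + 0x46]
            //   88842458010000       | mov byte ptr [esp + 0x158], al

        $sequence_6 = { 8b45f8 8b75f4 83c0f0 50 }
            // n = 4, score = 100
            //   8b45f8               | mov eax, dword ptr [ebp - 8]
            //   8b75f4               | mov esi, dword ptr [ebp - 0xc]
            //   83c0f0               | add eax, -0x10
            //   50                   | push eax

        $sequence_7 = { ff705f 8b45c0 ffb0b7000000 ff75dc }
            // n = 4, score = 100
            //   ff705f               | push dword ptr [eax + 0x5f]
            //   8b45c0               | mov eax, dword ptr [ebp - 0x40]
            //   ffb0b7000000         | push dword ptr [eax + 0xb7]
            //   ff75dc               | push dword ptr [ebp - 0x24]

        $sequence_8 = { 8b45c0 ff705f 8b45c0 ffb09f000000 ff75dc e8???????? 83c40c }
            // n = 7, score = 100
            //   8b45c0               | mov eax, dword ptr [ebp - 0x40]
            //   ff705f               | push dword ptr [eax + 0x5f]
            //   8b45c0               | mov eax, dword ptr [ebp - 0x40]
            //   ffb09f000000         | push dword ptr [eax + 0x9f]
            //   ff75dc               | push dword ptr [ebp - 0x24]
            //   e8????????           |
            //   83c40c               | add esp, 0xc

        $sequence_9 = { 2402 88460e b001 5f 5b }
            // n = 5, score = 100
            //   2402                 | and al, 2
            //   88460e               | mov byte ptr [esi + 0xe], al
            //   b001                 | mov al, 1
            //   5f                   | pop edi
            //   5b                   | pop ebx

        $sequence_10 = { 6880000000 ff7508 8b45f8 ff5073 ff7508 8b45f8 }
            // n = 6, score = 100
            //   6880000000           | push 0x80
            //   ff7508               | push dword ptr [ebp + 8]
            //   8b45f8               | mov eax, dword ptr [ebp - 8]
            //   ff5073               | call dword ptr [eax + 0x73]
            //   ff7508               | push dword ptr [ebp + 8]
            //   8b45f8               | mov eax, dword ptr [ebp - 8]

        $sequence_11 = { 8b45bc 8a4053 8845f7 8b45bc 8a400c 8845f8 }
            // n = 6, score = 100
            //   8b45bc               | mov eax, dword ptr [ebp - 0x44]
            //   8a4053               | mov al, byte ptr [eax + 0x53]
            //   8845f7               | mov byte ptr [ebp - 9], al
            //   8b45bc               | mov eax, dword ptr [ebp - 0x44]
            //   8a400c               | mov al, byte ptr [eax + 0xc]
            //   8845f8               | mov byte ptr [ebp - 8], al

        $sequence_12 = { 57 6800100000 ff75f8 ff75f0 ff9303010000 }
            // n = 5, score = 100
            //   57                   | push edi
            //   6800100000           | push 0x1000
            //   ff75f8               | push dword ptr [ebp - 8]
            //   ff75f0               | push dword ptr [ebp - 0x10]
            //   ff9303010000         | call dword ptr [ebx + 0x103]

        $sequence_13 = { 885de0 8a5823 884de9 8a4839 885de1 8a581d 884dea }
            // n = 7, score = 100
            //   885de0               | mov byte ptr [ebp - 0x20], bl
            //   8a5823               | mov bl, byte ptr [eax + 0x23]
            //   884de9               | mov byte ptr [ebp - 0x17], cl
            //   8a4839               | mov cl, byte ptr [eax + 0x39]
            //   885de1               | mov byte ptr [ebp - 0x1f], bl
            //   8a581d               | mov bl, byte ptr [eax + 0x1d]
            //   884dea               | mov byte ptr [ebp - 0x16], cl

        $sequence_14 = { 8b85a8faffff 660fbe4003 668945ba 8b85a8faffff 660fbe4013 }
            // n = 5, score = 100
            //   8b85a8faffff         | mov eax, dword ptr [ebp - 0x558]
            //   660fbe4003           | movsx ax, byte ptr [eax + 3]
            //   668945ba             | mov word ptr [ebp - 0x46], ax
            //   8b85a8faffff         | mov eax, dword ptr [ebp - 0x558]
            //   660fbe4013           | movsx ax, byte ptr [eax + 0x13]

    condition:
        // At least 7 of the 15 sequences must be present, and the scanned object
        // must be under 32 KiB. The size bound reflects the small unpacked/dumped
        // samples the sequences were extracted from (see DISCLAIMER); any object
        // of 32768 bytes or more will not match even if it contains this code, so
        // apply the rule to unpacked payloads rather than to larger carriers.
        7 of them and filesize < 32768
}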