There is no description at this point.
rule win_conficker_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.conficker." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7502 4a 4a 3c09 740d 2c05 } // n = 6, score = 300 // 7502 | jne 4 // 4a | dec edx // 4a | dec edx // 3c09 | cmp al, 9 // 740d | je 0xf // 2c05 | sub al, 5 $sequence_1 = { 8bd1 81e2ffff0000 40 81fac0a80000 7413 80f90a } // n = 6, score = 300 // 8bd1 | mov edx, ecx // 81e2ffff0000 | and edx, 0xffff // 40 | inc eax // 81fac0a80000 | cmp edx, 0xa8c0 // 7413 | je 0x15 // 80f90a | cmp cl, 0xa $sequence_2 = { ebe4 f60638 75a8 b008 d0ef 1400 } // n = 6, score = 300 // ebe4 | jmp 0xffffffe6 // f60638 | test byte ptr [esi], 0x38 // 75a8 | jne 0xffffffaa // b008 | mov al, 8 // d0ef | shr bh, 1 // 1400 | adc al, 0 $sequence_3 = { 51 51 56 57 ff15???????? 8bf0 ff15???????? } // n = 7, score = 300 // 51 | push ecx // 51 | push ecx // 56 | push esi // 57 | push edi // ff15???????? | // 8bf0 | mov esi, eax // ff15???????? | $sequence_4 = { 47 3b7d10 7cca 5e } // n = 4, score = 300 // 47 | inc edi // 3b7d10 | cmp edi, dword ptr [ebp + 0x10] // 7cca | jl 0xffffffcc // 5e | pop esi $sequence_5 = { 7209 770e 49 79f1 } // n = 4, score = 300 // 7209 | jb 0xb // 770e | ja 0x10 // 49 | dec ecx // 79f1 | jns 0xfffffff3 $sequence_6 = { e8???????? 8bd0 83c410 85d2 0f8c9c000000 } // n = 5, score = 300 // e8???????? | // 8bd0 | mov edx, eax // 83c410 | add esp, 0x10 // 85d2 | test edx, edx // 0f8c9c000000 | jl 0xa2 $sequence_7 = { 894dfc 2175fc d9e0 23cf dec1 8945e8 894dec } // n = 7, score = 300 // 894dfc | mov dword ptr [ebp - 4], ecx // 2175fc | and dword ptr [ebp - 4], esi // d9e0 | fchs // 23cf | and ecx, edi // dec1 | faddp st(1) // 8945e8 | mov dword ptr [ebp - 0x18], eax // 894dec | mov dword ptr [ebp - 0x14], ecx $sequence_8 = { 3c01 74db 81c751000000 3c0a 74d4 8b7d24 } // n = 6, score = 300 // 3c01 | cmp al, 1 // 74db | je 0xffffffdd // 81c751000000 | add edi, 0x51 // 3c0a | cmp al, 0xa // 74d4 | je 0xffffffd6 // 8b7d24 | mov edi, dword ptr [ebp + 0x24] $sequence_9 = { 3b7510 891f 894c9008 7c02 33f6 } // n = 5, score = 300 // 3b7510 | cmp esi, dword ptr [ebp + 0x10] // 891f | mov dword ptr [edi], ebx // 894c9008 | mov dword ptr [eax + edx*4 + 8], ecx // 7c02 | jl 4 // 33f6 | xor esi, esi condition: 7 of them and filesize < 335872 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY