/*
 * Auto-generated detection rule for win.conficker (Malpedia), produced by
 * YARA-Signator v0.6.0 from the disassembly of memory dumps and unpacked
 * samples. Generator code and documentation:
 *   https://github.com/fxb-cocacoding/yara-signator
 *
 * Operator notes:
 *  - Malpedia frequently documents only a single sample per family, so how
 *    well these sequences generalise across the family is unproven; assign
 *    confidence levels with the generation method in mind.
 *  - The byte sequences come from unpacked code. Expect hits on unpacked
 *    binaries and memory dumps, not on packed droppers as found on disk.
 *  - NOTE(review): the condition uses `filesize`, which YARA defines only
 *    when scanning files; on process-memory scans the comparison is
 *    undefined and the rule is not expected to match — confirm against the
 *    YARA version in use.
 *  - `????????` masks the 32-bit operand of `call dword ptr [imm32]`
 *    (opcode ff 15), i.e. the import-table slot address, which varies
 *    between builds and image bases.
 *  - Each sequence carries the generator's `n` (opcode count) and `score`
 *    (its significance estimate) for reference.
 */
rule win_conficker_auto
{
    meta:
        author             = "Felix Bilstein - yara-signator at cocacoding dot com"
        date               = "2020-12-22"
        version            = "1"
        description        = "autogenerated rule brought to you by yara-signator"
        tool               = "yara-signator v0.6.0"
        signator_config    = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker"
        malpedia_rule_date = "20201222"
        malpedia_hash      = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version   = "20201023"
        malpedia_license   = "CC BY-SA 4.0"
        malpedia_sharing   = "TLP:WHITE"

    strings:
        // n = 7, score = 300
        // push [ebp+8]; call [imm32]; pop ecx; pop ecx; test eax,eax; jne short; push [ebp+8]
        $sequence_0 = { ff7508 ff15???????? 59 59 85c0 7511 ff7508 }

        // n = 7, score = 300
        // mov ecx,[eax+4]; push ebx; mov ebx,[eax]; push edi; xor edi,edi; cmp [ebp+0x10],edi; jle short
        $sequence_1 = { 8b4804 53 8b18 57 33ff 397d10 7e38 }

        // n = 6, score = 300
        // repne scasb; popal; jne short; dec edx; dec edx; cmp al,9
        $sequence_2 = { f2ae 61 7502 4a 4a 3c09 }

        // n = 5, score = 300
        // jne short; push 0x3e8; call [imm32]; inc esi; cmp esi,0x14
        $sequence_3 = { 7513 68e8030000 ff15???????? 46 83fe14 }

        // n = 4, score = 300
        // fchs; faddp st(1),st; fadd qword [ebp-0x20]; fmul qword [ebp-0x10]
        $sequence_4 = { d9e0 dec1 dc45e0 dc4df0 }

        // n = 6, score = 300
        // mov al,[edi-1]; and al,0xf; cmp al,0xc; jne short; pop edx; not edx
        $sequence_5 = { 8a47ff 240f 3c0c 7503 5a f7d2 }

        // n = 6, score = 300
        // and [ebp-4],esi; fild qword [ebp-8]; and dword [ebp-8],0; mov [ebp-4],ecx; and [ebp-4],esi; fchs
        $sequence_6 = { 2175fc df6df8 8365f800 894dfc 2175fc d9e0 }

        // n = 5, score = 300
        // inc dword [ebp+8]; cmp dword [ebp+8],0x100; jl short (backward); pop edi; pop esi
        $sequence_7 = { ff4508 817d0800010000 7ccc 5f 5e }

        // n = 5, score = 300
        // mov al,0x67; repne scasb; popal; jne short; sub dl,3
        $sequence_8 = { b067 f2ae 61 7509 80ea03 }

        // n = 5, score = 300
        // mov esi,[esp+8]; mov edx,eax; shr edx,5; mov edx,[esi+edx*4]; mov ecx,eax
        $sequence_9 = { 8b742408 8bd0 c1ea05 8b1496 8bc8 }

    condition:
        // At least 7 of the 10 sequences must be present; 328KB == 335872 bytes.
        7 of ($sequence_*) and filesize < 328KB
}