There is no description at this point.
/*
 * Code-sequence signature for win.confucius, produced by yara-signator (see meta).
 *
 * How to read it: every $sequence_N is a short run of x86 opcode bytes taken
 * from disassembly of the documented sample. The "??" wildcards stand for
 * operand bytes that are expected to differ between builds (call/jump targets
 * and data references, per signator_config), so a hit requires only the opcode
 * skeleton, not exact addresses. The trailing comments give the decoded
 * instruction for each opcode group so an analyst can judge what a hit means.
 *
 * The condition needs 7 of the 16 sequences AND filesize < 598016; a file
 * above that size will not match no matter how many sequences are present,
 * which is worth remembering when a scan of a large dump or padded binary
 * comes back negative.
 */
rule win_confucius_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.confucius."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 7, score = 100
        // compare chain on eax (0x191 / 0x12c) with a byte flag at [edi+0x12a]
        $sequence_0 = { 7434 3d91010000 7411 8a8f2a010000 84c9 7423 3d2c010000 }
            // 7434             | je 0x36
            // 3d91010000       | cmp eax, 0x191
            // 7411             | je 0x13
            // 8a8f2a010000     | mov cl, byte ptr [edi + 0x12a]
            // 84c9             | test cl, cl
            // 7423             | je 0x25
            // 3d2c010000       | cmp eax, 0x12c

        // n = 7, score = 100
        $sequence_1 = { 50 e9???????? 8bb424cc020000 6a00 85f6 0f95c1 41 }
            // 50               | push eax
            // e9????????       | (jmp, target wildcarded)
            // 8bb424cc020000   | mov esi, dword ptr [esp + 0x2cc]
            // 6a00             | push 0
            // 85f6             | test esi, esi
            // 0f95c1           | setne cl
            // 41               | inc ecx

        // n = 7, score = 100
        $sequence_2 = { 83c404 85c0 0f85c4feffff 8b7c2414 8b4c2420 0fbe01 83c0bb }
            // 83c404           | add esp, 4
            // 85c0             | test eax, eax
            // 0f85c4feffff     | jne 0xfffffeca
            // 8b7c2414         | mov edi, dword ptr [esp + 0x14]
            // 8b4c2420         | mov ecx, dword ptr [esp + 0x20]
            // 0fbe01           | movsx eax, byte ptr [ecx]
            // 83c0bb           | add eax, -0x45

        // n = 7, score = 100
        $sequence_3 = { 83c444 8d442444 50 e8???????? 50 68???????? 8d4c2414 }
            // 83c444           | add esp, 0x44
            // 8d442444         | lea eax, [esp + 0x44]
            // 50               | push eax
            // e8????????       | (call, target wildcarded)
            // 50               | push eax
            // 68????????       | (push imm32, value wildcarded)
            // 8d4c2414         | lea ecx, [esp + 0x14]

        // n = 7, score = 100
        $sequence_4 = { c1eb05 8945e4 2bf7 eb3e 8305????????ff 8315????????ff 781b }
            // c1eb05           | shr ebx, 5
            // 8945e4           | mov dword ptr [ebp - 0x1c], eax
            // 2bf7             | sub esi, edi
            // eb3e             | jmp 0x40
            // 8305????????ff   | (add dword ptr [mem], -1; address wildcarded)
            // 8315????????ff   | (adc dword ptr [mem], -1; address wildcarded)
            // 781b             | js 0x1d

        // n = 7, score = 100
        $sequence_5 = { 53 56 bf???????? e8???????? 83c408 85c0 7570 }
            // 53               | push ebx
            // 56               | push esi
            // bf????????       | (mov edi, imm32; value wildcarded)
            // e8????????       | (call, target wildcarded)
            // 83c408           | add esp, 8
            // 85c0             | test eax, eax
            // 7570             | jne 0x72

        // n = 7, score = 100
        $sequence_6 = { 2905???????? 1915???????? e9???????? 55 6800200000 56 57 }
            // 2905????????     | (sub dword ptr [mem], eax; address wildcarded)
            // 1915????????     | (sbb dword ptr [mem], edx; address wildcarded)
            // e9????????       | (jmp, target wildcarded)
            // 55               | push ebp
            // 6800200000       | push 0x2000
            // 56               | push esi
            // 57               | push edi

        // n = 7, score = 100
        $sequence_7 = { 7409 8d45f4 50 e8???????? 807d0f00 740b 8d45e4 }
            // 7409             | je 0xb
            // 8d45f4           | lea eax, [ebp - 0xc]
            // 50               | push eax
            // e8????????       | (call, target wildcarded)
            // 807d0f00         | cmp byte ptr [ebp + 0xf], 0
            // 740b             | je 0xd
            // 8d45e4           | lea eax, [ebp - 0x1c]

        // n = 7, score = 100
        $sequence_8 = { 51 e8???????? 68???????? c7874001000000000000 55 c6851885000001 e8???????? }
            // 51                   | push ecx
            // e8????????           | (call, target wildcarded)
            // 68????????           | (push imm32, value wildcarded)
            // c7874001000000000000 | mov dword ptr [edi + 0x140], 0
            // 55                   | push ebp
            // c6851885000001       | mov byte ptr [ebp + 0x8518], 1
            // e8????????           | (call, target wildcarded)

        // n = 7, score = 100
        $sequence_9 = { a2???????? 8a45d6 a2???????? 8a45d7 a2???????? 56 8d45d8 }
            // a2????????       | (mov byte ptr [mem], al; address wildcarded)
            // 8a45d6           | mov al, byte ptr [ebp - 0x2a]
            // a2????????       | (mov byte ptr [mem], al; address wildcarded)
            // 8a45d7           | mov al, byte ptr [ebp - 0x29]
            // a2????????       | (mov byte ptr [mem], al; address wildcarded)
            // 56               | push esi
            // 8d45d8           | lea eax, [ebp - 0x28]

        // n = 7, score = 100
        $sequence_10 = { 6a01 ff10 8325????????00 e8???????? a1???????? 8b38 033d???????? }
            // 6a01             | push 1
            // ff10             | call dword ptr [eax]
            // 8325????????00   | (and dword ptr [mem], 0; address wildcarded)
            // e8????????       | (call, target wildcarded)
            // a1????????       | (mov eax, dword ptr [mem]; address wildcarded)
            // 8b38             | mov edi, dword ptr [eax]
            // 033d????????     | (add edi, dword ptr [mem]; address wildcarded)

        // n = 7, score = 100
        // inline strlen idiom: or ecx,-1 / repne scasb / not ecx
        $sequence_11 = { 49 83f907 0f8685000000 8bfd 83c9ff f2ae f7d1 }
            // 49               | dec ecx
            // 83f907           | cmp ecx, 7
            // 0f8685000000     | jbe 0x8b
            // 8bfd             | mov edi, ebp
            // 83c9ff           | or ecx, 0xffffffff
            // f2ae             | repne scasb al, byte ptr es:[edi]
            // f7d1             | not ecx

        // n = 7, score = 100
        $sequence_12 = { 3bc8 0f8500010000 8b866c850000 3bc2 0f85f2000000 6a05 56 }
            // 3bc8             | cmp ecx, eax
            // 0f8500010000     | jne 0x106
            // 8b866c850000     | mov eax, dword ptr [esi + 0x856c]
            // 3bc2             | cmp eax, edx
            // 0f85f2000000     | jne 0xf8
            // 6a05             | push 5
            // 56               | push esi

        // n = 7, score = 100
        $sequence_13 = { 663b4548 1bdb 83e346 83c30b eb2a 3bfe 7509 }
            // 663b4548         | cmp ax, word ptr [ebp + 0x48]
            // 1bdb             | sbb ebx, ebx
            // 83e346           | and ebx, 0x46
            // 83c30b           | add ebx, 0xb
            // eb2a             | jmp 0x2c
            // 3bfe             | cmp edi, esi
            // 7509             | jne 0xb

        // n = 7, score = 100
        $sequence_14 = { 750c c705????????581b0000 eb15 33c0 384508 0f94c0 48 }
            // 750c                 | jne 0xe
            // c705????????581b0000 | (mov dword ptr [mem], 0x1b58; address wildcarded)
            // eb15                 | jmp 0x17
            // 33c0                 | xor eax, eax
            // 384508               | cmp byte ptr [ebp + 8], al
            // 0f94c0               | sete al
            // 48                   | dec eax

        // n = 7, score = 100
        // function epilogue/prologue boundary: ret 4 followed by a 0x808-byte frame
        $sequence_15 = { c20400 55 8bec 81ec08080000 53 33db 381d???????? }
            // c20400           | ret 4
            // 55               | push ebp
            // 8bec             | mov ebp, esp
            // 81ec08080000     | sub esp, 0x808
            // 53               | push ebx
            // 33db             | xor ebx, ebx
            // 381d????????     | (cmp byte ptr [mem], bl; address wildcarded)

    condition:
        // any 7 of the 16 opcode sequences, and only for files under 598016 bytes
        7 of them and filesize < 598016
}