Actor(s): Tick
There is no description at this point.
rule win_daserf_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.daserf." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8945cc ff15???????? 8945d0 8d45b4 } // n = 4, score = 100 // 8945cc | mov dword ptr [ebp - 0x34], eax // ff15???????? | // 8945d0 | mov dword ptr [ebp - 0x30], eax // 8d45b4 | lea eax, [ebp - 0x4c] $sequence_1 = { b808380000 e8???????? 53 56 } // n = 4, score = 100 // b808380000 | mov eax, 0x3808 // e8???????? | // 53 | push ebx // 56 | push esi $sequence_2 = { 81eb7ee5b031 81c30d782341 81c3db5d1091 81eb73ad763b 054ce1128c 81c3cc3c3014 } // n = 6, score = 100 // 81eb7ee5b031 | sub ebx, 0x31b0e57e // 81c30d782341 | add ebx, 0x4123780d // 81c3db5d1091 | add ebx, 0x91105ddb // 81eb73ad763b | sub ebx, 0x3b76ad73 // 054ce1128c | add eax, 0x8c12e14c // 81c3cc3c3014 | add ebx, 0x14303ccc $sequence_3 = { 81c3ad482863 81eb8c570d21 2d21583cc4 2da932ed1b 81c3f8ff2857 81eb46159323 } // n = 6, score = 100 // 81c3ad482863 | add ebx, 0x632848ad // 81eb8c570d21 | sub ebx, 0x210d578c // 2d21583cc4 | sub eax, 0xc43c5821 // 2da932ed1b | sub eax, 0x1bed32a9 // 81c3f8ff2857 | add ebx, 0x5728fff8 // 81eb46159323 | sub ebx, 0x23931546 $sequence_4 = { 81eb4e0e3377 87c0 81ebfb04024c 87ff 2dfaa67876 } // n = 5, score = 100 // 81eb4e0e3377 | sub ebx, 0x77330e4e // 87c0 | xchg eax, eax // 81ebfb04024c | sub ebx, 0x4c0204fb // 87ff | xchg edi, edi // 2dfaa67876 | sub eax, 0x7678a6fa $sequence_5 = { 81c394c7d041 81eb6afed62a 81c3bed1834b 81eb826387e9 81c3d7e98170 2d844df6b2 } // n = 6, score = 100 // 81c394c7d041 | add ebx, 0x41d0c794 // 81eb6afed62a | sub ebx, 0x2ad6fe6a // 81c3bed1834b | add ebx, 0x4b83d1be // 81eb826387e9 | sub ebx, 0xe9876382 // 81c3d7e98170 | add ebx, 0x7081e9d7 // 2d844df6b2 | sub eax, 0xb2f64d84 $sequence_6 = { 50 ffd6 ffb56814ffff 8d85bc4fffff 50 } // n = 5, score = 100 // 50 | push eax // ffd6 | call esi // ffb56814ffff | push dword ptr [ebp - 0xeb98] // 8d85bc4fffff | lea eax, [ebp - 0xb044] // 50 | push eax $sequence_7 = { 2d4936916d f7d1 f7d1 2d99d06187 f7d1 f7d1 } // n = 6, score = 100 // 2d4936916d | sub eax, 0x6d913649 // f7d1 | not ecx // f7d1 | not ecx // 2d99d06187 | sub eax, 0x8761d099 // f7d1 | not ecx // f7d1 | not ecx $sequence_8 = { 8bc9 81c3c9920a05 95 89ac2400f2ffff } // n = 4, score = 100 // 8bc9 | mov ecx, ecx // 81c3c9920a05 | add ebx, 0x50a92c9 // 95 | xchg eax, ebp // 89ac2400f2ffff | mov dword ptr [esp - 0xe00], ebp $sequence_9 = { 7500 81c3e109e0f6 8bc0 0537d68276 9b 81c38da225f6 87c9 } // n = 7, score = 100 // 7500 | jne 2 // 81c3e109e0f6 | add ebx, 0xf6e009e1 // 8bc0 | mov eax, eax // 0537d68276 | add eax, 0x7682d637 // 9b | wait // 81c38da225f6 | add ebx, 0xf625a28d // 87c9 | xchg ecx, ecx $sequence_10 = { eb0e ff75fc ffd7 3bf3 7403 56 } // n = 6, score = 100 // eb0e | jmp 0x10 // ff75fc | push dword ptr [ebp - 4] // ffd7 | call edi // 3bf3 | cmp esi, ebx // 7403 | je 5 // 56 | push esi $sequence_11 = { 81c327f27a10 7500 81ebc884a519 7500 81eb3a0de80d 87db 81c3b119330a } // n = 7, score = 100 // 81c327f27a10 | add ebx, 0x107af227 // 7500 | jne 2 // 81ebc884a519 | sub ebx, 0x19a584c8 // 7500 | jne 2 // 81eb3a0de80d | sub ebx, 0xde80d3a // 87db | xchg ebx, ebx // 81c3b119330a | add ebx, 0xa3319b1 $sequence_12 = { 2d4abc1884 90 2dea9bf526 7500 } // n = 4, score = 100 // 2d4abc1884 | sub eax, 0x8418bc4a // 90 | nop // 2dea9bf526 | sub eax, 0x26f59bea // 7500 | jne 2 $sequence_13 = { 81ebf74ea63a f7d1 f7d1 81eb199760ae 9b } // n = 5, score = 100 // 81ebf74ea63a | sub ebx, 0x3aa64ef7 // f7d1 | not ecx // f7d1 | not ecx // 81eb199760ae | sub ebx, 0xae609719 // 9b | wait $sequence_14 = { 2d966cdd4c 2d81c26ac5 81c32b73f252 81c32bef6e96 81c3b4dacce0 } // n = 5, score = 100 // 2d966cdd4c | sub eax, 0x4cdd6c96 // 2d81c26ac5 | sub eax, 0xc56ac281 // 81c32b73f252 | add ebx, 0x52f2732b // 81c32bef6e96 | add ebx, 0x966eef2b // 81c3b4dacce0 | add ebx, 0xe0ccdab4 $sequence_15 = { 81eb075e2ddb 9b 81c35a11e727 97 89bc2440f5ffff } // n = 5, score = 100 // 81eb075e2ddb | sub ebx, 0xdb2d5e07 // 9b | wait // 81c35a11e727 | add ebx, 0x27e7115a // 97 | xchg eax, edi // 89bc2440f5ffff | mov dword ptr [esp - 0xac0], edi condition: 7 of them and filesize < 245760 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY