Actor(s): Tick
There is no description at this point.
// Autogenerated YARA-Signator rule for the win.daserf family (Malpedia).
// Each $sequence_N is an opcode byte pattern lifted from one disassembled
// sample; the trailing comments give the disassembly of each byte group and
// the signator's n (number of instructions) and score for that sequence.
// NOTE(review): sequences 1-5, 7-9 and 13-15 are runs of add/sub with large
// immediates on eax/ebx interleaved with self-moves (mov ebx, ebx; xchg edx, edx;
// jne 2), which looks like junk-code obfuscation — the immediates are likely
// sample-specific, so expect limited generalization across other builds (see
// the disclaimer below); confirm on additional samples before raising confidence.
rule win_daserf_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.daserf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // ???????? wildcards mask relocated immediates/addresses (push imm32,
        // mov esi, [imm32], call [imm32], jmp rel32) that differ per build.
        $sequence_0 = { 68???????? 8d85dccfffff 50 8b35???????? ffd6 }
            // n = 5, score = 100
            //   68????????           |
            //   8d85dccfffff         | lea                 eax, [ebp - 0x3024]
            //   50                   | push                eax
            //   8b35????????         |
            //   ffd6                 | call                esi

        $sequence_1 = { 8b842440f3ffff 81c333498833 8bdb 81c3ff14e0af 7500 81c37ba0afab f7d7 }
            // n = 7, score = 100
            //   8b842440f3ffff       | mov                 eax, dword ptr [esp - 0xcc0]
            //   81c333498833         | add                 ebx, 0x33884933
            //   8bdb                 | mov                 ebx, ebx
            //   81c3ff14e0af         | add                 ebx, 0xafe014ff
            //   7500                 | jne                 2
            //   81c37ba0afab         | add                 ebx, 0xabafa07b
            //   f7d7                 | not                 edi

        $sequence_2 = { 899c2420f4ffff 8bd8 8b842420f4ffff 81c388f110b7 8bc0 }
            // n = 5, score = 100
            //   899c2420f4ffff       | mov                 dword ptr [esp - 0xbe0], ebx
            //   8bd8                 | mov                 ebx, eax
            //   8b842420f4ffff       | mov                 eax, dword ptr [esp - 0xbe0]
            //   81c388f110b7         | add                 ebx, 0xb710f188
            //   8bc0                 | mov                 eax, eax

        $sequence_3 = { 057b491060 81ebbd9a8d1d 81ebe03c5af4 81eb47b5cea5 81eb53f193e1 }
            // n = 5, score = 100
            //   057b491060           | add                 eax, 0x6010497b
            //   81ebbd9a8d1d         | sub                 ebx, 0x1d8d9abd
            //   81ebe03c5af4         | sub                 ebx, 0xf45a3ce0
            //   81eb47b5cea5         | sub                 ebx, 0xa5ceb547
            //   81eb53f193e1         | sub                 ebx, 0xe193f153

        $sequence_4 = { e9???????? 2dc9036315 e9???????? 81ebe6c71481 87d2 2d5f3afb49 }
            // n = 6, score = 100
            //   e9????????           |
            //   2dc9036315           | sub                 eax, 0x156303c9
            //   e9????????           |
            //   81ebe6c71481         | sub                 ebx, 0x8114c7e6
            //   87d2                 | xchg                edx, edx
            //   2d5f3afb49           | sub                 eax, 0x49fb3a5f

        $sequence_5 = { 81c3cc3c3014 81ebf5cf155e 2da3aa429d 81c3ee310d48 }
            // n = 4, score = 100
            //   81c3cc3c3014         | add                 ebx, 0x14303ccc
            //   81ebf5cf155e         | sub                 ebx, 0x5e15cff5
            //   2da3aa429d           | sub                 eax, 0x9d42aaa3
            //   81c3ee310d48         | add                 ebx, 0x480d31ee

        $sequence_6 = { 8d45fc 90 6a00 95 89ac2400f2ffff 8be8 8b842400f2ffff }
            // n = 7, score = 100
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   90                   | nop
            //   6a00                 | push                0
            //   95                   | xchg                eax, ebp
            //   89ac2400f2ffff       | mov                 dword ptr [esp - 0xe00], ebp
            //   8be8                 | mov                 ebp, eax
            //   8b842400f2ffff       | mov                 eax, dword ptr [esp - 0xe00]

        $sequence_7 = { f7d1 81eb6a892938 8d00 2deadbabc4 9b 0517d5bc9d }
            // n = 6, score = 100
            //   f7d1                 | not                 ecx
            //   81eb6a892938         | sub                 ebx, 0x3829896a
            //   8d00                 | lea                 eax, [eax]
            //   2deadbabc4           | sub                 eax, 0xc4abdbea
            //   9b                   | wait
            //   0517d5bc9d           | add                 eax, 0x9dbcd517

        $sequence_8 = { 8b842430f1ffff 81c389eaec01 7500 81eb58d4b1b9 8bc9 }
            // n = 5, score = 100
            //   8b842430f1ffff       | mov                 eax, dword ptr [esp - 0xed0]
            //   81c389eaec01         | add                 ebx, 0x1ecea89
            //   7500                 | jne                 2
            //   81eb58d4b1b9         | sub                 ebx, 0xb9b1d458
            //   8bc9                 | mov                 ecx, ecx

        $sequence_9 = { 81eb76322a2c 2d31853faa 81eb62173d6e 2da24df472 81ebbaa457d6 81c3161ade8a }
            // n = 6, score = 100
            //   81eb76322a2c         | sub                 ebx, 0x2c2a3276
            //   2d31853faa           | sub                 eax, 0xaa3f8531
            //   81eb62173d6e         | sub                 ebx, 0x6e3d1762
            //   2da24df472           | sub                 eax, 0x72f44da2
            //   81ebbaa457d6         | sub                 ebx, 0xd657a4ba
            //   81c3161ade8a         | add                 ebx, 0x8ade1a16

        $sequence_10 = { 8945e0 8d8568efffff 50 ffd7 8d8568efffff 68???????? }
            // n = 6, score = 100
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d8568efffff         | lea                 eax, [ebp - 0x1098]
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d8568efffff         | lea                 eax, [ebp - 0x1098]
            //   68????????           |

        $sequence_11 = { 53 51 50 ff75fc 56 ff15???????? }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   56                   | push                esi
            //   ff15????????         |

        $sequence_12 = { 50 7542 68???????? eb40 8d45ec }
            // n = 5, score = 100
            //   50                   | push                eax
            //   7542                 | jne                 0x44
            //   68????????           |
            //   eb40                 | jmp                 0x42
            //   8d45ec               | lea                 eax, [ebp - 0x14]

        $sequence_13 = { 8d36 053a51eeaa f7d3 f7d3 81c3829a7887 }
            // n = 5, score = 100
            //   8d36                 | lea                 esi, [esi]
            //   053a51eeaa           | add                 eax, 0xaaee513a
            //   f7d3                 | not                 ebx
            //   f7d3                 | not                 ebx
            //   81c3829a7887         | add                 ebx, 0x87789a82

        $sequence_14 = { 81c3ec0e650c 05442ce0e8 052ef19f14 2dec0a99d5 81c3727fae60 053106bd10 }
            // n = 6, score = 100
            //   81c3ec0e650c         | add                 ebx, 0xc650eec
            //   05442ce0e8           | add                 eax, 0xe8e02c44
            //   052ef19f14           | add                 eax, 0x149ff12e
            //   2dec0a99d5           | sub                 eax, 0xd5990aec
            //   81c3727fae60         | add                 ebx, 0x60ae7f72
            //   053106bd10           | add                 eax, 0x10bd0631

        $sequence_15 = { 899c2420f5ffff 8bd8 8b842420f5ffff 2d791619bf 7500 81eb260de893 95 }
            // n = 7, score = 100
            //   899c2420f5ffff       | mov                 dword ptr [esp - 0xae0], ebx
            //   8bd8                 | mov                 ebx, eax
            //   8b842420f5ffff       | mov                 eax, dword ptr [esp - 0xae0]
            //   2d791619bf           | sub                 eax, 0xbf191679
            //   7500                 | jne                 2
            //   81eb260de893         | sub                 ebx, 0x93e80d26
            //   95                   | xchg                eax, ebp

    condition:
        // Match when at least 7 of the 16 sequences are present and the
        // scanned object is under 245760 bytes (240 KiB).
        // NOTE(review): the filesize bound only makes sense for file scans;
        // when YARA scans process memory, filesize is undefined and the
        // conjunction cannot be satisfied — confirm for the deployment
        // (memory-scanning use cases) whether this bound should stay.
        7 of them and filesize < 245760
}