Actor(s): Tick
There is no description at this point.
rule win_daserf_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 05a7219db8 0553dccba5 81eb1263da55 81eb5352c6d6 2d40306f35 2d006acb4b 81c31939738c } // n = 7, score = 100 // 05a7219db8 | add eax, 0xb89d21a7 // 0553dccba5 | add eax, 0xa5cbdc53 // 81eb1263da55 | sub ebx, 0x55da6312 // 81eb5352c6d6 | sub ebx, 0xd6c65253 // 2d40306f35 | sub eax, 0x356f3040 // 2d006acb4b | sub eax, 0x4bcb6a00 // 81c31939738c | add ebx, 0x8c733919 $sequence_1 = { 2dc037d40f 050816e86d 2da352f187 81ebea7db77f } // n = 4, score = 100 // 2dc037d40f | sub eax, 0xfd437c0 // 050816e86d | add eax, 0x6de81608 // 2da352f187 | sub eax, 0x87f152a3 // 81ebea7db77f | sub ebx, 0x7fb77dea $sequence_2 = { 05c1bdf63c 2dd0891176 2df36ad2d7 0528f19584 052e6d711c 81c3b333bd49 } // n = 6, score = 100 // 05c1bdf63c | add eax, 0x3cf6bdc1 // 2dd0891176 | sub eax, 0x761189d0 // 2df36ad2d7 | sub eax, 0xd7d26af3 // 0528f19584 | add eax, 0x8495f128 // 052e6d711c | add eax, 0x1c716d2e // 81c3b333bd49 | add ebx, 0x49bd33b3 $sequence_3 = { 81c37508bc5f 8d36 05f0e03df5 f7d1 f7d1 81c36003e51c 9b } // n = 7, score = 100 // 81c37508bc5f | add ebx, 0x5fbc0875 // 8d36 | lea esi, [esi] // 05f0e03df5 | add eax, 0xf53de0f0 // f7d1 | not ecx // f7d1 | not ecx // 81c36003e51c | add ebx, 0x1ce50360 // 9b | wait $sequence_4 = { 81c3d6659b48 81eb3e24cc02 05bb9b4196 81eb944686e1 81eb84d90d01 } // n = 5, score = 100 // 81c3d6659b48 | add ebx, 0x489b65d6 // 81eb3e24cc02 | sub ebx, 0x2cc243e // 05bb9b4196 | add eax, 0x96419bbb // 81eb944686e1 | sub ebx, 0xe1864694 // 81eb84d90d01 | sub ebx, 0x10dd984 $sequence_5 = { 81c36e29911f 2da46f1d75 2de4acc3a1 81eb8e1bdfee 05ba268e1d } // n = 5, score = 100 // 81c36e29911f | add ebx, 0x1f91296e // 2da46f1d75 | sub eax, 0x751d6fa4 // 2de4acc3a1 | sub eax, 0xa1c3ace4 // 81eb8e1bdfee | sub ebx, 0xeedf1b8e // 05ba268e1d | add eax, 0x1d8e26ba $sequence_6 = { ff15???????? 3d00001800 7f52 8d4df8 } // n = 4, score = 100 // ff15???????? | // 3d00001800 | cmp eax, 0x180000 // 7f52 | jg 0x54 // 8d4df8 | lea ecx, [ebp - 8] $sequence_7 = { 05e62902ad f7d7 f7d7 81c359659207 9b 052b6840f2 9b } // n = 7, score = 100 // 05e62902ad | add eax, 0xad0229e6 // f7d7 | not edi // f7d7 | not edi // 81c359659207 | add ebx, 0x7926559 // 9b | wait // 052b6840f2 | add eax, 0xf240682b // 9b | wait $sequence_8 = { 054d03130d 8d09 81eb7264b6b3 8bf6 81c3696ebfab 8d1b } // n = 6, score = 100 // 054d03130d | add eax, 0xd13034d // 8d09 | lea ecx, [ecx] // 81eb7264b6b3 | sub ebx, 0xb3b66472 // 8bf6 | mov esi, esi // 81c3696ebfab | add ebx, 0xabbf6e69 // 8d1b | lea ebx, [ebx] $sequence_9 = { 91 898c2420f5ffff 8bc8 8b842420f5ffff 81eb46692dd4 90 } // n = 6, score = 100 // 91 | xchg eax, ecx // 898c2420f5ffff | mov dword ptr [esp - 0xae0], ecx // 8bc8 | mov ecx, eax // 8b842420f5ffff | mov eax, dword ptr [esp - 0xae0] // 81eb46692dd4 | sub ebx, 0xd42d6946 // 90 | nop $sequence_10 = { 81c33a0c7b7f 81c3b996ec35 2d4de4cd72 2d607c1f45 } // n = 4, score = 100 // 81c33a0c7b7f | add ebx, 0x7f7b0c3a // 81c3b996ec35 | add ebx, 0x35ec96b9 // 2d4de4cd72 | sub eax, 0x72cde44d // 2d607c1f45 | sub eax, 0x451f7c60 $sequence_11 = { f7d6 f7d6 2d3eaa1f60 90 2db8cf538f 8bc0 } // n = 6, score = 100 // f7d6 | not esi // f7d6 | not esi // 2d3eaa1f60 | sub eax, 0x601faa3e // 90 | nop // 2db8cf538f | sub eax, 0x8f53cfb8 // 8bc0 | mov eax, eax $sequence_12 = { 0508b0600b 90 89842440f5ffff 8bc0 8b842440f5ffff 0552185fbf } // n = 6, score = 100 // 0508b0600b | add eax, 0xb60b008 // 90 | nop // 89842440f5ffff | mov dword ptr [esp - 0xac0], eax // 8bc0 | mov eax, eax // 8b842440f5ffff | mov eax, dword ptr [esp - 0xac0] // 0552185fbf | add eax, 0xbf5f1852 $sequence_13 = { 56 8b35???????? 83c007 57 } // n = 4, score = 100 // 56 | push esi // 8b35???????? | // 83c007 | add eax, 7 // 57 | push edi $sequence_14 = { 8d3f 05309b0a52 90 81c3285861b0 9b 81eb78f231ca 8bd2 } // n = 7, score = 100 // 8d3f | lea edi, [edi] // 05309b0a52 | add eax, 0x520a9b30 // 90 | nop // 81c3285861b0 | add ebx, 0xb0615828 // 9b | wait // 81eb78f231ca | sub ebx, 0xca31f278 // 8bd2 | mov edx, edx $sequence_15 = { ff15???????? f7d5 f7d5 8b35???????? } // n = 4, score = 100 // ff15???????? | // f7d5 | not ebp // f7d5 | not ebp // 8b35???????? | condition: 7 of them and filesize < 245760 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY