Actor(s): Tick
There is no description at this point.
// Auto-generated YARA rule for the win.daserf family (see meta below).
//
// Matching logic (condition):
//   - at least 7 of the 16 $sequence_* byte patterns must be present, AND
//   - the scanned file must be smaller than 245760 bytes (240 KiB).
// Both parts are required: a file of 240 KiB or more never matches, however
// many sequences it contains. Each sequence is a run of raw x86 opcode bytes
// taken from disassembly; the comment under each string is the generator's
// disassembly of those bytes (`n` = instruction count, `score` = generator
// score).
//
// `??` inside a hex string is a wildcard byte. In $sequence_4 and $sequence_6
// the four masked bytes follow an `ff15` opcode, which appears to be the
// 32-bit memory operand of an indirect call (it varies between builds and
// relocations), which is why the disassembly column for that line is blank.
//
// NOTE(review): per the disassembly comments, several sequences ($sequence_1,
// $sequence_5, $sequence_7, $sequence_12, $sequence_14, $sequence_15) consist
// only of add/sub with 32-bit immediates on eax/ebx; these look like arithmetic
// obfuscation idioms rather than functional code. The 7-of-16 threshold is
// what keeps a single such run matching elsewhere from firing the rule — keep
// that in mind when assigning this rule a confidence level, as the disclaimer
// below suggests.
rule win_daserf_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.daserf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 7500 2d154962a4 95 89ac2430f2ffff 8be8 8b842430f2ffff }
            // n = 6, score = 100
            //   7500                 | jne                 2
            //   2d154962a4           | sub                 eax, 0xa4624915
            //   95                   | xchg                eax, ebp
            //   89ac2430f2ffff       | mov                 dword ptr [esp - 0xdd0], ebp
            //   8be8                 | mov                 ebp, eax
            //   8b842430f2ffff       | mov                 eax, dword ptr [esp - 0xdd0]

        $sequence_1 = { 81c3d87a3f7e 0586910127 2db7c3ee06 81c39d395c6e }
            // n = 4, score = 100
            //   81c3d87a3f7e         | add                 ebx, 0x7e3f7ad8
            //   0586910127           | add                 eax, 0x27019186
            //   2db7c3ee06           | sub                 eax, 0x6eec3b7
            //   81c39d395c6e         | add                 ebx, 0x6e5c399d

        $sequence_2 = { 7500 0595e368fc 8d36 2dc2dc79d5 7500 81c3eb04d00c }
            // n = 6, score = 100
            //   7500                 | jne                 2
            //   0595e368fc           | add                 eax, 0xfc68e395
            //   8d36                 | lea                 esi, dword ptr [esi]
            //   2dc2dc79d5           | sub                 eax, 0xd579dcc2
            //   7500                 | jne                 2
            //   81c3eb04d00c         | add                 ebx, 0xcd004eb

        $sequence_3 = { 90 81ebf77f1144 87d2 81ebc71c2462 87db 05e5932334 }
            // n = 6, score = 100
            //   90                   | nop
            //   81ebf77f1144         | sub                 ebx, 0x44117ff7
            //   87d2                 | xchg                edx, edx
            //   81ebc71c2462         | sub                 ebx, 0x62241cc7
            //   87db                 | xchg                ebx, ebx
            //   05e5932334           | add                 eax, 0x342393e5

        $sequence_4 = { 53 56 57 ff15???????? 3d00000080 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     (masked operand, see header comment)
            //   3d00000080           | cmp                 eax, 0x80000000

        $sequence_5 = { 81c388af7ac1 05f1beaa82 2d4f137ccd 81c31d26a495 }
            // n = 4, score = 100
            //   81c388af7ac1         | add                 ebx, 0xc17aaf88
            //   05f1beaa82           | add                 eax, 0x82aabef1
            //   2d4f137ccd           | sub                 eax, 0xcd7c134f
            //   81c31d26a495         | add                 ebx, 0x95a4261d

        $sequence_6 = { 50 50 6800000080 ff74241c ff15???????? c3 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   50                   | push                eax
            //   6800000080           | push                0x80000000
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   ff15????????         |                     (masked operand, see header comment)
            //   c3                   | ret

        $sequence_7 = { 054680354f 2d3e1ec12c 81c388627057 05463631a1 }
            // n = 4, score = 100
            //   054680354f           | add                 eax, 0x4f358046
            //   2d3e1ec12c           | sub                 eax, 0x2cc11e3e
            //   81c388627057         | add                 ebx, 0x57706288
            //   05463631a1           | add                 eax, 0xa1313646

        $sequence_8 = { f7d3 f7d3 81c3829a7887 87d2 81eb1e51eab2 f7d7 f7d7 }
            // n = 7, score = 100
            //   f7d3                 | not                 ebx
            //   f7d3                 | not                 ebx
            //   81c3829a7887         | add                 ebx, 0x87789a82
            //   87d2                 | xchg                edx, edx
            //   81eb1e51eab2         | sub                 ebx, 0xb2ea511e
            //   f7d7                 | not                 edi
            //   f7d7                 | not                 edi

        $sequence_9 = { 81ebdcf287d2 90 81c3a28c0de9 97 89bc2400f5ffff }
            // n = 5, score = 100
            //   81ebdcf287d2         | sub                 ebx, 0xd287f2dc
            //   90                   | nop
            //   81c3a28c0de9         | add                 ebx, 0xe90d8ca2
            //   97                   | xchg                eax, edi
            //   89bc2400f5ffff       | mov                 dword ptr [esp - 0xb00], edi

        $sequence_10 = { 81ebec042db6 7500 2d0b2f7aee f7d3 f7d3 81eb01863580 7500 }
            // n = 7, score = 100
            //   81ebec042db6         | sub                 ebx, 0xb62d04ec
            //   7500                 | jne                 2
            //   2d0b2f7aee           | sub                 eax, 0xee7a2f0b
            //   f7d3                 | not                 ebx
            //   f7d3                 | not                 ebx
            //   81eb01863580         | sub                 ebx, 0x80358601
            //   7500                 | jne                 2

        $sequence_11 = { 87f6 05f6dbf42a 7500 81eb4e0e3377 87c0 }
            // n = 5, score = 100
            //   87f6                 | xchg                esi, esi
            //   05f6dbf42a           | add                 eax, 0x2af4dbf6
            //   7500                 | jne                 2
            //   81eb4e0e3377         | sub                 ebx, 0x77330e4e
            //   87c0                 | xchg                eax, eax

        $sequence_12 = { 2d78fe9726 059a220311 81eb2097189c 0570121e35 81eb9b8b4cc9 }
            // n = 5, score = 100
            //   2d78fe9726           | sub                 eax, 0x2697fe78
            //   059a220311           | add                 eax, 0x1103229a
            //   81eb2097189c         | sub                 ebx, 0x9c189720
            //   0570121e35           | add                 eax, 0x351e1270
            //   81eb9b8b4cc9         | sub                 ebx, 0xc94c8b9b

        $sequence_13 = { 81eb8a706645 9b 81c376966f5d 97 89bc2420f3ffff 8bf8 }
            // n = 6, score = 100
            //   81eb8a706645         | sub                 ebx, 0x4566708a
            //   9b                   | wait
            //   81c376966f5d         | add                 ebx, 0x5d6f9676
            //   97                   | xchg                eax, edi
            //   89bc2420f3ffff       | mov                 dword ptr [esp - 0xce0], edi
            //   8bf8                 | mov                 edi, eax

        $sequence_14 = { 81eb5a639002 81c3b168ba80 81c3f5fcff22 81c3b29fdbe3 }
            // n = 4, score = 100
            //   81eb5a639002         | sub                 ebx, 0x290635a
            //   81c3b168ba80         | add                 ebx, 0x80ba68b1
            //   81c3f5fcff22         | add                 ebx, 0x22fffcf5
            //   81c3b29fdbe3         | add                 ebx, 0xe3db9fb2

        $sequence_15 = { 05871a82f9 81eb5a389faf 2d98958ee3 81ebeeced6d0 }
            // n = 4, score = 100
            //   05871a82f9           | add                 eax, 0xf9821a87
            //   81eb5a389faf         | sub                 ebx, 0xaf9f385a
            //   2d98958ee3           | sub                 eax, 0xe38e9598
            //   81ebeeced6d0         | sub                 ebx, 0xd0d6ceee

    condition:
        // `them` refers to every $sequence_* string above; the size cap
        // (245760 bytes = 240 KiB) is an absolute upper bound, so larger files
        // are excluded regardless of how many sequences match.
        7 of them and filesize < 245760
}