Actor(s): Tick
There is no description at this point.
rule win_daserf_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.daserf." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 81ebde5265bf f7d3 f7d3 2d54c52d2c 87ed } // n = 5, score = 100 // 81ebde5265bf | sub ebx, 0xbf6552de // f7d3 | not ebx // f7d3 | not ebx // 2d54c52d2c | sub eax, 0x2c2dc554 // 87ed | xchg ebp, ebp $sequence_1 = { ffb5b44affff ffd7 50 8d85c453ffff 50 } // n = 5, score = 100 // ffb5b44affff | push dword ptr [ebp - 0xb54c] // ffd7 | call edi // 50 | push eax // 8d85c453ffff | lea eax, [ebp - 0xac3c] // 50 | push eax $sequence_2 = { 9b 81c3ef283e49 7500 81eb28ae1332 96 } // n = 5, score = 100 // 9b | wait // 81c3ef283e49 | add ebx, 0x493e28ef // 7500 | jne 2 // 81eb28ae1332 | sub ebx, 0x3213ae28 // 96 | xchg eax, esi $sequence_3 = { 89bc2420f5ffff 8bf8 8b842420f5ffff 052925faa4 9b } // n = 5, score = 100 // 89bc2420f5ffff | mov dword ptr [esp - 0xae0], edi // 8bf8 | mov edi, eax // 8b842420f5ffff | mov eax, dword ptr [esp - 0xae0] // 052925faa4 | add eax, 0xa4fa2529 // 9b | wait $sequence_4 = { 8d85ecd7ffff 50 8b451c 03c7 50 e8???????? } // n = 6, score = 100 // 8d85ecd7ffff | lea eax, [ebp - 0x2814] // 50 | push eax // 8b451c | mov eax, dword ptr [ebp + 0x1c] // 03c7 | add eax, edi // 50 | push eax // e8???????? | $sequence_5 = { 3bde 9b 895df8 8d3f 0f8419030000 } // n = 5, score = 100 // 3bde | cmp ebx, esi // 9b | wait // 895df8 | mov dword ptr [ebp - 8], ebx // 8d3f | lea edi, [edi] // 0f8419030000 | je 0x31f $sequence_6 = { 8be4 81eb340b983a 8d36 054d03130d 8d09 } // n = 5, score = 100 // 8be4 | mov esp, esp // 81eb340b983a | sub ebx, 0x3a980b34 // 8d36 | lea esi, [esi] // 054d03130d | add eax, 0xd13034d // 8d09 | lea ecx, [ecx] $sequence_7 = { 8d85ecd7ffff 50 8bc6 2b45f8 03451c } // n = 5, score = 100 // 8d85ecd7ffff | lea eax, [ebp - 0x2814] // 50 | push eax // 8bc6 | mov eax, esi // 2b45f8 | sub eax, dword ptr [ebp - 8] // 03451c | add eax, dword ptr [ebp + 0x1c] $sequence_8 = { 05238b2be9 81c34ccb62fd 2d4be90aaf 81c3a88f129c 81c3c79a9453 81c336e69e8b } // n = 6, score = 100 // 05238b2be9 | add eax, 0xe92b8b23 // 81c34ccb62fd | add ebx, 0xfd62cb4c // 2d4be90aaf | sub eax, 0xaf0ae94b // 81c3a88f129c | add ebx, 0x9c128fa8 // 81c3c79a9453 | add ebx, 0x53949ac7 // 81c336e69e8b | add ebx, 0x8b9ee636 $sequence_9 = { 56 6a00 8bf8 ffd3 8bd8 } // n = 5, score = 100 // 56 | push esi // 6a00 | push 0 // 8bf8 | mov edi, eax // ffd3 | call ebx // 8bd8 | mov ebx, eax $sequence_10 = { ffd6 ff75fc ffd6 8bc3 eb14 57 } // n = 6, score = 100 // ffd6 | call esi // ff75fc | push dword ptr [ebp - 4] // ffd6 | call esi // 8bc3 | mov eax, ebx // eb14 | jmp 0x16 // 57 | push edi $sequence_11 = { e9???????? 050accc6a4 90 2d6c242e34 8bf6 } // n = 5, score = 100 // e9???????? | // 050accc6a4 | add eax, 0xa4c6cc0a // 90 | nop // 2d6c242e34 | sub eax, 0x342e246c // 8bf6 | mov esi, esi $sequence_12 = { 054802b96a 2d9838054c 2d6715fecd 81eb7323c133 05882a5dde } // n = 5, score = 100 // 054802b96a | add eax, 0x6ab90248 // 2d9838054c | sub eax, 0x4c053898 // 2d6715fecd | sub eax, 0xcdfe1567 // 81eb7323c133 | sub ebx, 0x33c12373 // 05882a5dde | add eax, 0xde5d2a88 $sequence_13 = { 05435895a7 8bed 2d9ad7858d 8d12 056e3b4b3c } // n = 5, score = 100 // 05435895a7 | add eax, 0xa7955843 // 8bed | mov ebp, ebp // 2d9ad7858d | sub eax, 0x8d85d79a // 8d12 | lea edx, [edx] // 056e3b4b3c | add eax, 0x3c4b3b6e $sequence_14 = { 8bc0 81eb4b95a36c f7d5 f7d5 2deb74800f } // n = 5, score = 100 // 8bc0 | mov eax, eax // 81eb4b95a36c | sub ebx, 0x6ca3954b // f7d5 | not ebp // f7d5 | not ebp // 2deb74800f | sub eax, 0xf8074eb $sequence_15 = { 81eb8d2d07be 81c34b01c807 2d08223beb 05c6f5fb34 2d6e58839a } // n = 5, score = 100 // 81eb8d2d07be | sub ebx, 0xbe072d8d // 81c34b01c807 | add ebx, 0x7c8014b // 2d08223beb | sub eax, 0xeb3b2208 // 05c6f5fb34 | add eax, 0x34fbf5c6 // 2d6e58839a | sub eax, 0x9a83586e condition: 7 of them and filesize < 245760 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY