Actor(s): Tick
There is no description at this point.
rule win_daserf_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2019-07-05" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator 0.2a" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf" malpedia_version = "20190620" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 51 8d442400 50 33c0 50 50 68f7844000 } // n = 7, score = 100 // 51 | push ecx // 8d442400 | lea eax, [esp] // 50 | push eax // 33c0 | xor eax, eax // 50 | push eax // 50 | push eax // 68f7844000 | push 0x4084f7 $sequence_1 = { 0506eaec93 75?? 2dff599158 93 } // n = 4, score = 100 // 0506eaec93 | add eax, 0x93ecea06 // 75?? | // 2dff599158 | sub eax, 0x589159ff // 93 | xchg eax, ebx $sequence_2 = { ffd6 8d8594fdffff 50 8d8594ecffff } // n = 4, score = 100 // ffd6 | call esi // 8d8594fdffff | lea eax, [ebp - 0x26c] // 50 | push eax // 8d8594ecffff | lea eax, [ebp - 0x136c] $sequence_3 = { 81c3630f0c33 2d4e8719c5 0562d2b8fd 81eba20e5718 } // n = 4, score = 100 // 81c3630f0c33 | add ebx, 0x330c0f63 // 2d4e8719c5 | sub eax, 0xc519874e // 0562d2b8fd | add eax, 0xfdb8d262 // 81eba20e5718 | sub ebx, 0x18570ea2 $sequence_4 = { ffd6 8d45fc 6a00 50 6a01 6888e04000 53 } // n = 7, score = 100 // ffd6 | call esi // 8d45fc | lea eax, [ebp - 4] // 6a00 | push 0 // 50 | push eax // 6a01 | push 1 // 6888e04000 | push 0x40e088 // 53 | push ebx $sequence_5 = { 81c398f4f5f1 8bff 81eb16e1dcb1 90 2dc3d7ab86 8bf6 2d1cbd3739 } // n = 7, score = 100 // 81c398f4f5f1 | add ebx, 0xf1f5f498 // 8bff | mov edi, edi // 81eb16e1dcb1 | sub ebx, 0xb1dce116 // 90 | nop // 2dc3d7ab86 | sub eax, 0x86abd7c3 // 8bf6 | mov esi, esi // 2d1cbd3739 | sub eax, 0x3937bd1c $sequence_6 = { 055b4e8b45 81c3b0d485cc 81c3f781b4a1 81c392402699 } // n = 4, score = 100 // 055b4e8b45 | add eax, 0x458b4e5b // 81c3b0d485cc | add ebx, 0xcc85d4b0 // 81c3f781b4a1 | add ebx, 0xa1b481f7 // 81c392402699 | add ebx, 0x99264092 $sequence_7 = { 8b842440f1ffff 059cbb63b8 f7d4 f7d4 2de623626c 8d09 81eb87b68c75 } // n = 7, score = 100 // 8b842440f1ffff | mov eax, dword ptr [esp - 0xec0] // 059cbb63b8 | add eax, 0xb863bb9c // f7d4 | not esp // f7d4 | not esp // 2de623626c | sub eax, 0x6c6223e6 // 8d09 | lea ecx, [ecx] // 81eb87b68c75 | sub ebx, 0x758cb687 $sequence_8 = { 89842400f5ffff 8bc0 8b842400f5ffff 2de49557e5 90 } // n = 5, score = 100 // 89842400f5ffff | mov dword ptr [esp - 0xb00], eax // 8bc0 | mov eax, eax // 8b842400f5ffff | mov eax, dword ptr [esp - 0xb00] // 2de49557e5 | sub eax, 0xe55795e4 // 90 | nop $sequence_9 = { 8d8568fbffff 50 ff15???????? 50 } // n = 4, score = 100 // 8d8568fbffff | lea eax, [ebp - 0x498] // 50 | push eax // ff15???????? | // 50 | push eax $sequence_10 = { 8b842410f2ffff 81c39158540b 90 81c387af0f9d 95 89ac2430f3ffff } // n = 6, score = 100 // 8b842410f2ffff | mov eax, dword ptr [esp - 0xdf0] // 81c39158540b | add ebx, 0xb545891 // 90 | nop // 81c387af0f9d | add ebx, 0x9d0faf87 // 95 | xchg eax, ebp // 89ac2430f3ffff | mov dword ptr [esp - 0xcd0], ebp $sequence_11 = { 2d787c6ae6 90 05a2570e84 f7d0 } // n = 4, score = 100 // 2d787c6ae6 | sub eax, 0xe66a7c78 // 90 | nop // 05a2570e84 | add eax, 0x840e57a2 // f7d0 | not eax $sequence_12 = { 87f6 81eba762756e 8bdb 0519a01e7f 95 89ac2420f1ffff } // n = 6, score = 100 // 87f6 | xchg esi, esi // 81eba762756e | sub ebx, 0x6e7562a7 // 8bdb | mov ebx, ebx // 0519a01e7f | add eax, 0x7f1ea019 // 95 | xchg eax, ebp // 89ac2420f1ffff | mov dword ptr [esp - 0xee0], ebp $sequence_13 = { 81ebd648f015 81c30e6a05d3 81c38a5df633 2d6f2a1e46 } // n = 4, score = 100 // 81ebd648f015 | sub ebx, 0x15f048d6 // 81c30e6a05d3 | add ebx, 0xd3056a0e // 81c38a5df633 | add ebx, 0x33f65d8a // 2d6f2a1e46 | sub eax, 0x461e2a6f $sequence_14 = { 0596b0efd9 81eb4392fb3e 05c0b6d128 81eb26ad18b7 81eb7eca9393 } // n = 5, score = 100 // 0596b0efd9 | add eax, 0xd9efb096 // 81eb4392fb3e | sub ebx, 0x3efb9243 // 05c0b6d128 | add eax, 0x28d1b6c0 // 81eb26ad18b7 | sub ebx, 0xb718ad26 // 81eb7eca9393 | sub ebx, 0x9393ca7e $sequence_15 = { 8be4 81eb1b1f1791 90 81c346ad0895 8bff 81c3f1bd3edf 9b } // n = 7, score = 100 // 8be4 | mov esp, esp // 81eb1b1f1791 | sub ebx, 0x91171f1b // 90 | nop // 81c346ad0895 | add ebx, 0x9508ad46 // 8bff | mov edi, edi // 81c3f1bd3edf | add ebx, 0xdf3ebdf1 // 9b | wait condition: 7 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Your suggestion will be reviewed before being published. Thank you for contributing!