Actor(s): Tick
There is no description at this point.
rule win_daserf_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.daserf." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 05a76d6f80 2d1588942f 81eba1baec0e 81c3542a8d1e 81eb5e17a468 2de508366a } // n = 6, score = 100 // 05a76d6f80 | add eax, 0x806f6da7 // 2d1588942f | sub eax, 0x2f948815 // 81eba1baec0e | sub ebx, 0xeecbaa1 // 81c3542a8d1e | add ebx, 0x1e8d2a54 // 81eb5e17a468 | sub ebx, 0x68a4175e // 2de508366a | sub eax, 0x6a3608e5 $sequence_1 = { 81c3b7c2f7e6 2df3af433d 2da013b87f 81c3d145a55f 81ebb86e602d 81c33e65de95 } // n = 6, score = 100 // 81c3b7c2f7e6 | add ebx, 0xe6f7c2b7 // 2df3af433d | sub eax, 0x3d43aff3 // 2da013b87f | sub eax, 0x7fb813a0 // 81c3d145a55f | add ebx, 0x5fa545d1 // 81ebb86e602d | sub ebx, 0x2d606eb8 // 81c33e65de95 | add ebx, 0x95de653e $sequence_2 = { 81ebb384522e 81c3b480372d 81ebbd336e73 81c33ec69dd2 058b84f961 81c3c72aa02b } // n = 6, score = 100 // 81ebb384522e | sub ebx, 0x2e5284b3 // 81c3b480372d | add ebx, 0x2d3780b4 // 81ebbd336e73 | sub ebx, 0x736e33bd // 81c33ec69dd2 | add ebx, 0xd29dc63e // 058b84f961 | add eax, 0x61f9848b // 81c3c72aa02b | add ebx, 0x2ba02ac7 $sequence_3 = { 81c3b123131a 90 89842430f3ffff 8bc0 8b842430f3ffff } // n = 5, score = 100 // 81c3b123131a | add ebx, 0x1a1323b1 // 90 | nop // 89842430f3ffff | mov dword ptr [esp - 0xcd0], eax // 8bc0 | mov eax, eax // 8b842430f3ffff | mov eax, dword ptr [esp - 0xcd0] $sequence_4 = { f7d0 81eb431a27d2 f7d5 f7d5 81eb6562e145 } // n = 5, score = 100 // f7d0 | not eax // 81eb431a27d2 | sub ebx, 0xd2271a43 // f7d5 | not ebp // f7d5 | not ebp // 81eb6562e145 | sub ebx, 0x45e16265 $sequence_5 = { 7500 81c381b8519a 87ed 81eb010bd426 e9???????? } // n = 5, score = 100 // 7500 | jne 2 // 81c381b8519a | add ebx, 0x9a51b881 // 87ed | xchg ebp, ebp // 81eb010bd426 | sub ebx, 0x26d40b01 // e9???????? | $sequence_6 = { 90 2da7394548 7500 81ebc5b0441a } // n = 4, score = 100 // 90 | nop // 2da7394548 | sub eax, 0x484539a7 // 7500 | jne 2 // 81ebc5b0441a | sub ebx, 0x1a44b0c5 $sequence_7 = { 81c38f95dc89 8bc9 81ebdab028a4 7500 } // n = 4, score = 100 // 81c38f95dc89 | add ebx, 0x89dc958f // 8bc9 | mov ecx, ecx // 81ebdab028a4 | sub ebx, 0xa428b0da // 7500 | jne 2 $sequence_8 = { 8b45e8 d3f8 85c0 0f8419010000 a801 } // n = 5, score = 100 // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // d3f8 | sar eax, cl // 85c0 | test eax, eax // 0f8419010000 | je 0x11f // a801 | test al, 1 $sequence_9 = { bf007f0000 33f6 57 56 c745b430000000 c745b803000000 } // n = 6, score = 100 // bf007f0000 | mov edi, 0x7f00 // 33f6 | xor esi, esi // 57 | push edi // 56 | push esi // c745b430000000 | mov dword ptr [ebp - 0x4c], 0x30 // c745b803000000 | mov dword ptr [ebp - 0x48], 3 $sequence_10 = { f7d6 ffd6 9b 8b3d???????? 90 8d85f4faffff 8d00 } // n = 7, score = 100 // f7d6 | not esi // ffd6 | call esi // 9b | wait // 8b3d???????? | // 90 | nop // 8d85f4faffff | lea eax, dword ptr [ebp - 0x50c] // 8d00 | lea eax, dword ptr [eax] $sequence_11 = { c745fc00010000 c785d8feffff14010000 e8???????? 59 8d45fc } // n = 5, score = 100 // c745fc00010000 | mov dword ptr [ebp - 4], 0x100 // c785d8feffff14010000 | mov dword ptr [ebp - 0x128], 0x114 // e8???????? | // 59 | pop ecx // 8d45fc | lea eax, dword ptr [ebp - 4] $sequence_12 = { 2d2fe48597 05cf9f13b1 059b4ca0ac 2ddb883ec7 81ebcea2c19c 2dc95936ad } // n = 6, score = 100 // 2d2fe48597 | sub eax, 0x9785e42f // 05cf9f13b1 | add eax, 0xb1139fcf // 059b4ca0ac | add eax, 0xaca04c9b // 2ddb883ec7 | sub eax, 0xc73e88db // 81ebcea2c19c | sub ebx, 0x9cc1a2ce // 2dc95936ad | sub eax, 0xad3659c9 $sequence_13 = { f7d0 81c3c85bc4e6 9b 81c3402fa99b 90 81c34fe5b167 } // n = 6, score = 100 // f7d0 | not eax // 81c3c85bc4e6 | add ebx, 0xe6c45bc8 // 9b | wait // 81c3402fa99b | add ebx, 0x9ba92f40 // 90 | nop // 81c34fe5b167 | add ebx, 0x67b1e54f $sequence_14 = { 96 89b42410f2ffff 8bf0 8b842410f2ffff 2de164128a } // n = 5, score = 100 // 96 | xchg eax, esi // 89b42410f2ffff | mov dword ptr [esp - 0xdf0], esi // 8bf0 | mov esi, eax // 8b842410f2ffff | mov eax, dword ptr [esp - 0xdf0] // 2de164128a | sub eax, 0x8a1264e1 $sequence_15 = { 05d848c354 2df13f033a 81eb657f2411 81ebd1c35df5 81eb73e503c0 } // n = 5, score = 100 // 05d848c354 | add eax, 0x54c348d8 // 2df13f033a | sub eax, 0x3a033ff1 // 81eb657f2411 | sub ebx, 0x11247f65 // 81ebd1c35df5 | sub ebx, 0xf55dc3d1 // 81eb73e503c0 | sub ebx, 0xc003e573 condition: 7 of them and filesize < 245760 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY