There is no description at this point.
// Autogenerated yara-signator rule for the win.ddkeylogger family.
//
// Reviewer notes (do not change matching behaviour):
//  - Every sequence below was lifted from disassembly of memory dumps /
//    unpacked samples (see the DISCLAIMER in meta). There is deliberately no
//    MZ/PE-header check, so the rule can be applied to dumped memory regions;
//    adding `uint16(0) == 0x5A4D` would narrow it to on-disk files and is a
//    scope change, not a fix.
//  - `e8????????` / `ff15????????` / `68????????` wildcard the relative call,
//    import-table and immediate operands, so the patterns survive relocation
//    and different link addresses.
//  - $sequence_6 and $sequence_8 are short flag-test helpers
//    (test/setne/add/ret) and could plausibly occur in unrelated compiler
//    output; the `7 of them` threshold is what keeps them from matching alone.
//  - The `filesize` bound applies to the object being scanned (file or dumped
//    region); anything larger than 808960 bytes is excluded regardless of
//    how many sequences hit.
rule win_ddkeylogger_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.ddkeylogger."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // stack-local set to a fixed address (0x4118e0) and passed to a call
        $sequence_0 = { 8d45cc 50 c745cce0184100 e8???????? }
            // n = 4, score = 200
            // 8d45cc               | lea eax, [ebp - 0x34]
            // 50                   | push eax
            // c745cce0184100       | mov dword ptr [ebp - 0x34], 0x4118e0
            // e8????????           |

        // call, two-arg stack cleanup, null-terminate at eax, then two pushes
        $sequence_1 = { 56 e8???????? 83c408 c60000 68???????? 68???????? }
            // n = 6, score = 200
            // 56                   | push esi
            // e8????????           |
            // 83c408               | add esp, 8
            // c60000               | mov byte ptr [eax], 0
            // 68????????           |
            // 68????????           |

        // indirect call through a vtable-style slot: [[ebp-0x520]] + 8
        $sequence_2 = { ff15???????? 8b85e0faffff 8b08 8b5108 50 ffd2 }
            // n = 6, score = 200
            // ff15????????         |
            // 8b85e0faffff         | mov eax, dword ptr [ebp - 0x520]
            // 8b08                 | mov ecx, dword ptr [eax]
            // 8b5108               | mov edx, dword ptr [ecx + 8]
            // 50                   | push eax
            // ffd2                 | call edx

        // 0x400-byte stack buffer passed to a call, followed by a word load
        $sequence_3 = { ff15???????? 6800040000 8d8d4cf3ffff 6a00 51 e8???????? 0fb79548efffff }
            // n = 7, score = 200
            // ff15????????         |
            // 6800040000           | push 0x400
            // 8d8d4cf3ffff         | lea ecx, [ebp - 0xcb4]
            // 6a00                 | push 0
            // 51                   | push ecx
            // e8????????           |
            // 0fb79548efffff       | movzx edx, word ptr [ebp - 0x10b8]

        // word-table lookup through two indirections
        $sequence_4 = { 8b5804 8d140b 0fb70a 56 8b700c 0fb70c4e 0fb7f1 }
            // n = 7, score = 200
            // 8b5804               | mov ebx, dword ptr [eax + 4]
            // 8d140b               | lea edx, [ebx + ecx]
            // 0fb70a               | movzx ecx, word ptr [edx]
            // 56                   | push esi
            // 8b700c               | mov esi, dword ptr [eax + 0xc]
            // 0fb70c4e             | movzx ecx, word ptr [esi + ecx*2]
            // 0fb7f1               | movzx esi, cx

        // register/local shuffling after a three-arg stack cleanup
        $sequence_5 = { 83c40c 8b55e8 8b45f0 8955dc 8bf9 8945e4 8bde }
            // n = 7, score = 200
            // 83c40c               | add esp, 0xc
            // 8b55e8               | mov edx, dword ptr [ebp - 0x18]
            // 8b45f0               | mov eax, dword ptr [ebp - 0x10]
            // 8955dc               | mov dword ptr [ebp - 0x24], edx
            // 8bf9                 | mov edi, ecx
            // 8945e4               | mov dword ptr [ebp - 0x1c], eax
            // 8bde                 | mov ebx, esi

        // short flag-test helper: returns 9 or 10 depending on bit 0x200 of edx
        $sequence_6 = { f7c200020000 0f95c0 0409 c3 }
            // n = 4, score = 200
            // f7c200020000         | test edx, 0x200
            // 0f95c0               | setne al
            // 0409                 | add al, 9
            // c3                   | ret

        // byte copy between two stack buffers indexed by eax
        $sequence_7 = { 885004 33c0 8d642400 8a8c05f8feffff 888c05e4fcffff }
            // n = 5, score = 200
            // 885004               | mov byte ptr [eax + 4], dl
            // 33c0                 | xor eax, eax
            // 8d642400             | lea esp, [esp]
            // 8a8c05f8feffff       | mov cl, byte ptr [ebp + eax - 0x108]
            // 888c05e4fcffff       | mov byte ptr [ebp + eax - 0x31c], cl

        // short flag-test helper: returns 3 or 4 depending on bit 8 of dl
        $sequence_8 = { 7409 f6c208 0f95c0 0403 c3 }
            // n = 5, score = 200
            // 7409                 | je 0xb
            // f6c208               | test dl, 8
            // 0f95c0               | setne al
            // 0403                 | add al, 3
            // c3                   | ret

        // stack buffer at [ebp-0x31b] pushed with a 0 argument
        $sequence_9 = { 8d8de5fcffff 6a00 51 8985e0fcffff }
            // n = 4, score = 200
            // 8d8de5fcffff         | lea ecx, [ebp - 0x31b]
            // 6a00                 | push 0
            // 51                   | push ecx
            // 8985e0fcffff         | mov dword ptr [ebp - 0x320], eax

    condition:
        // at least 7 of the 10 code sequences, and the scanned object is
        // smaller than ~790 KiB
        7 of them and filesize < 808960
}