Actor(s): RANCOR
There is no description at this point.
rule win_ddkong_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.ddkong." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c6459765 c6459857 c645996f c6459a77 c6459b36 c6459c34 c6459d46 } // n = 7, score = 100 // c6459765 | mov byte ptr [ebp - 0x69], 0x65 // c6459857 | mov byte ptr [ebp - 0x68], 0x57 // c645996f | mov byte ptr [ebp - 0x67], 0x6f // c6459a77 | mov byte ptr [ebp - 0x66], 0x77 // c6459b36 | mov byte ptr [ebp - 0x65], 0x36 // c6459c34 | mov byte ptr [ebp - 0x64], 0x34 // c6459d46 | mov byte ptr [ebp - 0x63], 0x46 $sequence_1 = { c68572ffffff62 c68573ffffff6a c68574ffffff65 c68575ffffff63 c68576ffffff74 889d77ffffff ffd7 } // n = 7, score = 100 // c68572ffffff62 | mov byte ptr [ebp - 0x8e], 0x62 // c68573ffffff6a | mov byte ptr [ebp - 0x8d], 0x6a // c68574ffffff65 | mov byte ptr [ebp - 0x8c], 0x65 // c68575ffffff63 | mov byte ptr [ebp - 0x8b], 0x63 // c68576ffffff74 | mov byte ptr [ebp - 0x8a], 0x74 // 889d77ffffff | mov byte ptr [ebp - 0x89], bl // ffd7 | call edi $sequence_2 = { c645d36c c645d465 c645d54e c645d661 c645d76d c645d865 c645d941 } // n = 7, score = 100 // c645d36c | mov byte ptr [ebp - 0x2d], 0x6c // c645d465 | mov byte ptr [ebp - 0x2c], 0x65 // c645d54e | mov byte ptr [ebp - 0x2b], 0x4e // c645d661 | mov byte ptr [ebp - 0x2a], 0x61 // c645d76d | mov byte ptr [ebp - 0x29], 0x6d // c645d865 | mov byte ptr [ebp - 0x28], 0x65 // c645d941 | mov byte ptr [ebp - 0x27], 0x41 $sequence_3 = { 5b 5d c20c00 ff25???????? ff25???????? 8b4c2404 85c9 } // n = 7, score = 100 // 5b | pop ebx // 5d | pop ebp // c20c00 | ret 0xc // ff25???????? | // ff25???????? | // 8b4c2404 | mov ecx, dword ptr [esp + 4] // 85c9 | test ecx, ecx $sequence_4 = { c645f470 ffd6 50 ffd7 8b5d0c bf04010000 } // n = 6, score = 100 // c645f470 | mov byte ptr [ebp - 0xc], 0x70 // ffd6 | call esi // 50 | push eax // ffd7 | call edi // 8b5d0c | mov ebx, dword ptr [ebp + 0xc] // bf04010000 | mov edi, 0x104 $sequence_5 = { 6a04 e8???????? 83c418 eb2d 6a01 } // n = 5, score = 100 // 6a04 | push 4 // e8???????? | // 83c418 | add esp, 0x18 // eb2d | jmp 0x2f // 6a01 | push 1 $sequence_6 = { 7427 837d08ff 7421 8d45dc 6a10 50 ff7508 } // n = 7, score = 100 // 7427 | je 0x29 // 837d08ff | cmp dword ptr [ebp + 8], -1 // 7421 | je 0x23 // 8d45dc | lea eax, [ebp - 0x24] // 6a10 | push 0x10 // 50 | push eax // ff7508 | push dword ptr [ebp + 8] $sequence_7 = { c6855affffff65 c6855bffffff4f c6855cffffff62 c6855dffffff6a c6855effffff65 } // n = 5, score = 100 // c6855affffff65 | mov byte ptr [ebp - 0xa6], 0x65 // c6855bffffff4f | mov byte ptr [ebp - 0xa5], 0x4f // c6855cffffff62 | mov byte ptr [ebp - 0xa4], 0x62 // c6855dffffff6a | mov byte ptr [ebp - 0xa3], 0x6a // c6855effffff65 | mov byte ptr [ebp - 0xa2], 0x65 $sequence_8 = { c6459763 c6459874 c6459969 c6459a76 c6459b65 c6459c43 c6459d6f } // n = 7, score = 100 // c6459763 | mov byte ptr [ebp - 0x69], 0x63 // c6459874 | mov byte ptr [ebp - 0x68], 0x74 // c6459969 | mov byte ptr [ebp - 0x67], 0x69 // c6459a76 | mov byte ptr [ebp - 0x66], 0x76 // c6459b65 | mov byte ptr [ebp - 0x65], 0x65 // c6459c43 | mov byte ptr [ebp - 0x64], 0x43 // c6459d6f | mov byte ptr [ebp - 0x63], 0x6f $sequence_9 = { c68574ffffff65 c68575ffffff63 c68576ffffff74 889d77ffffff } // n = 4, score = 100 // c68574ffffff65 | mov byte ptr [ebp - 0x8c], 0x65 // c68575ffffff63 | mov byte ptr [ebp - 0x8b], 0x63 // c68576ffffff74 | mov byte ptr [ebp - 0x8a], 0x74 // 889d77ffffff | mov byte ptr [ebp - 0x89], bl condition: 7 of them and filesize < 81920 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY