rule win_donot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.donot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.donot"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6bd238 8b0c8d187b0410 88441129 8b0b 8bc1 c1f806 }
            // n = 6, score = 100
            //   6bd238               | imul                edx, edx, 0x38
            //   8b0c8d187b0410       | mov                 ecx, dword ptr [ecx*4 + 0x10047b18]
            //   88441129             | mov                 byte ptr [ecx + edx + 0x29], al
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8bc1                 | mov                 eax, ecx
            //   c1f806               | sar                 eax, 6

        $sequence_1 = { 83c408 8bb5e8fdffff 8dbdd8fdffff 83bdecfdffff10 c745b000000000 0f43bdd8fdffff }
            // n = 6, score = 100
            //   83c408               | add                 esp, 8
            //   8bb5e8fdffff         | mov                 esi, dword ptr [ebp - 0x218]
            //   8dbdd8fdffff         | lea                 edi, [ebp - 0x228]
            //   83bdecfdffff10       | cmp                 dword ptr [ebp - 0x214], 0x10
            //   c745b000000000       | mov                 dword ptr [ebp - 0x50], 0
            //   0f43bdd8fdffff       | cmovae              edi, dword ptr [ebp - 0x228]

        $sequence_2 = { 8bf3 6bf938 c1fe06 6a00 8b0cb5187b0410 ff740f24 }
            // n = 6, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   6bf938               | imul                edi, ecx, 0x38
            //   c1fe06               | sar                 esi, 6
            //   6a00                 | push                0
            //   8b0cb5187b0410       | mov                 ecx, dword ptr [esi*4 + 0x10047b18]
            //   ff740f24             | push                dword ptr [edi + ecx + 0x24]

        $sequence_3 = { 894610 c7461407000000 668906 e9???????? 837f1410 8bcf 7202 }
            // n = 7, score = 100
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   c7461407000000       | mov                 dword ptr [esi + 0x14], 7
            //   668906               | mov                 word ptr [esi], ax
            //   e9????????           |                     
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   8bcf                 | mov                 ecx, edi
            //   7202                 | jb                  4

        $sequence_4 = { c785e4fbffff07000000 8d5102 668985d0fbffff 6690 668b01 83c102 6685c0 }
            // n = 7, score = 100
            //   c785e4fbffff07000000     | mov    dword ptr [ebp - 0x41c], 7
            //   8d5102               | lea                 edx, [ecx + 2]
            //   668985d0fbffff       | mov                 word ptr [ebp - 0x430], ax
            //   6690                 | nop                 
            //   668b01               | mov                 ax, word ptr [ecx]
            //   83c102               | add                 ecx, 2
            //   6685c0               | test                ax, ax

        $sequence_5 = { 8d85e8e7ffff 68???????? 50 ff15???????? 83c410 8d8594e7ffff 50 }
            // n = 7, score = 100
            //   8d85e8e7ffff         | lea                 eax, [ebp - 0x1818]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c410               | add                 esp, 0x10
            //   8d8594e7ffff         | lea                 eax, [ebp - 0x186c]
            //   50                   | push                eax

        $sequence_6 = { 0f1085b0fcffff 0f1100 8bc4 0f108590fcffff 51 0f1100 ff5228 }
            // n = 7, score = 100
            //   0f1085b0fcffff       | movups              xmm0, xmmword ptr [ebp - 0x350]
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   8bc4                 | mov                 eax, esp
            //   0f108590fcffff       | movups              xmm0, xmmword ptr [ebp - 0x370]
            //   51                   | push                ecx
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   ff5228               | call                dword ptr [edx + 0x28]

        $sequence_7 = { 83c408 8b95dcfeffff 83fa10 722f 8b8dc8feffff 42 8bc1 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   8b95dcfeffff         | mov                 edx, dword ptr [ebp - 0x124]
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8dc8feffff         | mov                 ecx, dword ptr [ebp - 0x138]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx

        $sequence_8 = { 6a00 68???????? 6802000080 c785c8e7ffff3f000f00 ff15???????? 85c0 0f84ef000000 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   68????????           |                     
            //   6802000080           | push                0x80000002
            //   c785c8e7ffff3f000f00     | mov    dword ptr [ebp - 0x1838], 0xf003f
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f84ef000000         | je                  0xf5

        $sequence_9 = { 8d45f4 64a300000000 8965f0 8b4510 8b4d18 8b5d0c }
            // n = 6, score = 100
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]

    condition:
        7 of them and filesize < 626688
}