There is no description at this point.
rule win_doublefinger_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.doublefinger."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefinger"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer note on the per-instruction comments:
     * the disassembly column that accompanied the autogenerated output was
     * out of step with the byte patterns (e.g. 8b442404 was annotated as
     * "dec eax"; it encodes "mov eax, [rsp+4]"). The hex patterns are the
     * authoritative part of this rule and are reproduced unchanged; the
     * mnemonics below were re-derived from the encodings assuming 64-bit
     * mode (REX prefixes 48/4c/41/45 are present) and should be checked
     * against the sample before being relied on. "e8????????" is a near
     * call whose 4-byte relative displacement is wildcarded because it
     * differs per build. "n" is the number of instructions in the
     * sequence; "score" is yara-signator's selection score.
     */

    strings:
        // n = 6, score = 100
        $sequence_0 = { 8b442404 8b0c24 03c8 8bc1 03442408 8bc0 }
            // 8b442404 | mov eax, dword ptr [rsp + 4]
            // 8b0c24   | mov ecx, dword ptr [rsp]
            // 03c8     | add ecx, eax
            // 8bc1     | mov eax, ecx
            // 03442408 | add eax, dword ptr [rsp + 8]
            // 8bc0     | mov eax, eax

        // n = 7, score = 100
        $sequence_1 = { 8b442448 39442444 7d27 41b87a000000 ba61000000 488b8c2468010000 e8???????? }
            // 8b442448         | mov eax, dword ptr [rsp + 0x48]
            // 39442444         | cmp dword ptr [rsp + 0x44], eax
            // 7d27             | jge +0x27
            // 41b87a000000     | mov r8d, 0x7a
            // ba61000000       | mov edx, 0x61
            // 488b8c2468010000 | mov rcx, qword ptr [rsp + 0x168]
            // e8????????       | call <rel32>

        // n = 4, score = 100
        $sequence_2 = { 4533c0 8b942464010000 488b4c2450 e8???????? }
            // 4533c0         | xor r8d, r8d
            // 8b942464010000 | mov edx, dword ptr [rsp + 0x164]
            // 488b4c2450     | mov rcx, qword ptr [rsp + 0x50]
            // e8????????     | call <rel32>

        // n = 5, score = 100
        $sequence_3 = { 4883ec38 ba08000000 488d4c2420 e8???????? 6944244810270000 }
            // 4883ec38         | sub rsp, 0x38
            // ba08000000       | mov edx, 8
            // 488d4c2420       | lea rcx, [rsp + 0x20]
            // e8????????       | call <rel32>
            // 6944244810270000 | imul eax, dword ptr [rsp + 0x48], 0x2710

        // n = 5, score = 100
        $sequence_4 = { 488b4c2450 e8???????? 48898424f8020000 8b442458 35beaeaeab }
            // 488b4c2450       | mov rcx, qword ptr [rsp + 0x50]
            // e8????????       | call <rel32>
            // 48898424f8020000 | mov qword ptr [rsp + 0x2f8], rax
            // 8b442458         | mov eax, dword ptr [rsp + 0x58]
            // 35beaeaeab       | xor eax, 0xabaeaebe

        // n = 7, score = 100
        // Register arguments spilled to their home slots, then stack
        // arguments staged for a call; what is called is not in the sequence.
        $sequence_5 = { 4c89442418 4889542410 48894c2408 4883ec68 48c744243000000000 c744242880000000 c744242003000000 }
            // 4c89442418         | mov qword ptr [rsp + 0x18], r8
            // 4889542410         | mov qword ptr [rsp + 0x10], rdx
            // 48894c2408         | mov qword ptr [rsp + 8], rcx
            // 4883ec68           | sub rsp, 0x68
            // 48c744243000000000 | mov qword ptr [rsp + 0x30], 0
            // c744242880000000   | mov dword ptr [rsp + 0x28], 0x80
            // c744242003000000   | mov dword ptr [rsp + 0x20], 3

        // n = 4, score = 100
        $sequence_6 = { 488bc1 eb7a 837c242000 7471 }
            // 488bc1     | mov rax, rcx
            // eb7a       | jmp +0x7a
            // 837c242000 | cmp dword ptr [rsp + 0x20], 0
            // 7471       | je +0x71

        // n = 6, score = 100
        $sequence_7 = { 85c0 752d 41b975020000 4533c0 48c7c2ffffffff 488d8c2410030000 }
            // 85c0             | test eax, eax
            // 752d             | jne +0x2d
            // 41b975020000     | mov r9d, 0x275
            // 4533c0           | xor r8d, r8d
            // 48c7c2ffffffff   | mov rdx, -1
            // 488d8c2410030000 | lea rcx, [rsp + 0x310]

        // n = 5, score = 100
        $sequence_8 = { 3565708005 8984246c010000 8b84246c010000 8b4c2460 33c8 }
            // 3565708005     | xor eax, 0x05807065
            // 8984246c010000 | mov dword ptr [rsp + 0x16c], eax
            // 8b84246c010000 | mov eax, dword ptr [rsp + 0x16c]
            // 8b4c2460       | mov ecx, dword ptr [rsp + 0x60]
            // 33c8           | xor ecx, eax

        // n = 4, score = 100
        $sequence_9 = { 488b8424a0020000 8b4c2460 3908 7502 }
            // 488b8424a0020000 | mov rax, qword ptr [rsp + 0x2a0]
            // 8b4c2460         | mov ecx, dword ptr [rsp + 0x60]
            // 3908             | cmp dword ptr [rax], ecx
            // 7502             | jne +2

    condition:
        // Majority of the sequences must be present; the size cap keeps the
        // rule from being applied to arbitrarily large inputs.
        7 of them and filesize < 115712
}