Actor(s): Sofacy
There is no description at this point.
rule win_downdelph_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.downdelph." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 39d7 7517 bafeffffff d3c2 21148554da8900 7507 } // n = 6, score = 100 // 39d7 | cmp edi, edx // 7517 | jne 0x19 // bafeffffff | mov edx, 0xfffffffe // d3c2 | rol edx, cl // 21148554da8900 | and dword ptr [eax*4 + 0x89da54], edx // 7507 | jne 9 $sequence_1 = { 8d45f4 33c9 ba06000000 e8???????? 8d45f4 } // n = 5, score = 100 // 8d45f4 | lea eax, [ebp - 0xc] // 33c9 | xor ecx, ecx // ba06000000 | mov edx, 6 // e8???????? | // 8d45f4 | lea eax, [ebp - 0xc] $sequence_2 = { 7d18 8bd3 2bd7 0faf55ec 8b45ec } // n = 5, score = 100 // 7d18 | jge 0x1a // 8bd3 | mov edx, ebx // 2bd7 | sub edx, edi // 0faf55ec | imul edx, dword ptr [ebp - 0x14] // 8b45ec | mov eax, dword ptr [ebp - 0x14] $sequence_3 = { 83c4f8 8bf2 33d2 8bdc 8bca 0fb6f8 } // n = 6, score = 100 // 83c4f8 | add esp, -8 // 8bf2 | mov esi, edx // 33d2 | xor edx, edx // 8bdc | mov ebx, esp // 8bca | mov ecx, edx // 0fb6f8 | movzx edi, al $sequence_4 = { b201 8b45fc e8???????? 84c0 } // n = 4, score = 100 // b201 | mov dl, 1 // 8b45fc | mov eax, dword ptr [ebp - 4] // e8???????? | // 84c0 | test al, al $sequence_5 = { b9???????? ba???????? 8b45f0 e8???????? 8b55c4 8d45f4 e8???????? } // n = 7, score = 100 // b9???????? | // ba???????? | // 8b45f0 | mov eax, dword ptr [ebp - 0x10] // e8???????? | // 8b55c4 | mov edx, dword ptr [ebp - 0x3c] // 8d45f4 | lea eax, [ebp - 0xc] // e8???????? | $sequence_6 = { 8b45f4 e8???????? 84c0 7407 b301 e9???????? 68???????? } // n = 7, score = 100 // 8b45f4 | mov eax, dword ptr [ebp - 0xc] // e8???????? | // 84c0 | test al, al // 7407 | je 9 // b301 | mov bl, 1 // e9???????? | // 68???????? | $sequence_7 = { 0fb608 80e101 02d1 40 4e 75f2 } // n = 6, score = 100 // 0fb608 | movzx ecx, byte ptr [eax] // 80e101 | and cl, 1 // 02d1 | add dl, cl // 40 | inc eax // 4e | dec esi // 75f2 | jne 0xfffffff4 $sequence_8 = { b8???????? e8???????? 8bd0 42 8b45fc } // n = 5, score = 100 // b8???????? | // e8???????? | // 8bd0 | mov edx, eax // 42 | inc edx // 8b45fc | mov eax, dword ptr [ebp - 4] $sequence_9 = { 56 57 8bf1 8bfa 8945fc 8b45fc e8???????? } // n = 7, score = 100 // 56 | push esi // 57 | push edi // 8bf1 | mov esi, ecx // 8bfa | mov edi, edx // 8945fc | mov dword ptr [ebp - 4], eax // 8b45fc | mov eax, dword ptr [ebp - 4] // e8???????? | condition: 7 of them and filesize < 172032 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY