Actor(s): APT28
There is no description at this point.
rule win_downdelph_auto {
    // Auto-generated code-sequence signature for win.downdelph (yara-signator v0.6.0, see meta below).
    // Each $sequence_N is a run of x86 instruction bytes lifted from the disassembly of memory dumps /
    // unpacked samples, so the rule is aimed at unpacked code in memory or at already-unpacked files;
    // it is not expected to fire on a still-packed on-disk binary (inferred from the generation method,
    // not verified here). `??` masks bytes that vary per build, e.g. the rel32 target of an `e8` call
    // or the absolute address in `8b15????????` / `ba????????`.
    // The `n = X, score = Y` annotations come from yara-signator: n is the instruction count of the
    // sequence (matches the listed mnemonics); the meaning of score is not documented on this page.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.downdelph."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        /* DISCLAIMER
         * The strings used in this rule have been automatically selected from the
         * disassembly of memory dumps and unpacked files, using YARA-Signator.
         * The code and documentation is published here:
         * https://github.com/fxb-cocacoding/yara-signator
         * As Malpedia is used as data source, please note that for a given
         * number of families, only single samples are documented.
         * This likely impacts the degree of generalization these rules will offer.
         * Take the described generation method also into consideration when you
         * apply the rules in your use cases and assign them confidence levels.
         */
    strings:
        // Call-heavy prologue fragments (sequences 0, 2, 4, 5, 6, 8, 9) are short and built from
        // common compiler patterns (mov/lea/push around a wildcarded call); on their own they are
        // weak, which is why the condition requires 7 of the 10 sequences rather than any single one.
        $sequence_0 = { b900000000 e8???????? 8d55f4 8b45fc e8???????? 8b45f4 ba???????? }
            // n = 7, score = 100
            //   b900000000 | mov ecx, 0
            //   e8???????? |
            //   8d55f4     | lea edx, [ebp - 0xc]
            //   8b45fc     | mov eax, dword ptr [ebp - 4]
            //   e8???????? |
            //   8b45f4     | mov eax, dword ptr [ebp - 0xc]
            //   ba???????? |
        $sequence_1 = { 8b17 8d0482 50 8d45c8 }
            // n = 4, score = 100
            //   8b17   | mov edx, dword ptr [edi]
            //   8d0482 | lea eax, [edx + eax*4]
            //   50     | push eax
            //   8d45c8 | lea eax, [ebp - 0x38]
        $sequence_2 = { 8b15???????? e8???????? 83c404 8d55ec }
            // n = 4, score = 100
            //   8b15???????? |
            //   e8????????   |
            //   83c404       | add esp, 4
            //   8d55ec       | lea edx, [ebp - 0x14]
        // Sequence 3 is the most distinctive one: and/jns/dec/or/inc on esi is the usual compiler idiom
        // for a signed `% 256`, followed by a byte lookup at [ebp + esi - 0x144]. That is consistent with
        // indexing a 256-byte table on the stack (e.g. a substitution/key-stream table) — an inference
        // from the disassembly only; confirm against the sample before relying on it for attribution.
        $sequence_3 = { 03f1 81e6ff000080 7908 4e 81ce00ffffff 46 0fb68c35bcfeffff }
            // n = 7, score = 100
            //   03f1             | add esi, ecx
            //   81e6ff000080     | and esi, 0x800000ff
            //   7908             | jns 0xa
            //   4e               | dec esi
            //   81ce00ffffff     | or esi, 0xffffff00
            //   46               | inc esi
            //   0fb68c35bcfeffff | movzx ecx, byte ptr [ebp + esi - 0x144]
        $sequence_4 = { 8d45f8 ba01000000 e8???????? 837df800 0f8576ffffff }
            // n = 5, score = 100
            //   8d45f8       | lea eax, [ebp - 8]
            //   ba01000000   | mov edx, 1
            //   e8????????   |
            //   837df800     | cmp dword ptr [ebp - 8], 0
            //   0f8576ffffff | jne 0xffffff7c
        $sequence_5 = { b900000000 e8???????? 33c0 5a 59 59 }
            // n = 6, score = 100
            //   b900000000 | mov ecx, 0
            //   e8???????? |
            //   33c0       | xor eax, eax
            //   5a         | pop edx
            //   59         | pop ecx
            //   59         | pop ecx
        $sequence_6 = { 8b45fc e8???????? 50 8b45f0 }
            // n = 4, score = 100
            //   8b45fc     | mov eax, dword ptr [ebp - 4]
            //   e8???????? |
            //   50         | push eax
            //   8b45f0     | mov eax, dword ptr [ebp - 0x10]
        $sequence_7 = { 29de eb59 fec5 668b1e }
            // n = 4, score = 100
            //   29de   | sub esi, ebx
            //   eb59   | jmp 0x5b
            //   fec5   | inc ch
            //   668b1e | mov bx, word ptr [esi]
        // Sequence 8: byte store into [ebp - 0x1c] with a counter compared against 8 — looks like an
        // 8-byte fill loop over a stack buffer (unverified; only the loop tail is captured here).
        $sequence_8 = { 884415e4 43 80fb08 7537 8d45e4 e8???????? }
            // n = 6, score = 100
            //   884415e4   | mov byte ptr [ebp + edx - 0x1c], al
            //   43         | inc ebx
            //   80fb08     | cmp bl, 8
            //   7537       | jne 0x39
            //   8d45e4     | lea eax, [ebp - 0x1c]
            //   e8???????? |
        $sequence_9 = { e8???????? 85c0 7467 8b45fc 8b34b8 85f6 }
            // n = 6, score = 100
            //   e8???????? |
            //   85c0       | test eax, eax
            //   7467       | je 0x69
            //   8b45fc     | mov eax, dword ptr [ebp - 4]
            //   8b34b8     | mov esi, dword ptr [eax + edi*4]
            //   85f6       | test esi, esi
    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object must be under
        // 172032 bytes. The size bound also applies to dumped/unpacked artefacts, so a large memory
        // dump that contains the code will not match unless it is carved down first.
        7 of them and filesize < 172032
}