Actor(s): Lotus Blossom
There is no description at this point.
rule win_elise_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.elise." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7475 8b4d08 0b4d0c 745f 3b4648 735a } // n = 6, score = 400 // 7475 | je 0x77 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 0b4d0c | or ecx, dword ptr [ebp + 0xc] // 745f | je 0x61 // 3b4648 | cmp eax, dword ptr [esi + 0x48] // 735a | jae 0x5c $sequence_1 = { 83400801 6a04 5e 11580c 8955fc } // n = 5, score = 400 // 83400801 | add dword ptr [eax + 8], 1 // 6a04 | push 4 // 5e | pop esi // 11580c | adc dword ptr [eax + 0xc], ebx // 8955fc | mov dword ptr [ebp - 4], edx $sequence_2 = { 8bfe e8???????? 8945f4 83f8ff } // n = 4, score = 400 // 8bfe | mov edi, esi // e8???????? | // 8945f4 | mov dword ptr [ebp - 0xc], eax // 83f8ff | cmp eax, -1 $sequence_3 = { 8d46c0 8945f0 83f804 0f8299000000 33db } // n = 5, score = 400 // 8d46c0 | lea eax, [esi - 0x40] // 8945f0 | mov dword ptr [ebp - 0x10], eax // 83f804 | cmp eax, 4 // 0f8299000000 | jb 0x9f // 33db | xor ebx, ebx $sequence_4 = { 7cf5 33c9 888f00010000 888f01010000 8bf7 } // n = 5, score = 400 // 7cf5 | jl 0xfffffff7 // 33c9 | xor ecx, ecx // 888f00010000 | mov byte ptr [edi + 0x100], cl // 888f01010000 | mov byte ptr [edi + 0x101], cl // 8bf7 | mov esi, edi $sequence_5 = { 8d041f ff75e4 50 e8???????? 033d???????? } // n = 5, score = 400 // 8d041f | lea eax, [edi + ebx] // ff75e4 | push dword ptr [ebp - 0x1c] // 50 | push eax // e8???????? | // 033d???????? | $sequence_6 = { 395d08 7307 8b5d08 c645ff01 895de4 85db } // n = 6, score = 400 // 395d08 | cmp dword ptr [ebp + 8], ebx // 7307 | jae 9 // 8b5d08 | mov ebx, dword ptr [ebp + 8] // c645ff01 | mov byte ptr [ebp - 1], 1 // 895de4 | mov dword ptr [ebp - 0x1c], ebx // 85db | test ebx, ebx $sequence_7 = { 034e3c b800030000 d3e0 53 } // n = 4, score = 400 // 034e3c | add ecx, dword ptr [esi + 0x3c] // b800030000 | mov eax, 0x300 // d3e0 | shl eax, cl // 53 | push ebx $sequence_8 = { 8945dc 33c0 8d7dec ab ab } // n = 5, score = 400 // 8945dc | mov dword ptr [ebp - 0x24], eax // 33c0 | xor eax, eax // 8d7dec | lea edi, [ebp - 0x14] // ab | stosd dword ptr es:[edi], eax // ab | stosd dword ptr es:[edi], eax $sequence_9 = { e9???????? 833d????????00 7405 e8???????? 83c8ff } // n = 5, score = 300 // e9???????? | // 833d????????00 | // 7405 | je 7 // e8???????? | // 83c8ff | or eax, 0xffffffff $sequence_10 = { 33c2 eb02 d1e8 4e 75f1 } // n = 5, score = 300 // 33c2 | xor eax, edx // eb02 | jmp 4 // d1e8 | shr eax, 1 // 4e | dec esi // 75f1 | jne 0xfffffff3 $sequence_11 = { 8a9001010000 0f8e93000000 53 56 57 0fb6f1 } // n = 6, score = 300 // 8a9001010000 | mov dl, byte ptr [eax + 0x101] // 0f8e93000000 | jle 0x99 // 53 | push ebx // 56 | push esi // 57 | push edi // 0fb6f1 | movzx esi, cl $sequence_12 = { 33c9 6a08 8bc1 5e a801 7406 } // n = 6, score = 300 // 33c9 | xor ecx, ecx // 6a08 | push 8 // 8bc1 | mov eax, ecx // 5e | pop esi // a801 | test al, 1 // 7406 | je 8 $sequence_13 = { 59 8b45f0 8b55f4 5f 5e 5b } // n = 6, score = 300 // 59 | pop ecx // 8b45f0 | mov eax, dword ptr [ebp - 0x10] // 8b55f4 | mov edx, dword ptr [ebp - 0xc] // 5f | pop edi // 5e | pop esi // 5b | pop ebx $sequence_14 = { 8d4e01 81e1ff000080 7908 49 81c900ffffff 41 } // n = 6, score = 300 // 8d4e01 | lea ecx, [esi + 1] // 81e1ff000080 | and ecx, 0x800000ff // 7908 | jns 0xa // 49 | dec ecx // 81c900ffffff | or ecx, 0xffffff00 // 41 | inc ecx $sequence_15 = { 301f ff45f8 8b7df8 3b7d0c 0f8c7bffffff } // n = 5, score = 300 // 301f | xor byte ptr [edi], bl // ff45f8 | inc dword ptr [ebp - 8] // 8b7df8 | mov edi, dword ptr [ebp - 8] // 3b7d0c | cmp edi, dword ptr [ebp + 0xc] // 0f8c7bffffff | jl 0xffffff81 condition: 7 of them and filesize < 204800 }
rule win_elise_w0 { meta: author = "ThreatConnect Intelligence Research Team - Wes Hurd" license = "Usage of this signature is subject to the ThreatConnect Terms of Service, which are incorporated herein by reference." source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Elise.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $0E = "\\000ELISEA" $D = "~DF37382D8F2E.tmp" nocase wide ascii $SE = "SetElise.pdb" wide ascii $xpage = "/%x/page_%02d%02d%02d%02d.html" wide ascii condition: any of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY