Actor(s): Greenbug
There is no description at this point.
rule win_ismdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-29"
        version = "1"
        description = "Detects win.ismdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the per-instruction comments under each $sequence_N are
    // informational only; YARA matches the hex byte sequences, and the
    // "n = …, score = …" values are generator metadata that the condition
    // below does not use. Several annotations for $sequence_1 .. $sequence_7
    // do not appear to correspond to the bytes on the same line (for example,
    // "nop dword ptr [eax + eax]" on $sequence_7 is the decoding of
    // 0f1f440000, the first bytes of $sequence_6) and are 32-bit decodings
    // of what look like REX-prefixed x64 instructions (48/4c/41/49/4d).
    // Re-disassemble the bytes before using these comments for triage.

    strings:
        $sequence_0 = { 32c0 eb05 c0e804 2401 84c0 0f94c3 }
            // n = 6, score = 400
            //   32c0                 | xor                 al, al
            //   eb05                 | jmp                 7
            //   c0e804               | shr                 al, 4
            //   2401                 | and                 al, 1
            //   84c0                 | test                al, al
            //   0f94c3               | sete                bl

        $sequence_1 = { e9???????? 488b8a58000000 e9???????? 488b8a40000000 4883c140 e9???????? }
            // n = 6, score = 300
            //   e9????????           |
            //   488b8a58000000       | dec                 ebp
            //   e9????????           |
            //   488b8a40000000       | lea                 eax, [eax + 0x10]
            //   4883c140             | inc                 ecx
            //   e9????????           |

        $sequence_2 = { 488bd0 41b801000000 498bce ffd3 }
            // n = 4, score = 300
            //   488bd0               | mov                 ecx, dword ptr [edx + 0x40]
            //   41b801000000         | dec                 eax
            //   498bce               | add                 ecx, 0x20
            //   ffd3                 | dec                 eax

        $sequence_3 = { c684245801000000 4883bc245001000010 720d 488b8c2438010000 }
            // n = 4, score = 300
            //   c684245801000000     | mov                 dword ptr [eax - 8], eax
            //   4883bc245001000010   | dec                 esp
            //   720d                 | cmp                 ecx, esi
            //   488b8c2438010000     | dec                 eax

        $sequence_4 = { e9???????? 488b8a40000000 4883c120 e9???????? 488b8a60000000 }
            // n = 5, score = 300
            //   e9????????           |
            //   488b8a40000000       | dec                 ecx
            //   4883c120             | mov                 dword ptr [eax], eax
            //   e9????????           |
            //   488b8a60000000       | mov                 eax, dword ptr [ecx + 8]

        $sequence_5 = { 448be0 488d4d00 e8???????? 4c8b6c2460 4585e4 }
            // n = 5, score = 300
            //   448be0               | inc                 esp
            //   488d4d00             | mov                 esp, eax
            //   e8????????           |
            //   4c8b6c2460           | dec                 eax
            //   4585e4               | lea                 ecx, [ebp]

        $sequence_6 = { 0f1f440000 0fb701 488d4902 66894411fe }
            // n = 4, score = 300
            //   0f1f440000           | dec                 esp
            //   0fb701               | mov                 ebp, dword ptr [esp + 0x60]
            //   488d4902             | inc                 ebp
            //   66894411fe           | test                esp, esp

        $sequence_7 = { 498900 8b4108 4d8d4010 418940f8 4c3bce }
            // n = 5, score = 300
            //   498900               | nop                 dword ptr [eax + eax]
            //   8b4108               | movzx               eax, word ptr [ecx]
            //   4d8d4010             | dec                 eax
            //   418940f8             | lea                 ecx, [ecx + 2]
            //   4c3bce               | mov                 word ptr [ecx + edx - 2], ax

        $sequence_8 = { 8d4ddc c645fc01 e8???????? 83c430 c645fc04 b8abaaaa2a }
            // n = 6, score = 100
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |
            //   83c430               | add                 esp, 0x30
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab

        $sequence_9 = { 6aff c7411407000000 c7411000000000 668901 }
            // n = 4, score = 100
            //   6aff                 | push                -1
            //   c7411407000000       | mov                 dword ptr [ecx + 0x14], 7
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   668901               | mov                 word ptr [ecx], ax

        $sequence_10 = { c700???????? 8d4508 ba???????? 50 }
            // n = 4, score = 100
            //   c700????????         |
            //   8d4508               | lea                 eax, [ebp + 8]
            //   ba????????           |
            //   50                   | push                eax

        $sequence_11 = { 8bd0 c645fc20 8d8d20feffff e8???????? }
            // n = 4, score = 100
            //   8bd0                 | mov                 edx, eax
            //   c645fc20             | mov                 byte ptr [ebp - 4], 0x20
            //   8d8d20feffff         | lea                 ecx, [ebp - 0x1e0]
            //   e8????????           |

        $sequence_12 = { c7855cffffff00000000 c6854cffffff00 6a00 c741140f000000 }
            // n = 4, score = 100
            //   c7855cffffff00000000 | mov                 dword ptr [ebp - 0xa4], 0
            //   c6854cffffff00       | mov                 byte ptr [ebp - 0xb4], 0
            //   6a00                 | push                0
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf

        $sequence_13 = { e8???????? 8b957cffffff 83c618 3bf7 75eb }
            // n = 5, score = 100
            //   e8????????           |
            //   8b957cffffff         | mov                 edx, dword ptr [ebp - 0x84]
            //   83c618               | add                 esi, 0x18
            //   3bf7                 | cmp                 esi, edi
            //   75eb                 | jne                 0xffffffed

        $sequence_14 = { 84db 0f84ea000000 8b4e28 b8abaaaa2a 2b4e24 }
            // n = 5, score = 100
            //   84db                 | test                bl, bl
            //   0f84ea000000         | je                  0xf0
            //   8b4e28               | mov                 ecx, dword ptr [esi + 0x28]
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab
            //   2b4e24               | sub                 ecx, dword ptr [esi + 0x24]

    condition:
        // Any 7 of the 15 byte sequences must be present, and the scanned
        // object must be smaller than 1933312 bytes (the size bound is part
        // of the match, so larger dumps of the same code will not fire).
        7 of them and filesize < 1933312
}
rule win_ismdoor_w0 {
    // String-based rule: three hard-coded Windows reconnaissance command
    // lines and one "(Net User)" section banner, any of which is enough.

    meta:
        author = "Florian Roth"
        reference = "https://goo.gl/urp4CD"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // $x*: literal command lines (WMIC SecurityCenter query, domain
        // "net user", netstat redirected under %localappdata%\Microsoft\)
        $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii
        $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii
        $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii
        // $o1: a plain separator banner; it is matched on its own terms
        // below, so consider its precision when tuning this rule
        $o1 = "========================== (Net User) ==========================" fullword ascii

    condition:
        // a single hit on any of the four strings (including $o1 alone) matches
        any of them
}