Actor(s): Greenbug
There is no description at this point.
rule win_ismdoor_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.ismdoor." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83f8ff 7504 32c0 eb05 c0e804 2401 84c0 } // n = 7, score = 400 // 83f8ff | cmp eax, -1 // 7504 | jne 6 // 32c0 | xor al, al // eb05 | jmp 7 // c0e804 | shr al, 4 // 2401 | and al, 1 // 84c0 | test al, al $sequence_1 = { 48c745d80f000000 4c8965d0 c645c000 48837d5810 7209 488b4d40 e8???????? } // n = 7, score = 300 // 48c745d80f000000 | mov ebp, edx // 4c8965d0 | dec eax // c645c000 | cmp ecx, edx // 48837d5810 | je 0xe9 // 7209 | dec eax // 488b4d40 | mov dword ptr [esp + 0x30], ebx // e8???????? | $sequence_2 = { 488d8a10010000 e9???????? 488d8ad0000000 e9???????? 488d8a68010000 e9???????? 488b8a50000000 } // n = 7, score = 300 // 488d8a10010000 | jb 0x18 // e9???????? | // 488d8ad0000000 | dec eax // e9???????? | // 488d8a68010000 | mov ecx, dword ptr [ebp + 0x40] // e9???????? | // 488b8a50000000 | jb 0x253 $sequence_3 = { 498bd6 498bc9 e8???????? 90 488b15???????? 4881c2c0000000 } // n = 6, score = 300 // 498bd6 | jne 0x32 // 498bc9 | dec ecx // e8???????? | // 90 | mov edx, esi // 488b15???????? | // 4881c2c0000000 | dec ecx $sequence_4 = { 0f824d020000 48895d40 488d4530 4883fa10 480f43c1 c6041800 } // n = 6, score = 300 // 0f824d020000 | dec eax // 48895d40 | mov dword ptr [esp + 0x38], edi // 488d4530 | dec ecx // 4883fa10 | lea edi, [eax + 0x28] // 480f43c1 | dec eax // c6041800 | mov dword ptr [ebp - 0x28], 0xf $sequence_5 = { 498bf0 488bea 483bca 0f84e3000000 48895c2430 48897c2438 498d7828 } // n = 7, score = 300 // 498bf0 | mov ecx, ecx // 488bea | nop // 483bca | dec eax // 0f84e3000000 | add edx, 0xc0 // 48895c2430 | dec ecx // 48897c2438 | mov esi, eax // 498d7828 | dec eax $sequence_6 = { e8???????? 488b4f38 488b01 8b5f20 ff5008 8a15???????? 41bc02000000 } // n = 7, score = 300 // e8???????? | // 488b4f38 | dec esp // 488b01 | mov dword ptr [ebp - 0x30], esp // 8b5f20 | mov byte ptr [ebp - 0x40], 0 // ff5008 | dec eax // 8a15???????? | // 41bc02000000 | cmp dword ptr [ebp + 0x58], 0x10 $sequence_7 = { 488bf8 ff15???????? 85c0 7530 } // n = 4, score = 300 // 488bf8 | dec eax // ff15???????? | // 85c0 | mov edi, eax // 7530 | test eax, eax $sequence_8 = { c645fc04 898688000000 33c0 c7868000000000000000 } // n = 4, score = 100 // c645fc04 | mov byte ptr [ebp - 4], 4 // 898688000000 | mov dword ptr [esi + 0x88], eax // 33c0 | xor eax, eax // c7868000000000000000 | mov dword ptr [esi + 0x80], 0 $sequence_9 = { dd00 dd5de8 eb2e c745dcc85f4700 } // n = 4, score = 100 // dd00 | fld qword ptr [eax] // dd5de8 | fstp qword ptr [ebp - 0x18] // eb2e | jmp 0x30 // c745dcc85f4700 | mov dword ptr [ebp - 0x24], 0x475fc8 $sequence_10 = { c68540ffffff00 83bd24ffffff10 720e ffb510ffffff } // n = 4, score = 100 // c68540ffffff00 | mov byte ptr [ebp - 0xc0], 0 // 83bd24ffffff10 | cmp dword ptr [ebp - 0xdc], 0x10 // 720e | jb 0x10 // ffb510ffffff | push dword ptr [ebp - 0xf0] $sequence_11 = { 6aff 50 56 8d4c2460 c744247407000000 } // n = 5, score = 100 // 6aff | push -1 // 50 | push eax // 56 | push esi // 8d4c2460 | lea ecx, [esp + 0x60] // c744247407000000 | mov dword ptr [esp + 0x74], 7 $sequence_12 = { 7d0d 8a441918 888170674800 41 ebe8 8975e4 } // n = 6, score = 100 // 7d0d | jge 0xf // 8a441918 | mov al, byte ptr [ecx + ebx + 0x18] // 888170674800 | mov byte ptr [ecx + 0x486770], al // 41 | inc ecx // ebe8 | jmp 0xffffffea // 8975e4 | mov dword ptr [ebp - 0x1c], esi $sequence_13 = { c645fc0f 8d8d64ffffff e8???????? 83c41c } // n = 4, score = 100 // c645fc0f | mov byte ptr [ebp - 4], 0xf // 8d8d64ffffff | lea ecx, [ebp - 0x9c] // e8???????? | // 83c41c | add esp, 0x1c $sequence_14 = { e8???????? 8d4de4 c645fc00 e8???????? 83c430 ba01000000 } // n = 6, score = 100 // e8???????? | // 8d4de4 | lea ecx, [ebp - 0x1c] // c645fc00 | mov byte ptr [ebp - 4], 0 // e8???????? | // 83c430 | add esp, 0x30 // ba01000000 | mov edx, 1 condition: 7 of them and filesize < 1933312 }
rule win_ismdoor_w0 { meta: author = "Florian Roth" reference = "https://goo.gl/urp4CD" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor" malpedia_version = "20180301" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii $o1 = "========================== (Net User) ==========================" ascii fullword condition: 1 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY