Actor(s): Greenbug
There is no description at this point.
rule win_ismdoor_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.ismdoor." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { eb05 c0e804 2401 84c0 0f94c3 } // n = 5, score = 400 // eb05 | jmp 7 // c0e804 | shr al, 4 // 2401 | and al, 1 // 84c0 | test al, al // 0f94c3 | sete bl $sequence_1 = { 498bc1 48f7e9 48c1fa05 488bca 48c1e93f } // n = 5, score = 300 // 498bc1 | je 0x28 // 48f7e9 | dec ebp // 48c1fa05 | mov eax, esi // 488bca | inc ecx // 48c1e93f | cmp edi, esi $sequence_2 = { 488b16 4903d7 4c896517 4c89651f 48c7451f0f000000 } // n = 5, score = 300 // 488b16 | dec eax // 4903d7 | mov ecx, ebp // 4c896517 | dec ecx // 4c89651f | mov eax, ecx // 48c7451f0f000000 | dec eax $sequence_3 = { 4885c0 7471 4d85f6 7421 4d8bc6 } // n = 5, score = 300 // 4885c0 | je 0x35 // 7471 | dec eax // 4d85f6 | mov dword ptr [esp + 0x28], 0xffffffff // 7421 | dec eax // 4d8bc6 | mov dword ptr [esp + 0x20], ebx $sequence_4 = { eb03 482bd0 440fb64e10 41b801000000 488bcb e8???????? } // n = 6, score = 300 // eb03 | jae 0x15 // 482bd0 | inc esp // 440fb64e10 | sub esi, edi // 41b801000000 | dec eax // 488bcb | mov edx, ebx // e8???????? | $sequence_5 = { 4c8bbd80000000 4883ffff 7433 48c7442428ffffffff 48895c2420 } // n = 5, score = 300 // 4c8bbd80000000 | cmp dword ptr [eax + 4], edx // 4883ffff | dec esp // 7433 | mov edi, dword ptr [ebp + 0x80] // 48c7442428ffffffff | dec eax // 48895c2420 | cmp edi, -1 $sequence_6 = { 4883fb08 7cf0 eb1b 395004 } // n = 4, score = 300 // 4883fb08 | dec eax // 7cf0 | cmp ebx, 8 // eb1b | jl 0xfffffff2 // 395004 | jmp 0x1d $sequence_7 = { 413bfe 7313 442bf7 488bd3 488bcd } // n = 5, score = 300 // 413bfe | dec eax // 7313 | test eax, eax // 442bf7 | je 0x73 // 488bd3 | dec ebp // 488bcd | test esi, esi $sequence_8 = { 7469 a1???????? 85c0 7535 } // n = 4, score = 100 // 7469 | je 0x6b // a1???????? | // 85c0 | test eax, eax // 7535 | jne 0x37 $sequence_9 = { 57 8b7d08 23c8 394e18 7709 } // n = 5, score = 100 // 57 | push edi // 8b7d08 | mov edi, dword ptr [ebp + 8] // 23c8 | and ecx, eax // 394e18 | cmp dword ptr [esi + 0x18], ecx // 7709 | ja 0xb $sequence_10 = { 59 83f80a 732f 8a80181e4700 } // n = 4, score = 100 // 59 | pop ecx // 83f80a | cmp eax, 0xa // 732f | jae 0x31 // 8a80181e4700 | mov al, byte ptr [eax + 0x471e18] $sequence_11 = { 8b048528a54800 8064082480 8ac2 8b4d14 } // n = 4, score = 100 // 8b048528a54800 | mov eax, dword ptr [eax*4 + 0x48a528] // 8064082480 | and byte ptr [eax + ecx + 0x24], 0x80 // 8ac2 | mov al, dl // 8b4d14 | mov ecx, dword ptr [ebp + 0x14] $sequence_12 = { e8???????? 83ec08 c645fc2c 8d4db8 e8???????? 8d8574ffffff } // n = 6, score = 100 // e8???????? | // 83ec08 | sub esp, 8 // c645fc2c | mov byte ptr [ebp - 4], 0x2c // 8d4db8 | lea ecx, [ebp - 0x48] // e8???????? | // 8d8574ffffff | lea eax, [ebp - 0x8c] $sequence_13 = { e8???????? 8d4dd4 c645fc03 51 8bd0 } // n = 5, score = 100 // e8???????? | // 8d4dd4 | lea ecx, [ebp - 0x2c] // c645fc03 | mov byte ptr [ebp - 4], 3 // 51 | push ecx // 8bd0 | mov edx, eax $sequence_14 = { 32c9 c645fc31 e8???????? 83c430 c645fc1e } // n = 5, score = 100 // 32c9 | xor cl, cl // c645fc31 | mov byte ptr [ebp - 4], 0x31 // e8???????? | // 83c430 | add esp, 0x30 // c645fc1e | mov byte ptr [ebp - 4], 0x1e condition: 7 of them and filesize < 1933312 }
rule win_ismdoor_w0 { meta: author = "Florian Roth" reference = "https://goo.gl/urp4CD" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor" malpedia_version = "20180301" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii $o1 = "========================== (Net User) ==========================" ascii fullword condition: 1 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY