Actor(s): Greenbug
There is no description at this point.
rule win_ismdoor_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.ismdoor." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 32c0 eb05 c0e804 2401 84c0 0f94c3 } // n = 6, score = 400 // 32c0 | xor al, al // eb05 | jmp 7 // c0e804 | shr al, 4 // 2401 | and al, 1 // 84c0 | test al, al // 0f94c3 | sete bl $sequence_1 = { 488bcf e8???????? 90 488bc7 4883c440 } // n = 5, score = 300 // 488bcf | inc ecx // e8???????? | // 90 | movzx eax, si // 488bc7 | dec eax // 4883c440 | cmp dword ptr [ecx + 0x90], 0 $sequence_2 = { 83f803 7c58 4533c9 4c8bc3 488d15d4f4ffff 8bce e8???????? } // n = 7, score = 300 // 83f803 | mov dword ptr [esp + 0x30], 8 // 7c58 | test eax, eax // 4533c9 | cmp eax, 3 // 4c8bc3 | jl 0x5a // 488d15d4f4ffff | inc ebp // 8bce | xor ecx, ecx // e8???????? | $sequence_3 = { 488b0d???????? e8???????? 488bcb 4883c420 5b 48ffe0 } // n = 6, score = 300 // 488b0d???????? | // e8???????? | // 488bcb | dec esp // 4883c420 | mov eax, ebx // 5b | dec eax // 48ffe0 | lea edx, [0xfffff4d4] $sequence_4 = { 410fb7c6 e9???????? 4883b99000000000 0f84ac010000 4c8b4118 488d8180000000 } // n = 6, score = 300 // 410fb7c6 | pop ebx // e9???????? | // 4883b99000000000 | dec eax // 0f84ac010000 | jmp eax // 4c8b4118 | dec eax // 488d8180000000 | mov ecx, dword ptr [ebp + 0xe0] $sequence_5 = { 4883ec20 8b4138 8364243400 488bf9 c744243008000000 85c0 } // n = 6, score = 300 // 4883ec20 | dec eax // 8b4138 | sub esp, 0x20 // 8364243400 | mov eax, dword ptr [ecx + 0x38] // 488bf9 | and dword ptr [esp + 0x34], 0 // c744243008000000 | dec eax // 85c0 | mov edi, ecx $sequence_6 = { c744243000000000 488d0c5b 48c1e106 4803cf 4d8bc4 41be01000000 418bd6 } // n = 7, score = 300 // c744243000000000 | dec eax // 488d0c5b | mov dword ptr [ebp + 0xf8], 0xf // 48c1e106 | dec esp // 4803cf | mov dword ptr [ebp + 0xf0], edi // 4d8bc4 | mov byte ptr [ebp + 0xe0], 0 // 41be01000000 | dec eax // 418bd6 | cmp dword ptr [ebp - 0x68], 0x10 $sequence_7 = { 488b8de0000000 e8???????? 48c785f80000000f000000 4c89bdf0000000 c685e000000000 48837d9810 } // n = 6, score = 300 // 488b8de0000000 | mov ecx, esi // e8???????? | // 48c785f80000000f000000 | dec eax // 4c89bdf0000000 | mov ecx, ebx // c685e000000000 | dec eax // 48837d9810 | add esp, 0x20 $sequence_8 = { b8abaaaa2a 8b4c2470 2b4c246c f7e9 895c2410 } // n = 5, score = 100 // b8abaaaa2a | mov eax, 0x2aaaaaab // 8b4c2470 | mov ecx, dword ptr [esp + 0x70] // 2b4c246c | sub ecx, dword ptr [esp + 0x6c] // f7e9 | imul ecx // 895c2410 | mov dword ptr [esp + 0x10], ebx $sequence_9 = { 83f816 731c 83fe08 7d0a 8a80a01e4700 8803 } // n = 6, score = 100 // 83f816 | cmp eax, 0x16 // 731c | jae 0x1e // 83fe08 | cmp esi, 8 // 7d0a | jge 0xc // 8a80a01e4700 | mov al, byte ptr [eax + 0x471ea0] // 8803 | mov byte ptr [ebx], al $sequence_10 = { 84c0 0f94c0 84c0 0f84e6000000 68???????? } // n = 5, score = 100 // 84c0 | test al, al // 0f94c0 | sete al // 84c0 | test al, al // 0f84e6000000 | je 0xec // 68???????? | $sequence_11 = { 7720 837c246808 89542464 0f43442454 33c9 66890c50 } // n = 6, score = 100 // 7720 | ja 0x22 // 837c246808 | cmp dword ptr [esp + 0x68], 8 // 89542464 | mov dword ptr [esp + 0x64], edx // 0f43442454 | cmovae eax, dword ptr [esp + 0x54] // 33c9 | xor ecx, ecx // 66890c50 | mov word ptr [eax + edx*2], cx $sequence_12 = { 2bc8 d1f9 85c0 7513 } // n = 4, score = 100 // 2bc8 | sub ecx, eax // d1f9 | sar ecx, 1 // 85c0 | test eax, eax // 7513 | jne 0x15 $sequence_13 = { 751c ff7350 ff742420 e8???????? } // n = 4, score = 100 // 751c | jne 0x1e // ff7350 | push dword ptr [ebx + 0x50] // ff742420 | push dword ptr [esp + 0x20] // e8???????? | $sequence_14 = { 8d45f4 64a300000000 8965f0 8bf1 8d45b0 8975a8 } // n = 6, score = 100 // 8d45f4 | lea eax, [ebp - 0xc] // 64a300000000 | mov dword ptr fs:[0], eax // 8965f0 | mov dword ptr [ebp - 0x10], esp // 8bf1 | mov esi, ecx // 8d45b0 | lea eax, [ebp - 0x50] // 8975a8 | mov dword ptr [ebp - 0x58], esi condition: 7 of them and filesize < 1933312 }
rule win_ismdoor_w0 { meta: author = "Florian Roth" reference = "https://goo.gl/urp4CD" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor" malpedia_version = "20180301" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter" fullword ascii $x2 = "cmd /a /c net user administrator /domain >>" fullword ascii $x3 = "cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\" fullword ascii $o1 = "========================== (Net User) ==========================" ascii fullword condition: 1 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY