There is no description at this point.
rule win_jinxloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.jinxloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jinxloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-byte annotations below were re-derived from the
     * hex patterns as x86-64 code, because the generator's annotation column
     * was offset from the bytes it labels; confirm against a disassembler
     * before relying on any single line.  "e8????????" is a near call whose
     * rel32 target is wildcarded, so it matches a call to any destination.
     * Every sequence is a 7-instruction window ("n = 7"); the patterns come
     * from unpacked/dumped code, so they are not expected to hit packed
     * samples on disk (see DISCLAIMER).
     */
    strings:
        $sequence_0 = { e8???????? 488b542460 488b7a08 488b7210 4c8b4218 90 4889f8 }
            // n = 7, score = 100
            //   e8????????         | call <wildcarded rel32>
            //   488b542460         | mov rdx, qword ptr [rsp + 0x60]
            //   488b7a08           | mov rdi, qword ptr [rdx + 8]
            //   488b7210           | mov rsi, qword ptr [rdx + 0x10]
            //   4c8b4218           | mov r8, qword ptr [rdx + 0x18]
            //   90                 | nop
            //   4889f8             | mov rax, rdi

        $sequence_1 = { 55 4889e5 4883ec38 48ba75739294b2366a91 488954242a 48ba6a917288a2a5d16f 4889542430 }
            // n = 7, score = 100
            //   55                    | push rbp
            //   4889e5                | mov rbp, rsp
            //   4883ec38              | sub rsp, 0x38
            //   48ba75739294b2366a91  | movabs rdx, 0x916a36b294927375
            //   488954242a            | mov qword ptr [rsp + 0x2a], rdx
            //   48ba6a917288a2a5d16f  | movabs rdx, 0x6fd1a5a28872916a
            //   4889542430            | mov qword ptr [rsp + 0x30], rdx
            // Two 8-byte immediates written to adjacent stack slots; looks like
            // an inline string/constant build on the stack -- not verified here.

        $sequence_2 = { e8???????? 48895c2418 48898424f0000000 90 488d0542f42500 6690 e8???????? }
            // n = 7, score = 100
            //   e8????????         | call <wildcarded rel32>
            //   48895c2418         | mov qword ptr [rsp + 0x18], rbx
            //   48898424f0000000   | mov qword ptr [rsp + 0xf0], rax
            //   90                 | nop
            //   488d0542f42500     | lea rax, [rip + 0x25f442]
            //   6690               | xchg ax, ax  (2-byte nop)
            //   e8????????         | call <wildcarded rel32>

        $sequence_3 = { 90 e8???????? 488b4c2478 4839c8 7351 488b4c2440 8b5104 }
            // n = 7, score = 100
            //   90                 | nop
            //   e8????????         | call <wildcarded rel32>
            //   488b4c2478         | mov rcx, qword ptr [rsp + 0x78]
            //   4839c8             | cmp rax, rcx
            //   7351               | jae +0x51
            //   488b4c2440         | mov rcx, qword ptr [rsp + 0x40]
            //   8b5104             | mov edx, dword ptr [rcx + 4]

        $sequence_4 = { ffd7 488b4c2418 48ffc1 488b442470 488b542438 488b5c2478 488bb42488000000 }
            // n = 7, score = 100
            //   ffd7               | call rdi
            //   488b4c2418         | mov rcx, qword ptr [rsp + 0x18]
            //   48ffc1             | inc rcx
            //   488b442470         | mov rax, qword ptr [rsp + 0x70]
            //   488b542438         | mov rdx, qword ptr [rsp + 0x38]
            //   488b5c2478         | mov rbx, qword ptr [rsp + 0x78]
            //   488bb42488000000   | mov rsi, qword ptr [rsp + 0x88]

        $sequence_5 = { 89f7 31d6 8d3430 8d76b4 4883fa1d 7337 440fb644141b }
            // n = 7, score = 100
            //   89f7               | mov edi, esi
            //   31d6               | xor esi, edx
            //   8d3430             | lea esi, [rax + rsi]
            //   8d76b4             | lea esi, [rsi - 0x4c]
            //   4883fa1d           | cmp rdx, 0x1d
            //   7337               | jae +0x37
            //   440fb644141b       | movzx r8d, byte ptr [rsp + rdx + 0x1b]
            // Bounds check on rdx followed by a byte load from a stack buffer;
            // the 0x1d / 0x1b constants suggest a fixed-size table or string.

        $sequence_6 = { eb03 4889ca 4889942418040000 488b942400030000 4889942420040000 488d8c2418040000 bf01000000 }
            // n = 7, score = 100
            //   eb03               | jmp +3
            //   4889ca             | mov rdx, rcx
            //   4889942418040000   | mov qword ptr [rsp + 0x418], rdx
            //   488b942400030000   | mov rdx, qword ptr [rsp + 0x300]
            //   4889942420040000   | mov qword ptr [rsp + 0x420], rdx
            //   488d8c2418040000   | lea rcx, [rsp + 0x418]
            //   bf01000000         | mov edi, 1

        $sequence_7 = { e8???????? 4889c1 4889df 488d05eea11700 488b9c24b8000000 e8???????? 488b8424c8000000 }
            // n = 7, score = 100
            //   e8????????         | call <wildcarded rel32>
            //   4889c1             | mov rcx, rax
            //   4889df             | mov rdi, rbx
            //   488d05eea11700     | lea rax, [rip + 0x17a1ee]
            //   488b9c24b8000000   | mov rbx, qword ptr [rsp + 0xb8]
            //   e8????????         | call <wildcarded rel32>
            //   488b8424c8000000   | mov rax, qword ptr [rsp + 0xc8]

        $sequence_8 = { b871000000 ffd1 488b08 4889c2 b88effffff ffd1 488b08 }
            // n = 7, score = 100
            //   b871000000         | mov eax, 0x71
            //   ffd1               | call rcx
            //   488b08             | mov rcx, qword ptr [rax]
            //   4889c2             | mov rdx, rax
            //   b88effffff         | mov eax, 0xffffff8e
            //   ffd1               | call rcx
            //   488b08             | mov rcx, qword ptr [rax]
            // Repeated "load selector into eax, call rcx, reload rcx from [rax]"
            // resembles an indirect dispatch through a function pointer table;
            // the meaning of 0x71 / 0xffffff8e is not established by this rule.

        $sequence_9 = { e8???????? 8b4c2458 8908 488b4c2450 48894c2438 4889442430 488b4c2460 }
            // n = 7, score = 100
            //   e8????????         | call <wildcarded rel32>
            //   8b4c2458           | mov ecx, dword ptr [rsp + 0x58]
            //   8908               | mov dword ptr [rax], ecx
            //   488b4c2450         | mov rcx, qword ptr [rsp + 0x50]
            //   48894c2438         | mov qword ptr [rsp + 0x38], rcx
            //   4889442430         | mov qword ptr [rsp + 0x30], rax
            //   488b4c2460         | mov rcx, qword ptr [rsp + 0x60]

    condition:
        // Ten $sequence_* strings are declared; any seven must be present.
        // The filesize cap (20364288 bytes, about 19.4 MiB) is the value the
        // generator emitted; raise it deliberately if scanning larger artefacts.
        7 of them and filesize < 20364288
}