No description of this family is available yet.
/*
 * win_jlorat_auto — autogenerated code-sequence signature for the win.jlorat
 * family (Malpedia), produced by yara-signator v0.6.0 (see meta below).
 *
 * How it matches: ten hex strings, each a run of seven consecutive 32-bit x86
 * instructions (esp/ebp-relative addressing, 32-bit GPRs) lifted from the
 * family's disassembly. The rule fires when at least 7 of the 10 sequences are
 * present and the scanned object is smaller than 10952704 bytes (~10.4 MiB).
 *
 * Wildcards: each `e8 ????????` / `e9 ????????` is a call/jmp whose rel32
 * displacement is masked, and `c700 ????????` / `c74008 ????????` are imm32
 * stores whose immediates are masked — those operands are build- and
 * layout-dependent, so they are not part of the signature.
 *
 * Per-sequence trailer comments (`// n = 7, score = 200`): n is the number of
 * instructions in the sequence; score is yara-signator's ranking value for it
 * (the scale is not documented here).
 *
 * Reviewer caveats (documentation only — the rule body is the generator's
 * output and is left untouched):
 *  - Derived from a single sample per family (see DISCLAIMER); expect it to
 *    under-generalize to other builds or compiler versions. Treat a hit as
 *    a strong indicator, not a definitive family label, and assign
 *    confidence accordingly.
 *  - There is deliberately no PE-header check (e.g. `uint16(0) == 0x5a4d`):
 *    the strings come from memory dumps and unpacked files, so the rule is
 *    meant to also match dumps that lack an MZ header. Adding such a check
 *    would reduce false positives on non-PE inputs at the cost of that
 *    coverage — a local tuning decision, not something to change here.
 *  - NOTE(review): YARA leaves `filesize` undefined when scanning a live
 *    process rather than a file, so the `filesize <` clause evaluates to
 *    false in process-memory scans and the rule will not match there. Use it
 *    on files and dumps on disk, or confirm your scanner's behaviour before
 *    relying on it for process scanning.
 */
rule win_jlorat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.jlorat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Masked call followed by a block of 16-byte SSE moves between
        // stack slots (movdqa/movaps through [esp + ...]); looks like a
        // large struct/buffer copy on the stack — TODO confirm.
        $sequence_0 = { e8???????? 660f6f8424f0030000 0f298424d0010000 0f28842450020000 0f288c24d0010000 0f289424c0010000 660f7f942410040000 }
            // n = 7, score = 200
            //   e8????????           |
            //   660f6f8424f0030000   | movdqa xmm0, xmmword ptr [esp + 0x3f0]
            //   0f298424d0010000     | movaps xmmword ptr [esp + 0x1d0], xmm0
            //   0f28842450020000     | movaps xmm0, xmmword ptr [esp + 0x250]
            //   0f288c24d0010000     | movaps xmm1, xmmword ptr [esp + 0x1d0]
            //   0f289424c0010000     | movaps xmm2, xmmword ptr [esp + 0x1c0]
            //   660f7f942410040000   | movdqa xmmword ptr [esp + 0x410], xmm2

        // Function epilogue: stores a double result, restores the saved
        // exception-handler chain head into fs:[0] (32-bit Windows SEH frame
        // teardown), frees 0x74 bytes of locals, pops callee-saved registers.
        $sequence_1 = { f20f1101 8b4de8 64890d00000000 83c474 5e 5f 5b }
            // n = 7, score = 200
            //   f20f1101             | movsd qword ptr [ecx], xmm0
            //   8b4de8               | mov ecx, dword ptr [ebp - 0x18]
            //   64890d00000000       | mov dword ptr fs:[0], ecx
            //   83c474               | add esp, 0x74
            //   5e                   | pop esi
            //   5f                   | pop edi
            //   5b                   | pop ebx

        // Masked call, then unoptimized-looking spill/reload of the return
        // value (+8) and zeroing of a neighbouring stack slot.
        $sequence_2 = { e8???????? 89442440 8b442440 83c008 89442430 c744244400000000 8b4c2444 }
            // n = 7, score = 200
            //   e8????????           |
            //   89442440             | mov dword ptr [esp + 0x40], eax
            //   8b442440             | mov eax, dword ptr [esp + 0x40]
            //   83c008               | add eax, 8
            //   89442430             | mov dword ptr [esp + 0x30], eax
            //   c744244400000000     | mov dword ptr [esp + 0x44], 0
            //   8b4c2444             | mov ecx, dword ptr [esp + 0x44]

        // Fills a 3-dword struct at [eax] (pointer at +0 and +8 masked,
        // constant 0x21 at +4), calls out, then hits ud2. Consistent with a
        // non-returning panic/abort helper being invoked with a
        // (ptr, len=33, ...) argument — presumably; verify in the sample.
        $sequence_3 = { c74008???????? c7400421000000 c700???????? e8???????? 0f0b 8b4c2438 8b44245c }
            // n = 7, score = 200
            //   c74008????????       |
            //   c7400421000000       | mov dword ptr [eax + 4], 0x21
            //   c700????????         |
            //   e8????????           |
            //   0f0b                 | ud2
            //   8b4c2438             | mov ecx, dword ptr [esp + 0x38]
            //   8b44245c             | mov eax, dword ptr [esp + 0x5c]

        // Masked call, short forward jmp, then the tail of an ebp-framed
        // function storing a constant and two local addresses via eax = esp.
        $sequence_4 = { e8???????? eb21 c745f008000000 89e0 8d8d60ffffff 894804 8d8d74ffffff }
            // n = 7, score = 200
            //   e8????????           |
            //   eb21                 | jmp 0x23
            //   c745f008000000       | mov dword ptr [ebp - 0x10], 8
            //   89e0                 | mov eax, esp
            //   8d8d60ffffff         | lea ecx, [ebp - 0xa0]
            //   894804               | mov dword ptr [eax + 4], ecx
            //   8d8d74ffffff         | lea ecx, [ebp - 0x8c]

        // Backward jmp, then a 64-bit compare of edi:ebx against 10
        // (cmp low half / sbb high half / jae) — a 64-bit unsigned bound
        // check on 32-bit code.
        $sequence_5 = { eb80 8b2c24 83fb0a 83df00 733f 8b54242c 8b742404 }
            // n = 7, score = 200
            //   eb80                 | jmp 0xffffff82
            //   8b2c24               | mov ebp, dword ptr [esp]
            //   83fb0a               | cmp ebx, 0xa
            //   83df00               | sbb edi, 0
            //   733f                 | jae 0x41
            //   8b54242c             | mov edx, dword ptr [esp + 0x2c]
            //   8b742404             | mov esi, dword ptr [esp + 4]

        // `jmp 2` is a no-op jump to the next instruction (codegen artefact
        // that survives in the binary); followed by copying two locals and
        // setting two byte flags to 1.
        $sequence_6 = { eb00 8b45b4 8b4db8 c645e201 894dc4 c645e101 8945c8 }
            // n = 7, score = 200
            //   eb00                 | jmp 2
            //   8b45b4               | mov eax, dword ptr [ebp - 0x4c]
            //   8b4db8               | mov ecx, dword ptr [ebp - 0x48]
            //   c645e201             | mov byte ptr [ebp - 0x1e], 1
            //   894dc4               | mov dword ptr [ebp - 0x3c], ecx
            //   c645e101             | mov byte ptr [ebp - 0x1f], 1
            //   8945c8               | mov dword ptr [ebp - 0x38], eax

        // Widening multiply, then an add whose carry is captured with setb
        // and OR-ed into al — looks like checked-arithmetic overflow
        // tracking (carry folded into a running overflow byte); hedged.
        $sequence_7 = { f7e1 89c1 8a842417010000 01f2 89942418010000 0f92c4 08e0 }
            // n = 7, score = 200
            //   f7e1                 | mul ecx
            //   89c1                 | mov ecx, eax
            //   8a842417010000       | mov al, byte ptr [esp + 0x117]
            //   01f2                 | add edx, esi
            //   89942418010000       | mov dword ptr [esp + 0x118], edx
            //   0f92c4               | setb ah
            //   08e0                 | or al, ah

        // Two single-bit flag tests on locals (bit 0 of [ebp - 0x27] and of
        // [ebp - 0x17d]) with conditional branches; the e9 jmp target is
        // masked.
        $sequence_8 = { eb00 f645d901 0f854e030000 e9???????? 8a8583feffff a801 7553 }
            // n = 7, score = 200
            //   eb00                 | jmp 2
            //   f645d901             | test byte ptr [ebp - 0x27], 1
            //   0f854e030000         | jne 0x354
            //   e9????????           |
            //   8a8583feffff         | mov al, byte ptr [ebp - 0x17d]
            //   a801                 | test al, 1
            //   7553                 | jne 0x55

        // Field shuffling inside a large object at esi: copies the qword at
        // +0x3a0 to +0xc00 and +0xa84 to +0x5c. The fixed offsets are what
        // make this sequence specific to the family's struct layout.
        $sequence_9 = { 8b8ea0030000 8b86a4030000 898e000c0000 8986040c0000 8b86840a0000 89465c 8b86000c0000 }
            // n = 7, score = 200
            //   8b8ea0030000         | mov ecx, dword ptr [esi + 0x3a0]
            //   8b86a4030000         | mov eax, dword ptr [esi + 0x3a4]
            //   898e000c0000         | mov dword ptr [esi + 0xc00], ecx
            //   8986040c0000         | mov dword ptr [esi + 0xc04], eax
            //   8b86840a0000         | mov eax, dword ptr [esi + 0xa84]
            //   89465c               | mov dword ptr [esi + 0x5c], eax
            //   8b86000c0000         | mov eax, dword ptr [esi + 0xc00]

    condition:
        // At least 7 of the 10 sequences must be present. The size bound
        // (10952704 bytes) limits scan cost on large inputs; see the header
        // note on `filesize` being undefined in process-memory scans.
        7 of them and filesize < 10952704
}