Actor(s): APT32
There is no description at this point.
// Auto-generated YARA rule for the win.kerrdown family (see meta below).
// It fires when at least 7 of the 10 code-byte sequences under `strings:` are
// present and the scanned file is smaller than 278528 bytes (272 KiB).
// The sequences were extracted by YARA-Signator from disassembly of memory dumps
// and unpacked files (see the DISCLAIMER below); NOTE(review): packed on-disk
// samples may therefore not match — confirm against your own sample set.
rule win_kerrdown_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.kerrdown."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // generator features used to pick the sequences below
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each $sequence_N is a run of x86 instruction bytes. In the hex strings,
    // `??` is a YARA single-byte wildcard; the `????????` runs mask a 4-byte
    // operand that depends on load address (a rel32 call target or an absolute
    // data address), so the sequence matches regardless of where the image was
    // mapped. The `// n = …, score = …` lines are the generator's own metadata
    // (n = instruction count in the sequence).
    strings:
        // NOTE(review): push ds / int 0x3a is an unusual instruction mix; this
        // sequence looks more like data bytes disassembled as code than real
        // code — unconfirmed, but weigh it accordingly in the 7-of-10 threshold.
        $sequence_0 = { 1e f2cd3a bdbe33f88e 0a627a }
            // n = 4, score = 200
            //   1e                   | push                ds
            //   f2cd3a               | int                 0x3a
            //   bdbe33f88e           | mov                 ebp, 0x8ef833be
            //   0a627a               | or                  ah, byte ptr [edx + 0x7a]

        // Zeroes four consecutive stack bytes ([ebp+eax-0x18], eax 0..3) in a loop.
        $sequence_1 = { c64405e800 40 83f804 7cef 33db 0f1f4000 }
            // n = 6, score = 200
            //   c64405e800           | mov                 byte ptr [ebp + eax - 0x18], 0
            //   40                   | inc                 eax
            //   83f804               | cmp                 eax, 4
            //   7cef                 | jl                  0xfffffff1
            //   33db                 | xor                 ebx, ebx
            //   0f1f4000             | nop                 dword ptr [eax]

        // Leading de05 is an x87 instruction with an absolute memory operand;
        // its 4-byte address is wildcarded (hence no disassembly line for it).
        $sequence_2 = { de05???????? 7f75 7217 a4 7d15 6bcdac 73d0 }
            // n = 7, score = 200
            //   de05????????         |
            //   7f75                 | jg                  0x77
            //   7217                 | jb                  0x19
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   7d15                 | jge                 0x17
            //   6bcdac               | imul                ecx, ebp, -0x54
            //   73d0                 | jae                 0xffffffd2

        // Compares bl against 0x3d ('='), then passes bl to a cdecl function
        // (push / call rel32 / add esp, 4) and tests its return value.
        // The call target (e8 ????????) is wildcarded.
        $sequence_3 = { 80fb3d 0f84ad000000 0fb6c3 50 e8???????? 83c404 85c0 }
            // n = 7, score = 200
            //   80fb3d               | cmp                 bl, 0x3d
            //   0f84ad000000         | je                  0xb3
            //   0fb6c3               | movzx               eax, bl
            //   50                   | push                eax
            //   e8????????           |
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax

        $sequence_4 = { 7d2a 8afe 3adb e07c }
            // n = 4, score = 200
            //   7d2a                 | jge                 0x2c
            //   8afe                 | mov                 bh, dh
            //   3adb                 | cmp                 bl, bl
            //   e07c                 | loopne              0x7e

        // NOTE(review): outsd / fidiv / xor with large displacements — same
        // caveat as $sequence_0, this may be non-code bytes; unconfirmed.
        $sequence_5 = { 6f d80b 8be5 59 dab2aa46c72b 308711e6952c }
            // n = 6, score = 200
            //   6f                   | outsd               dx, dword ptr [esi]
            //   d80b                 | fmul                dword ptr [ebx]
            //   8be5                 | mov                 esp, ebp
            //   59                   | pop                 ecx
            //   dab2aa46c72b         | fidiv               dword ptr [edx + 0x2bc746aa]
            //   308711e6952c         | xor                 byte ptr [edi + 0x2c95e611], al

        // Masks dl to 2 bits, shifts al left by 4 and combines — looks like a
        // nibble/bit-packing step of a custom encoding routine (presumably; the
        // surrounding routine is not visible here).
        $sequence_6 = { 8ac4 80e203 c0e004 02d1 8855e4 8a55ea }
            // n = 6, score = 200
            //   8ac4                 | mov                 al, ah
            //   80e203               | and                 dl, 3
            //   c0e004               | shl                 al, 4
            //   02d1                 | add                 dl, cl
            //   8855e4               | mov                 byte ptr [ebp - 0x1c], dl
            //   8a55ea               | mov                 dl, byte ptr [ebp - 0x16]

        // Two wildcarded absolute data references (db2d = x87 load, 833d = cmp
        // dword ptr [abs], 0); the final jne has a large forward displacement.
        $sequence_7 = { 75be ddd8 db2d???????? b802000000 833d????????00 0f85400a0000 }
            // n = 6, score = 200
            //   75be                 | jne                 0xffffffc0
            //   ddd8                 | fstp                st(0)
            //   db2d????????         |
            //   b802000000           | mov                 eax, 2
            //   833d????????00       |
            //   0f85400a0000         | jne                 0xa46

        // Byte-copy loop: reads [esi], writes to [edx + esi - 1] (edx = ebx - esi
        // computed above, i.e. destination = ebx-relative) and stops on a zero
        // byte — a strcpy-style copy.
        $sequence_8 = { 8bd3 2bd6 8a0e 8d7601 884c32ff 84c9 75f3 }
            // n = 7, score = 200
            //   8bd3                 | mov                 edx, ebx
            //   2bd6                 | sub                 edx, esi
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   8d7601               | lea                 esi, [esi + 1]
            //   884c32ff             | mov                 byte ptr [edx + esi - 1], cl
            //   84c9                 | test                cl, cl
            //   75f3                 | jne                 0xfffffff5

        // NOTE(review): int1 / insb with arbitrary immediates — likely data bytes
        // rather than code, same caveat as $sequence_0 and $sequence_5.
        $sequence_9 = { f1 f6a2a19e0188 0569e1e9cf bdea322709 1d7fd77368 6c }
            // n = 6, score = 200
            //   f1                   | int1
            //   f6a2a19e0188         | mul                 byte ptr [edx - 0x77fe615f]
            //   0569e1e9cf           | add                 eax, 0xcfe9e169
            //   bdea322709           | mov                 ebp, 0x92732ea
            //   1d7fd77368           | sbb                 eax, 0x6873d77f
            //   6c                   | insb                byte ptr es:[edi], dx

    // "7 of them": at least 7 of the 10 $sequence_* strings must be present.
    // The filesize bound (278528 bytes = 272 KiB) limits false positives on
    // large binaries and keeps scanning cheap; it also means larger repacked
    // or appended samples will not match.
    condition:
        7 of them and filesize < 278528
}