win.killav

KillAV


There is no description at this point.

References
2022-02-26 — Aon — Eduardo Mattos, Rob Homewood
@online{mattos:20220226:yours:2cd2d24, author = {Eduardo Mattos and Rob Homewood}, title = {{Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver}}, date = {2022-02-26}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/}, language = {English}, urldate = {2022-03-22} } Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
Cuba KillAV
2022-02-26 — Aon — Eduardo Mattos, Rob Homewood
@online{mattos:20220226:yours:aa5994a, author = {Eduardo Mattos and Rob Homewood}, title = {{Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver}}, date = {2022-02-26}, organization = {Aon}, url = {https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/}, language = {English}, urldate = {2022-03-01} } Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver
KillAV
Yara Rules
[TLP:WHITE] win_killav_auto (20230125 | Detects win.killav.)
/*
 * Auto-generated YARA rule for the win.killav family.
 *
 * Matching logic: each $sequence_N string below is a hex byte pattern lifted
 * from x86 disassembly (the commented lines under each pattern show one
 * instruction per line). "??" bytes are wildcards; in these patterns they cover
 * the rel32 operand of E8 (call) / E9 (jmp) and the moffs32 operand of
 * A1 (mov eax, [addr]), which vary between builds and load addresses, so the
 * disassembly column for those lines is intentionally blank.
 *
 * The rule fires when at least 7 of the 10 sequences are present AND the
 * scanned object is smaller than 517120 bytes.
 *
 * NOTE(review): as the embedded disclaimer states, the sequences may originate
 * from a single documented sample, so a hit is best treated as a family
 * classification aid for an already-suspicious object rather than a
 * high-confidence verdict on its own, and samples above the filesize bound
 * (e.g. padded or bundled builds) will not match at all.
 */
rule win_killav_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.killav."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killav"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each pattern is followed by a generator annotation: "n" is the number of
    // instructions in the sequence (it matches the number of disassembly lines
    // listed), "score" is the generator's own ranking value.
    strings:
        $sequence_0 = { 660f122c8568144300 03c0 660f28348580184300 ba7f3e0400 e9???????? 8bd0 81e2ffffff7f }
            // n = 7, score = 100
            //   660f122c8568144300     | movlpd    xmm5, qword ptr [eax*4 + 0x431468]
            //   03c0                 | add                 eax, eax
            //   660f28348580184300     | movapd    xmm6, xmmword ptr [eax*4 + 0x431880]
            //   ba7f3e0400           | mov                 edx, 0x43e7f
            //   e9????????           |                     
            //   8bd0                 | mov                 edx, eax
            //   81e2ffffff7f         | and                 edx, 0x7fffffff

        $sequence_1 = { c645fc05 50 8d4dd0 e8???????? c645fc00 }
            // n = 5, score = 100
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   50                   | push                eax
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0

        $sequence_2 = { c745e800000000 c745ec07000000 668945d8 e8???????? 8d45d8 c645fc2f 50 }
            // n = 7, score = 100
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   c745ec07000000       | mov                 dword ptr [ebp - 0x14], 7
            //   668945d8             | mov                 word ptr [ebp - 0x28], ax
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   c645fc2f             | mov                 byte ptr [ebp - 4], 0x2f
            //   50                   | push                eax

        $sequence_3 = { 40 e9???????? 8365c000 c745c46ecb4000 a1???????? 8d4dc0 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   e9????????           |                     
            //   8365c000             | and                 dword ptr [ebp - 0x40], 0
            //   c745c46ecb4000       | mov                 dword ptr [ebp - 0x3c], 0x40cb6e
            //   a1????????           |                     
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]

        $sequence_4 = { 668945d8 e8???????? 8d45d8 c645fc11 50 8d4dd0 }
            // n = 6, score = 100
            //   668945d8             | mov                 word ptr [ebp - 0x28], ax
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   c645fc11             | mov                 byte ptr [ebp - 4], 0x11
            //   50                   | push                eax
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]

        $sequence_5 = { c7443090d4604300 8b4690 8b4804 8d4190 8944318c 8d4ea0 }
            // n = 6, score = 100
            //   c7443090d4604300     | mov                 dword ptr [eax + esi - 0x70], 0x4360d4
            //   8b4690               | mov                 eax, dword ptr [esi - 0x70]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d4190               | lea                 eax, [ecx - 0x70]
            //   8944318c             | mov                 dword ptr [ecx + esi - 0x74], eax
            //   8d4ea0               | lea                 ecx, [esi - 0x60]

        $sequence_6 = { e8???????? 8d45d8 c645fc33 50 8d4dd0 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   c645fc33             | mov                 byte ptr [ebp - 4], 0x33
            //   50                   | push                eax
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]

        $sequence_7 = { 894df4 8955ec 8b04bd70ba4300 e9???????? 8bc1 f7d0 a801 }
            // n = 7, score = 100
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8b04bd70ba4300       | mov                 eax, dword ptr [edi*4 + 0x43ba70]
            //   e9????????           |                     
            //   8bc1                 | mov                 eax, ecx
            //   f7d0                 | not                 eax
            //   a801                 | test                al, 1

        $sequence_8 = { c645fc15 50 8d4dd0 e8???????? c645fc00 }
            // n = 5, score = 100
            //   c645fc15             | mov                 byte ptr [ebp - 4], 0x15
            //   50                   | push                eax
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0

        $sequence_9 = { 8b4508 dd00 ebc2 c745e40ce34200 eb19 c745e414e34200 }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   dd00                 | fld                 qword ptr [eax]
            //   ebc2                 | jmp                 0xffffffc4
            //   c745e40ce34200       | mov                 dword ptr [ebp - 0x1c], 0x42e30c
            //   eb19                 | jmp                 0x1b
            //   c745e414e34200       | mov                 dword ptr [ebp - 0x1c], 0x42e314

    // "7 of them": at least 7 of the 10 $sequence_N strings must be found.
    // The filesize bound limits the rule to objects under 517120 bytes; the
    // disclaimer above notes the patterns were taken from memory dumps and
    // unpacked files, so no PE-header check is imposed here.
    condition:
        7 of them and filesize < 517120
}