Actor(s): Lazarus Group, Sandworm, TeleBots
There is no description at this point.
rule win_killdisk_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83ffff 0f84ab000000 57 ff15???????? 8bc3 8d4c2424 897e08 } // n = 7, score = 100 // 83ffff | cmp edi, -1 // 0f84ab000000 | je 0xb1 // 57 | push edi // ff15???????? | // 8bc3 | mov eax, ebx // 8d4c2424 | lea ecx, [esp + 0x24] // 897e08 | mov dword ptr [esi + 8], edi $sequence_1 = { 8945fc 53 8b1d???????? 56 57 8bf9 33c9 } // n = 7, score = 100 // 8945fc | mov dword ptr [ebp - 4], eax // 53 | push ebx // 8b1d???????? | // 56 | push esi // 57 | push edi // 8bf9 | mov edi, ecx // 33c9 | xor ecx, ecx $sequence_2 = { 6a00 6a00 8d542418 52 68???????? 6800004006 } // n = 6, score = 100 // 6a00 | push 0 // 6a00 | push 0 // 8d542418 | lea edx, [esp + 0x18] // 52 | push edx // 68???????? | // 6800004006 | push 0x6400000 $sequence_3 = { 60 9c 8f442428 882424 881c24 e8???????? d2cd } // n = 7, score = 100 // 60 | pushal // 9c | pushfd // 8f442428 | pop dword ptr [esp + 0x28] // 882424 | mov byte ptr [esp], ah // 881c24 | mov byte ptr [esp], bl // e8???????? | // d2cd | ror ch, cl $sequence_4 = { 5e e8???????? 66ffc6 e8???????? } // n = 4, score = 100 // 5e | pop esi // e8???????? | // 66ffc6 | inc si // e8???????? | $sequence_5 = { 662dca11 e8???????? 881438 e8???????? } // n = 4, score = 100 // 662dca11 | sub ax, 0x11ca // e8???????? | // 881438 | mov byte ptr [eax + edi], dl // e8???????? | $sequence_6 = { e8???????? 8d8df8feffff 51 8d95f4fdffff 52 e8???????? } // n = 6, score = 100 // e8???????? | // 8d8df8feffff | lea ecx, [ebp - 0x108] // 51 | push ecx // 8d95f4fdffff | lea edx, [ebp - 0x20c] // 52 | push edx // e8???????? | $sequence_7 = { 28d8 882424 e9???????? 66894500 66897c240c 882c24 } // n = 6, score = 100 // 28d8 | sub al, bl // 882424 | mov byte ptr [esp], ah // e9???????? | // 66894500 | mov word ptr [ebp], ax // 66897c240c | mov word ptr [esp + 0xc], di // 882c24 | mov byte ptr [esp], ch $sequence_8 = { 8d9dd8fbffff 8bc6 e8???????? 8b4df4 64890d00000000 } // n = 5, score = 100 // 8d9dd8fbffff | lea ebx, [ebp - 0x428] // 8bc6 | mov eax, esi // e8???????? | // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 64890d00000000 | mov dword ptr fs:[0], ecx $sequence_9 = { e8???????? 8bd0 8d642400 668b08 83c002 } // n = 5, score = 100 // e8???????? | // 8bd0 | mov edx, eax // 8d642400 | lea esp, [esp] // 668b08 | mov cx, word ptr [eax] // 83c002 | add eax, 2 $sequence_10 = { 7718 83f908 7205 8b4500 eb02 8bc5 } // n = 6, score = 100 // 7718 | ja 0x1a // 83f908 | cmp ecx, 8 // 7205 | jb 7 // 8b4500 | mov eax, dword ptr [ebp] // eb02 | jmp 4 // 8bc5 | mov eax, ebp $sequence_11 = { 898dd8fdffff 8d8dd8fdffff c1e009 51 50 } // n = 5, score = 100 // 898dd8fdffff | mov dword ptr [ebp - 0x228], ecx // 8d8dd8fdffff | lea ecx, [ebp - 0x228] // c1e009 | shl eax, 9 // 51 | push ecx // 50 | push eax $sequence_12 = { 50 ffd7 85c0 7436 68???????? 8d8de4feffff 51 } // n = 7, score = 100 // 50 | push eax // ffd7 | call edi // 85c0 | test eax, eax // 7436 | je 0x38 // 68???????? | // 8d8de4feffff | lea ecx, [ebp - 0x11c] // 51 | push ecx $sequence_13 = { 8b4da2 8b45aa 8b55a6 8945f0 894de8 } // n = 5, score = 100 // 8b4da2 | mov ecx, dword ptr [ebp - 0x5e] // 8b45aa | mov eax, dword ptr [ebp - 0x56] // 8b55a6 | mov edx, dword ptr [ebp - 0x5a] // 8945f0 | mov dword ptr [ebp - 0x10], eax // 894de8 | mov dword ptr [ebp - 0x18], ecx $sequence_14 = { 50 e8???????? 8b4dfc 83c404 33cd 5b } // n = 6, score = 100 // 50 | push eax // e8???????? | // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 83c404 | add esp, 4 // 33cd | xor ecx, ebp // 5b | pop ebx $sequence_15 = { 760a d035???????? d6 d487 } // n = 4, score = 100 // 760a | jbe 0xc // d035???????? | // d6 | salc // d487 | aam 0x87 $sequence_16 = { 55 53 e8???????? 57 68???????? 8d742438 e8???????? } // n = 7, score = 100 // 55 | push ebp // 53 | push ebx // e8???????? | // 57 | push edi // 68???????? | // 8d742438 | lea esi, [esp + 0x38] // e8???????? | $sequence_17 = { 872d???????? 0fc1c2 89e2 66d3c9 66d3c0 } // n = 5, score = 100 // 872d???????? | // 0fc1c2 | xadd edx, eax // 89e2 | mov edx, esp // 66d3c9 | ror cx, cl // 66d3c0 | rol ax, cl $sequence_18 = { 33c0 3bc5 7f2e 7c04 } // n = 4, score = 100 // 33c0 | xor eax, eax // 3bc5 | cmp eax, ebp // 7f2e | jg 0x30 // 7c04 | jl 6 $sequence_19 = { e9???????? 46 60 9c 9c 8d642428 } // n = 6, score = 100 // e9???????? | // 46 | inc esi // 60 | pushal // 9c | pushfd // 9c | pushfd // 8d642428 | lea esp, [esp + 0x28] $sequence_20 = { 894c2430 e9???????? 9c 9c 66894504 57 } // n = 6, score = 100 // 894c2430 | mov dword ptr [esp + 0x30], ecx // e9???????? | // 9c | pushfd // 9c | pushfd // 66894504 | mov word ptr [ebp + 4], ax // 57 | push edi $sequence_21 = { 6a01 56 e8???????? 53 e8???????? 56 } // n = 6, score = 100 // 6a01 | push 1 // 56 | push esi // e8???????? | // 53 | push ebx // e8???????? | // 56 | push esi $sequence_22 = { 51 ff15???????? 85c0 0f8565fdffff ff0d???????? } // n = 5, score = 100 // 51 | push ecx // ff15???????? | // 85c0 | test eax, eax // 0f8565fdffff | jne 0xfffffd6b // ff0d???????? | $sequence_23 = { 6a01 50 89442430 89442434 89442438 8944243c ff15???????? } // n = 7, score = 100 // 6a01 | push 1 // 50 | push eax // 89442430 | mov dword ptr [esp + 0x30], eax // 89442434 | mov dword ptr [esp + 0x34], eax // 89442438 | mov dword ptr [esp + 0x38], eax // 8944243c | mov dword ptr [esp + 0x3c], eax // ff15???????? | condition: 7 of them and filesize < 10817536 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
