There is no description at this point.
rule win_lockbit_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 88842475030000 e8???????? 6a73 8d8c246e030000 88842476030000 e8???????? 6a6b } // n = 7, score = 100 // 88842475030000 | mov byte ptr [esp + 0x375], al // e8???????? | // 6a73 | push 0x73 // 8d8c246e030000 | lea ecx, [esp + 0x36e] // 88842476030000 | mov byte ptr [esp + 0x376], al // e8???????? | // 6a6b | push 0x6b $sequence_1 = { c78550fcffff6f007700 c78554fcffff73002e00 c78558fcffff6f006c00 c7855cfcffff64000000 c78578fdffff61007000 c7857cfdffff70006400 c78580fdffff61007400 } // n = 7, score = 100 // c78550fcffff6f007700 | mov dword ptr [ebp - 0x3b0], 0x77006f // c78554fcffff73002e00 | mov dword ptr [ebp - 0x3ac], 0x2e0073 // c78558fcffff6f006c00 | mov dword ptr [ebp - 0x3a8], 0x6c006f // c7855cfcffff64000000 | mov dword ptr [ebp - 0x3a4], 0x64 // c78578fdffff61007000 | mov dword ptr [ebp - 0x288], 0x700061 // c7857cfdffff70006400 | mov dword ptr [ebp - 0x284], 0x640070 // c78580fdffff61007400 | mov dword ptr [ebp - 0x280], 0x740061 $sequence_2 = { 33d2 8ac8 bf10000000 2bfa 85d2 0f4efa 80e10f } // n = 7, score = 100 // 33d2 | xor edx, edx // 8ac8 | mov cl, al // bf10000000 | mov edi, 0x10 // 2bfa | sub edi, edx // 85d2 | test edx, edx // 0f4efa | cmovle edi, edx // 80e10f | and cl, 0xf $sequence_3 = { c78508ffffff73007100 c7850cffffff76002000 c78510ffffff71005300 66898524ffffff 0fb705???????? 6683f053 66898526ffffff } // n = 7, score = 100 // c78508ffffff73007100 | mov dword ptr [ebp - 0xf8], 0x710073 // c7850cffffff76002000 | mov dword ptr [ebp - 0xf4], 0x200076 // c78510ffffff71005300 | mov dword ptr [ebp - 0xf0], 0x530071 // 66898524ffffff | mov word ptr [ebp - 0xdc], ax // 0fb705???????? | // 6683f053 | xor ax, 0x53 // 66898526ffffff | mov word ptr [ebp - 0xda], ax $sequence_4 = { c644240b20 32842452060000 88842453060000 8a44240b 888c2454060000 8a8c2452060000 32c1 } // n = 7, score = 100 // c644240b20 | mov byte ptr [esp + 0xb], 0x20 // 32842452060000 | xor al, byte ptr [esp + 0x652] // 88842453060000 | mov byte ptr [esp + 0x653], al // 8a44240b | mov al, byte ptr [esp + 0xb] // 888c2454060000 | mov byte ptr [esp + 0x654], cl // 8a8c2452060000 | mov cl, byte ptr [esp + 0x652] // 32c1 | xor al, cl $sequence_5 = { 0fb705???????? 6683f038 668945de 0fb705???????? 6683f038 668945e0 } // n = 6, score = 100 // 0fb705???????? | // 6683f038 | xor ax, 0x38 // 668945de | mov word ptr [ebp - 0x22], ax // 0fb705???????? | // 6683f038 | xor ax, 0x38 // 668945e0 | mov word ptr [ebp - 0x20], ax $sequence_6 = { 0fb705???????? 6683f053 6689458e 0fb705???????? 6683f053 66894590 } // n = 6, score = 100 // 0fb705???????? | // 6683f053 | xor ax, 0x53 // 6689458e | mov word ptr [ebp - 0x72], ax // 0fb705???????? | // 6683f053 | xor ax, 0x53 // 66894590 | mov word ptr [ebp - 0x70], ax $sequence_7 = { 895df4 e8???????? 8d45d8 50 e8???????? 6a00 6a00 } // n = 7, score = 100 // 895df4 | mov dword ptr [ebp - 0xc], ebx // e8???????? | // 8d45d8 | lea eax, [ebp - 0x28] // 50 | push eax // e8???????? | // 6a00 | push 0 // 6a00 | push 0 $sequence_8 = { 68???????? e8???????? 83c414 eb14 6a10 8d442444 50 } // n = 7, score = 100 // 68???????? | // e8???????? | // 83c414 | add esp, 0x14 // eb14 | jmp 0x16 // 6a10 | push 0x10 // 8d442444 | lea eax, [esp + 0x44] // 50 | push eax $sequence_9 = { 88842479060000 8a842478060000 32c8 c68424e505000000 32e8 888c247a060000 32d0 } // n = 7, score = 100 // 88842479060000 | mov byte ptr [esp + 0x679], al // 8a842478060000 | mov al, byte ptr [esp + 0x678] // 32c8 | xor cl, al // c68424e505000000 | mov byte ptr [esp + 0x5e5], 0 // 32e8 | xor ch, al // 888c247a060000 | mov byte ptr [esp + 0x67a], cl // 32d0 | xor dl, al condition: 7 of them and filesize < 337568 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY