Actor(s): TA410
There is no description at this point.
rule win_lookback_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.lookback." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 3bef 7511 8b4810 3bcf 0f8493010000 } // n = 5, score = 200 // 3bef | cmp ebp, edi // 7511 | jne 0x13 // 8b4810 | mov ecx, dword ptr [eax + 0x10] // 3bcf | cmp ecx, edi // 0f8493010000 | je 0x199 $sequence_1 = { 817c240c1c010000 7515 8bbc2438020000 b947000000 8db42414010000 f3a5 5f } // n = 7, score = 200 // 817c240c1c010000 | cmp dword ptr [esp + 0xc], 0x11c // 7515 | jne 0x17 // 8bbc2438020000 | mov edi, dword ptr [esp + 0x238] // b947000000 | mov ecx, 0x47 // 8db42414010000 | lea esi, dword ptr [esp + 0x114] // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 5f | pop edi $sequence_2 = { 8bc8 6a01 83e103 6a02 f3a4 ff15???????? 53 } // n = 7, score = 200 // 8bc8 | mov ecx, eax // 6a01 | push 1 // 83e103 | and ecx, 3 // 6a02 | push 2 // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // ff15???????? | // 53 | push ebx $sequence_3 = { 50 ff15???????? 893d???????? 8b0d???????? } // n = 4, score = 200 // 50 | push eax // ff15???????? | // 893d???????? | // 8b0d???????? | $sequence_4 = { 8a1c38 33ca 8a542410 8a8c0c20010000 } // n = 4, score = 200 // 8a1c38 | mov bl, byte ptr [eax + edi] // 33ca | xor ecx, edx // 8a542410 | mov dl, byte ptr [esp + 0x10] // 8a8c0c20010000 | mov cl, byte ptr [esp + ecx + 0x120] $sequence_5 = { 56 32d2 8a8c041c010000 8bf0 } // n = 4, score = 200 // 56 | push esi // 32d2 | xor dl, dl // 8a8c041c010000 | mov cl, byte ptr [esp + eax + 0x11c] // 8bf0 | mov esi, eax $sequence_6 = { 8bc8 6a01 83e103 6a02 f3a4 ff15???????? } // n = 6, score = 200 // 8bc8 | mov ecx, eax // 6a01 | push 1 // 83e103 | and ecx, 3 // 6a02 | push 2 // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // ff15???????? | $sequence_7 = { 3bc7 744a 83f8ff 7445 8b0d???????? 6aff } // n = 6, score = 200 // 3bc7 | cmp eax, edi // 744a | je 0x4c // 83f8ff | cmp eax, -1 // 7445 | je 0x47 // 8b0d???????? | // 6aff | push -1 $sequence_8 = { 7477 a1???????? 50 ff15???????? } // n = 4, score = 200 // 7477 | je 0x79 // a1???????? | // 50 | push eax // ff15???????? | $sequence_9 = { 8bbc2434020000 83c9ff f2ae f7d1 } // n = 4, score = 200 // 8bbc2434020000 | mov edi, dword ptr [esp + 0x234] // 83c9ff | or ecx, 0xffffffff // f2ae | repne scasb al, byte ptr es:[edi] // f7d1 | not ecx condition: 7 of them and filesize < 131072 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
