There is no description at this point.
There are currently no references.
// YARA-Signator output for the Malpedia family win.madmax.
//
// Ten seven-instruction byte sequences were picked automatically from the
// disassembly of memory dumps / unpacked samples; a hit requires seven of
// them plus a file-size ceiling. Meta values are kept verbatim so that the
// rule stays identifiable as the Malpedia artifact it was published as.
rule win_madmax_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.madmax."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The byte sequences below were selected automatically by YARA-Signator
     * from the disassembly of memory dumps and unpacked files:
     *   https://github.com/fxb-cocacoding/yara-signator
     * Malpedia often documents only a single sample per family, so the
     * sequences may generalise poorly across variants. Weigh the generation
     * method when assigning a confidence level to matches of this rule.
     *
     * NOTE(review): a number of the sequences decode to instructions that a
     * compiler does not emit in ordinary code (pop ss / pop ds, push cs, sti,
     * das, outsb/insb, lahf, fstpnce, enter with an odd frame size). That
     * pattern is what packed, encrypted or plain data bytes look like when
     * disassembled, so those sequences presumably pin a specific blob rather
     * than malware logic; the ones built around lea/call/test/jne look like
     * real code. Treat a hit as a lead to be confirmed, not as attribution.
     *
     * NOTE(review): `filesize` is undefined when YARA scans a running
     * process, and an undefined comparison evaluates as false, so the
     * condition below cannot fire on a live process scan even though the
     * sequences were derived from memory dumps. Scan dumped images / files,
     * or reconsider the size clause for live-memory use.
     */

    strings:
        // Every sequence is n = 7 instructions, score = 100.

        // ror ch,1 ; cdq ; xchg dh,dl ; dec esp ; scasb ; das ; dec esi
        $sequence_0 = { d0cd 99 86d6 4c ae 2f 4e }

        // mov eax,0x73e1320c ; mov al,ch ; or [edi-0x62],ah ; sti ; pop ecx ;
        // adc [eax-0x35],0x80 ; mov edx,0xa2a81ef
        $sequence_1 = { b80c32e173 8ac5 08679e fb 59 8050cb80 baef812a0a }

        // loopne ; fmul st(4) ; push 0x55 ; pushal ; and eax,0x1f337a2 ;
        // dec edx ; dec esp
        $sequence_2 = { e07d d8cc 6a55 60 25a237f301 4a 4c }

        // lea ecx,[ebp-0x130] ; call ? ; lea esi,[ebx+0x96] ; push 0x3b ;
        // pushfd ; test byte ptr [?],0xd6 ; jne +0x122
        $sequence_3 = { 8d8dd0feffff e8???????? 8db396000000 6a3b 9c f605????????d6 0f851c010000 }

        // xchg eax,ebx ; lahf ; test [ebp+0x67],ebp ; dec sp ;
        // xchg [edi-0x4a],dl ; dec ecx ; adc eax,0xc2e09b2b
        $sequence_4 = { 93 9f 856d67 664c 8657b6 49 152b9be0c2 }

        // fstpnce st(5),st(0) ; or [ebp+0x27],edx ; pop ss ; inc esp ;
        // dec ebx ; pushal ; pop ds
        $sequence_5 = { d9dd 095527 17 44 4b 60 1f }

        // mul [ebx] ; push esi ; enter 0x5bd9,-0x34 ; push cs ;
        // mov al,fs:[0xdbf5984d] ; outsb ; add eax,0xc89c071e
        $sequence_6 = { f723 56 c8d95bcc 0e 64a04d98f5db 6e 051e079cc8 }

        // lodsd ; jle ; push -0x43 ; push cs (gs:) ; pushfd ;
        // xor eax,0xa763e528 ; insb
        $sequence_7 = { ad 7ea5 6abd 650e 9c 3528e563a7 6c }

        // test byte ptr [?],0xe2 ; jne +0x123 ; jae ; and al,0x86 (repne) ;
        // test esi,esp ; and [edx],ecx ; out 0x88,eax
        $sequence_8 = { f605????????e2 0f851d010000 73e7 f22486 85e6 210a e788 }

        // test byte ptr [?],0xa5 ; jne +0x33 ; fild qword [esi] ;
        // mov ebx,[ebx] ; clc ; mov bl,0x6a ; jns +0x2a
        $sequence_9 = { f605????????a5 7531 df2e 8b1b f8 b36a 7928 }

    condition:
        // Seven of the ten sequences, bounded to files under ~3.08 MiB.
        7 of ($sequence_*) and filesize < 3227648
}