win.matsnu

Matsnu


There is no description at this point.

References
2015-05-15 — Check Point — Stanislav Skuratovich
@techreport{skuratovich:20150515:matsnu:850c41f, author = {Stanislav Skuratovich}, title = {{MATSNU}}, date = {2015-05-15}, institution = {Check Point}, url = {https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf}, language = {English}, urldate = {2020-01-05} } MATSNU
Matsnu
Yara Rules
[TLP:WHITE] win_matsnu_auto (20211008 | Detects win.matsnu.)
rule win_matsnu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.matsnu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * Every $sequence_N below is a run of raw 32-bit x86 instruction bytes
     * (ebp/esp-relative addressing throughout), not a text string. The rule
     * therefore only fires on the unpacked code: a packed or encrypted on-disk
     * sample will not match until it has been unpacked or dumped from memory.
     * `????????` inside a sequence is a YARA wildcard masking the 4-byte
     * relative displacement of a `jmp rel32` (e9), whose value depends on the
     * layout of the particular build.
     * Several sequences include the `89 e5` encoding of `mov ebp, esp`; the
     * same instruction can also be encoded as `8b ec`, so these patterns are
     * tied to the toolchain that produced the documented sample (a rebuild
     * with a different compiler may not match — confirm against new samples).
     */


    strings:
        // Result check (test/je) followed by copying locals inside a stack
        // frame that is more than 0x200 bytes deep ([ebp-0x20c], [ebp-0x218]).
        $sequence_0 = { 85c0 7419 8b85f4fdffff 8985e8fdffff 8b7d0c 8b85f0fdffff }
            // n = 6, score = 700
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   8b85f4fdffff         | mov                 eax, dword ptr [ebp - 0x20c]
            //   8985e8fdffff         | mov                 dword ptr [ebp - 0x218], eax
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8b85f0fdffff         | mov                 eax, dword ptr [ebp - 0x210]

        // Zero-initialisation of 18 contiguous stack bytes (four dwords at
        // [ebp-0x20]..[ebp-0x14], then two single bytes at [ebp-0x10],[ebp-0xf]).
        // Generic-looking on its own; it is the 7-of-10 threshold in the
        // condition that keeps a pattern like this from matching unrelated code.
        $sequence_1 = { c745e000000000 c745e400000000 c745e800000000 c745ec00000000 c645f000 c645f100 }
            // n = 6, score = 700
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   c645f000             | mov                 byte ptr [ebp - 0x10], 0
            //   c645f100             | mov                 byte ptr [ebp - 0xf], 0

        // Straddles a function boundary: `ret 0xc` (callee pops 12 bytes of
        // arguments) immediately followed by the next function's prologue with
        // a 4-byte frame whose single local is zeroed.
        $sequence_2 = { c20c00 55 89e5 83ec04 c745fc00000000 }
            // n = 5, score = 700
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec04               | sub                 esp, 4
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        // Stores the constant 2 into a local at [ebp-0x45c] (frame >= 0x45c
        // bytes), then a wildcarded jmp rel32, an eax store and a compare of
        // [ebp-0x450] against 1 — reads like a state/flag update.
        $sequence_3 = { 750f c785a4fbffff02000000 e9???????? 8985bcfbffff 83bdb0fbffff01 }
            // n = 5, score = 700
            //   750f                 | jne                 0x11
            //   c785a4fbffff02000000     | mov    dword ptr [ebp - 0x45c], 2
            //   e9????????           |                     
            //   8985bcfbffff         | mov                 dword ptr [ebp - 0x444], eax
            //   83bdb0fbffff01       | cmp                 dword ptr [ebp - 0x450], 1

        // Stack string: the dword 0x6c642e7d written at [ebp-0x412] is the
        // little-endian bytes 7d 2e 64 6c = "}.dl", followed by byte 0x6c ('l')
        // at [ebp-0x40e] and a NUL at [ebp-0x40d] — i.e. the tail "}.dll\0" of
        // a file name assembled on the stack rather than stored as a literal.
        // This is the most sample-specific of the ten sequences.
        $sequence_4 = { c785eefbffff7d2e646c c685f2fbffff6c c685f3fbffff00 c745f400000000 }
            // n = 4, score = 700
            //   c785eefbffff7d2e646c     | mov    dword ptr [ebp - 0x412], 0x6c642e7d
            //   c685f2fbffff6c       | mov                 byte ptr [ebp - 0x40e], 0x6c
            //   c685f3fbffff00       | mov                 byte ptr [ebp - 0x40d], 0
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0

        // Bit-set operation: computes (1 << cl) with cl loaded from [ebp-0x16]
        // and ORs it into the dword at [ebp-0x1a]; then masks [ebp-0x48] to a
        // byte and increments it. Note the non-4-byte-aligned local offsets
        // (0x16, 0x1a) — unusual for compiler-laid-out locals, which is part of
        // what makes the pattern specific (presumably a packed struct on the
        // stack; confirm in the sample).
        $sequence_5 = { 8b4dea b801000000 d3e0 0945e6 8b4db8 81e1ff000000 41 }
            // n = 7, score = 700
            //   8b4dea               | mov                 ecx, dword ptr [ebp - 0x16]
            //   b801000000           | mov                 eax, 1
            //   d3e0                 | shl                 eax, cl
            //   0945e6               | or                  dword ptr [ebp - 0x1a], eax
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]
            //   81e1ff000000         | and                 ecx, 0xff
            //   41                   | inc                 ecx

        // Same (1 << cl) idiom as $sequence_5, here compared against
        // [ebp-0x3a]; afterwards the shift count at [ebp-0x3e] is compared with
        // 0xc (12), which looks like a bound on the bit index — TODO confirm.
        $sequence_6 = { 8b4dc2 b801000000 d3e0 3b45c6 7509 837dc20c }
            // n = 6, score = 700
            //   8b4dc2               | mov                 ecx, dword ptr [ebp - 0x3e]
            //   b801000000           | mov                 eax, 1
            //   d3e0                 | shl                 eax, cl
            //   3b45c6               | cmp                 eax, dword ptr [ebp - 0x3a]
            //   7509                 | jne                 0xb
            //   837dc20c             | cmp                 dword ptr [ebp - 0x3e], 0xc

        // NOTE(review): the auto-disassembly here is misaligned by one byte.
        // The leading 0c is most likely the displacement byte of a preceding
        // `[ebp+0xc]` operand; decoded from the next byte the run is
        // `8b 45 0c` mov eax,[ebp+0xc] / `d1 e0` shl eax,1 / `40` inc eax /
        // `50` push eax — a plausible (2*arg+1) argument set-up. As raw bytes
        // the pattern still matches correctly, but at only 5 bytes it is the
        // weakest of the ten and should not be relied on in isolation.
        $sequence_7 = { 0c8b 45 0cd1 e040 50 }
            // n = 5, score = 700
            //   0c8b                 | or                  al, 0x8b
            //   45                   | inc                 ebp
            //   0cd1                 | or                  al, 0xd1
            //   e040                 | loopne              0x42
            //   50                   | push                eax

        // Another function boundary: epilogue returning the local at [ebp-4]
        // (`mov eax,[ebp-4]; leave; ret 4`, callee pops one argument) followed
        // by a prologue with a 0x4c-byte frame whose lowest local is zeroed.
        $sequence_8 = { 8b45fc c9 c20400 55 89e5 83ec4c c745b400000000 }
            // n = 7, score = 700
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec4c               | sub                 esp, 0x4c
            //   c745b400000000       | mov                 dword ptr [ebp - 0x4c], 0

        // Wildcarded jmp rel32, then a signed compare of [ebp-0x1a] against
        // 0xff (jg = "greater than 255"), then edi = [ebp-0x22] + third
        // argument ([ebp+0x10]) — indexed access into a caller-supplied buffer.
        // Same unaligned local offsets (0x1a, 0x22) as $sequence_5/6.
        $sequence_9 = { e9???????? 817de6ff000000 7f0d 8b7dde 037d10 }
            // n = 5, score = 700
            //   e9????????           |                     
            //   817de6ff000000       | cmp                 dword ptr [ebp - 0x1a], 0xff
            //   7f0d                 | jg                  0xf
            //   8b7dde               | mov                 edi, dword ptr [ebp - 0x22]
            //   037d10               | add                 edi, dword ptr [ebp + 0x10]

    condition:
        // At least 7 of the 10 byte sequences must be present, so no single
        // generic pattern ($sequence_1/2/7/8) can trigger the rule alone.
        // The filesize gate (< 606992 bytes, ~593 KiB) is a sanity bound
        // derived from the documented sample; it applies to the object being
        // scanned, so larger full-process memory images or big dump files that
        // embed the unpacked code may be excluded by it. `filesize` is only
        // meaningful for file scans — check the YARA docs for how it evaluates
        // when scanning a live process before relying on this rule there.
        7 of them and filesize < 606992
}