There is no description at this point.
rule win_matsnu_auto {
    // Auto-generated YARA-Signator rule for the win.matsnu family (Malpedia).
    //
    // Reviewer notes:
    //  * Each $sequence_N is a raw x86 opcode run lifted from the disassembly of
    //    unpacked samples / memory dumps (see the generator disclaimer below), so
    //    the rule targets de-obfuscated code rather than a packed on-disk dropper.
    //  * NOTE(review): `filesize` is only defined when scanning files; for
    //    process-memory scans YARA leaves it undefined and the `and` clause will
    //    not be satisfied -- confirm the intended deployment before relying on it.
    //  * $sequence_1 is only five bytes of generic prologue/epilogue code
    //    (`push eax; clc; jb; ret`); the 7-of-10 threshold in the condition is
    //    what keeps the rule specific, so do not lower it without re-testing
    //    against a clean-file corpus.
    //  * The `ljmp [edx]` shown for $sequence_7 is presumably a disassembler
    //    artifact (the leading `ff` likely belongs to the preceding instruction);
    //    the byte pattern itself is unaffected -- verify against the sample.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.matsnu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 5 instructions, score = 700
        //   8b 4d ea          mov ecx, dword ptr [ebp - 0x16]
        //   b8 01 00 00 00    mov eax, 1
        //   d3 e0             shl eax, cl
        //   09 45 e6          or dword ptr [ebp - 0x1a], eax
        //   8b 4d b8          mov ecx, dword ptr [ebp - 0x48]
        $sequence_0 = { 8b 4d ea b8 01 00 00 00 d3 e0 09 45 e6 8b 4d b8 }

        // n = 4 instructions, score = 700 (only 5 bytes -- weak on its own)
        //   50                push eax
        //   f8                clc
        //   72 01             jb 3
        //   c3                ret
        $sequence_1 = { 50 f8 72 01 c3 }

        // n = 6 instructions, score = 700
        //   eb db             jmp 0xffffffdd
        //   c7 45 de 00 00 00 00  mov dword ptr [ebp - 0x22], 0
        //   8b 45 de          mov eax, dword ptr [ebp - 0x22]
        //   3b 45 ba          cmp eax, dword ptr [ebp - 0x46]
        //   0f 83 eb 01 00 00 jae 0x1f1
        //   8b 45 c6          mov eax, dword ptr [ebp - 0x3a]
        $sequence_2 = { eb db c7 45 de 00 00 00 00 8b 45 de 3b 45 ba 0f 83 eb 01 00 00 8b 45 c6 }

        // n = 4 instructions, score = 700
        //   81 7d e6 ff 00 00 00  cmp dword ptr [ebp - 0x1a], 0xff
        //   7f 0d             jg 0xf
        //   8b 7d de          mov edi, dword ptr [ebp - 0x22]
        //   03 7d 10          add edi, dword ptr [ebp + 0x10]
        $sequence_3 = { 81 7d e6 ff 00 00 00 7f 0d 8b 7d de 03 7d 10 }

        // n = 4 instructions, score = 700
        //   29 45 ce          sub dword ptr [ebp - 0x32], eax
        //   eb d3             jmp 0xffffffd5
        //   c7 45 d6 00 00 00 00  mov dword ptr [ebp - 0x2a], 0
        //   c7 45 da 00 01 00 00  mov dword ptr [ebp - 0x26], 0x100
        $sequence_4 = { 29 45 ce eb d3 c7 45 d6 00 00 00 00 c7 45 da 00 01 00 00 }

        // n = 7 instructions, score = 700
        //   80 e1 f0          and cl, 0xf0
        //   c0 e9 04          shr cl, 4
        //   08 c8             or al, cl
        //   8d 55 bc          lea edx, [ebp - 0x44]
        //   01 c2             add edx, eax
        //   8a 02             mov al, byte ptr [edx]
        //   88 47 01          mov byte ptr [edi + 1], al
        $sequence_5 = { 80 e1 f0 c0 e9 04 08 c8 8d 55 bc 01 c2 8a 02 88 47 01 }

        // n = 7 instructions, score = 700
        //   83 7d 10 02       cmp dword ptr [ebp + 0x10], 2
        //   72 23             jb 0x25
        //   31 c0             xor eax, eax
        //   8a 46 01          mov al, byte ptr [esi + 1]
        //   24 0f             and al, 0xf
        //   c0 e0 02          shl al, 2
        //   31 c9             xor ecx, ecx
        $sequence_6 = { 83 7d 10 02 72 23 31 c0 8a 46 01 24 0f c0 e0 02 31 c9 }

        // n = 7 instructions, score = 700
        //   72 01             jb 3
        //   c3                ret
        //   ff 6a 00          ljmp [edx]   (likely misaligned decode, see header note)
        //   6a 00             push 0
        //   6a 03             push 3
        //   6a 00             push 0
        //   6a 00             push 0
        $sequence_7 = { 72 01 c3 ff 6a 00 6a 00 6a 03 6a 00 6a 00 }

        // n = 4 instructions, score = 700
        //   31 c0             xor eax, eax
        //   eb 70             jmp 0x72
        //   ff 75 fc          push dword ptr [ebp - 4]
        //   ff 75 f8          push dword ptr [ebp - 8]
        $sequence_8 = { 31 c0 eb 70 ff 75 fc ff 75 f8 }

        // n = 6 instructions, score = 700
        //   8b 4d b8          mov ecx, dword ptr [ebp - 0x48]
        //   81 e1 ff 00 00 00 and ecx, 0xff
        //   01 c8             add eax, ecx
        //   89 45 ee          mov dword ptr [ebp - 0x12], eax
        //   8b 45 ee          mov eax, dword ptr [ebp - 0x12]
        //   c1 f8 03          sar eax, 3
        $sequence_9 = { 8b 4d b8 81 e1 ff 00 00 00 01 c8 89 45 ee 8b 45 ee c1 f8 03 }

    condition:
        // At least 7 of the 10 opcode runs must be present, and the scanned
        // object must be smaller than 606992 bytes (file scans only).
        7 of ($sequence_*) and filesize < 606992
}