Malpedia family win.maudi: a specialized sideloader for PoisonIvy.
rule win_maudi_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.maudi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The byte sequences below were selected automatically by YARA-Signator
     * from the disassembly of memory dumps and unpacked samples. Code and
     * documentation for the generator:
     *   https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source; for a number of families only a single
     * sample is documented, which limits how far these sequences generalize.
     * Keep the generation method in mind when deciding how much confidence
     * to assign a hit from this rule.
     */

    strings:
        // n = 6, score = 400
        //   51 | push ecx   (three times)
        //   59 | pop ecx    (three times)
        // NOTE(review): six bytes of plain push/pop may well occur in unrelated
        // code; this sequence is only a contributor to the 7-of-10 threshold in
        // the condition, not a standalone indicator.
        $sequence_0 = { 51 51 51 59 59 59 }

        // n = 5, score = 400
        //   5d             | pop ebp
        //   a3 ?? ?? ?? ?? | mov [imm32], eax   (address wildcarded)
        //   68 04 01 00 00 | push 0x104
        //   56             | push esi
        //   68 ?? ?? ?? ?? | push imm32         (value wildcarded)
        $sequence_1 = { 5d a3 ?? ?? ?? ?? 68 04 01 00 00 56 68 ?? ?? ?? ?? }

        // n = 7, score = 400
        //   89 e0          | mov eax, esp
        //   50             | push eax
        //   68 ?? ?? ?? ?? | push imm32
        //   87 d1          | xchg ecx, edx
        //   87 ca          | xchg edx, ecx
        //   51             | push ecx
        //   51             | push ecx
        $sequence_2 = { 89 e0 50 68 ?? ?? ?? ?? 87 d1 87 ca 51 51 }

        // n = 5, score = 400
        //   8b 80 a4 00 00 00 | mov eax, dword ptr [eax + 0xa4]
        //   83 f8 06          | cmp eax, 6
        //   75 46             | jne 0x48
        //   68 ?? ?? ?? ??    | push imm32
        //   87 d1             | xchg ecx, edx
        $sequence_3 = { 8b 80 a4 00 00 00 83 f8 06 75 46 68 ?? ?? ?? ?? 87 d1 }

        // n = 6, score = 400
        //   59                | pop ecx
        //   ff 25 ?? ?? ?? ?? | jmp dword ptr [imm32]
        //   83 c4 08          | add esp, 8
        //   85 c0             | test eax, eax
        //   0f 85 81 01 00 00 | jne 0x187
        //   8d bd f8 fd ff ff | lea edi, [ebp - 0x208]
        $sequence_4 = { 59 ff 25 ?? ?? ?? ?? 83 c4 08 85 c0 0f 85 81 01 00 00 8d bd f8 fd ff ff }

        // n = 4, score = 400
        //   83 f8 06       | cmp eax, 6
        //   75 48          | jne 0x4a
        //   68 ?? ?? ?? ?? | push imm32
        //   87 d1          | xchg ecx, edx
        $sequence_5 = { 83 f8 06 75 48 68 ?? ?? ?? ?? 87 d1 }

        // n = 6, score = 400
        //   89 e5          | mov ebp, esp
        //   60             | pushal
        //   6a 3c          | push 0x3c
        //   68 ?? ?? ?? ?? | push imm32
        //   68 ?? ?? ?? ?? | push imm32
        //   87 d1          | xchg ecx, edx
        $sequence_6 = { 89 e5 60 6a 3c 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 87 d1 }

        // n = 5, score = 400
        //   5d             | pop ebp
        //   89 e0          | mov eax, esp
        //   50             | push eax
        //   68 ?? ?? ?? ?? | push imm32
        //   87 d1          | xchg ecx, edx
        $sequence_7 = { 5d 89 e0 50 68 ?? ?? ?? ?? 87 d1 }

        // n = 4, score = 400
        //   89 e5          | mov ebp, esp
        //   5d             | pop ebp
        //   8b 54 24 04    | mov edx, dword ptr [esp + 4]
        //   80 74 0a ff 32 | xor byte ptr [edx + ecx - 1], 0x32
        $sequence_8 = { 89 e5 5d 8b 54 24 04 80 74 0a ff 32 }

        // n = 4, score = 400
        //   29 d2 | sub edx, edx
        //   52    | push edx   (three times)
        // NOTE(review): like $sequence_0, this is a very short register-only
        // pattern and should not be treated as meaningful on its own.
        $sequence_9 = { 29 d2 52 52 52 }

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 40 KiB (40960 bytes). The size cap
        // keeps the rule on small unpacked binaries and dumps.
        // NOTE(review): `filesize` is undefined when YARA scans a live process
        // instead of a file, which makes this whole condition evaluate false in
        // that mode; confirm before relying on the rule for process-memory
        // scanning. Dumps larger than 40 KiB written to disk will also be
        // excluded by the cap.
        7 of ($sequence_*) and filesize < 40960
}