Actor(s): Kimsuky
There is no description at this point.
rule win_mechanical_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): Only the hex byte sequences below are what YARA matches on.
     * The per-line "| mnemonic" annotations are generator output and do not
     * line up with the bytes they are printed next to: e.g. 33d2 decodes to
     * xor edx, edx (annotated "mov byte ptr [ebx], 0"), 33c9 to xor ecx, ecx
     * (annotated "add ecx, 1"), and the 0x41/0x48/0x4c bytes that open many
     * sequences are REX prefixes of 64-bit code but appear as 32-bit inc/dec.
     * Treat the annotations as unreliable; ???????? wildcards mask relocated
     * call/jmp/RIP-relative displacements. Rule is an autogenerated
     * code-similarity signature for one documented sample; see the disclaimer
     * above before assigning it a confidence level.
     */
    strings:
        $sequence_0 = { 4c8d9c2490020000 488d8c24a5020000 33d2 498903 }
            // n = 4, score = 200
            //   4c8d9c2490020000     | jne                 0xfffffff2
            //   488d8c24a5020000     | inc                 ecx
            //   33d2                 | mov                 byte ptr [ebx], 0
            //   498903               | dec                 esp

        $sequence_1 = { 84c0 0f8409000000 4983c101 4d85db 75e7 488d942480010000 41ba0b000000 }
            // n = 7, score = 200
            //   84c0                 | bts                 edi, 0x12
            //   0f8409000000         | jmp                 0x46
            //   4983c101             | dec                 eax
            //   4d85db               | lea                 edx, [0xd2d9]
            //   75e7                 | dec                 eax
            //   488d942480010000     | add                 edx, 1
            //   41ba0b000000         | dec                 ecx

        $sequence_2 = { 0f86df020000 8d9b00000000 8a8414243d0000 33c9 3c41 7212 }
            // n = 6, score = 200
            //   0f86df020000         | test                al, al
            //   8d9b00000000         | je                  0x11
            //   8a8414243d0000       | dec                 ecx
            //   33c9                 | add                 ecx, 1
            //   3c41                 | dec                 ebp
            //   7212                 | test                ebx, ebx

        $sequence_3 = { c68414243d00003f eb12 c68414243d00002e eb08 c68414243d00002c 3bcd 7408 }
            // n = 7, score = 200
            //   c68414243d00003f     | inc                 ecx
            //   eb12                 | mov                 edx, 0xb
            //   c68414243d00002e     | dec                 ecx
            //   eb08                 | add                 eax, 1
            //   c68414243d00002c     | dec                 eax
            //   3bcd                 | test                ecx, ecx
            //   7408                 | jne                 0xffffffed

        $sequence_4 = { e8???????? 85c0 750a 4883c30a 0fbaef12 eb3c 488d15d9d20000 }
            // n = 7, score = 200
            //   e8????????           |
            //   85c0                 | dec                 esp
            //   750a                 | lea                 ebx, [0x1f635]
            //   4883c30a             | dec                 ecx
            //   0fbaef12             | mov                 ecx, esp
            //   eb3c                 | inc                 ecx
            //   488d15d9d20000       | mov                 eax, 6

        $sequence_5 = { 0f8766010000 4898 0fb68428a4110100 8b8c85d0100100 }
            // n = 4, score = 200
            //   0f8766010000         | test                eax, eax
            //   4898                 | jne                 0xe
            //   0fb68428a4110100     | dec                 eax
            //   8b8c85d0100100       | add                 ebx, 0xa

        $sequence_6 = { 41b806000000 4c8d0d38f40000 4c3948f0 740c }
            // n = 4, score = 200
            //   41b806000000         | lea                 ecx, [esp + 0x2a5]
            //   4c8d0d38f40000       | xor                 edx, edx
            //   4c3948f0             | dec                 ecx
            //   740c                 | mov                 dword ptr [ebx], eax

        $sequence_7 = { e9???????? c68414400300003b e9???????? c68414400300002b e9???????? c68414400300003e }
            // n = 6, score = 200
            //   e9????????           |
            //   c68414400300003b     | jbe                 0x2e5
            //   e9????????           |
            //   c68414400300002b     | lea                 ebx, [ebx]
            //   e9????????           |
            //   c68414400300003e     | mov                 al, byte ptr [esp + edx + 0x3d24]

        $sequence_8 = { c68414584a000075 e9???????? c68414584a00006e e9???????? c68414584a00002d }
            // n = 5, score = 200
            //   c68414584a000075     | dec                 eax
            //   e9????????           |
            //   c68414584a00006e     | lea                 edx, [esp + 0x1f40]
            //   e9????????           |
            //   c68414584a00002d     | jmp                 0x28

        $sequence_9 = { 488905???????? e8???????? 4c8d1d35f60100 498bcc }
            // n = 4, score = 200
            //   488905????????       |
            //   e8????????           |
            //   4c8d1d35f60100       | lea                 ebx, [esp + 0x290]
            //   498bcc               | dec                 eax

        $sequence_10 = { c68414741000006c e9???????? c684147410000064 e9???????? c684147410000070 e9???????? }
            // n = 6, score = 200
            //   c68414741000006c     | inc                 ebp
            //   e9????????           |
            //   c684147410000064     | test                eax, eax
            //   e9????????           |
            //   c684147410000070     | je                  0x1de
            //   e9????????           |

        $sequence_11 = { c684143c43000025 e9???????? c684143c4300002a e9???????? c684143c43000026 }
            // n = 5, score = 200
            //   c684143c43000025     | jne                 0xfffffff0
            //   e9????????           |
            //   c684143c4300002a     | dec                 eax
            //   e9????????           |
            //   c684143c43000026     | lea                 edx, [esp + 0x180]

        $sequence_12 = { eb26 c684141c3b00002f eb1c c684141c3b00003f eb12 }
            // n = 5, score = 200
            //   eb26                 | ja                  0x16c
            //   c684141c3b00002f     | dec                 eax
            //   eb1c                 | cwde
            //   c684141c3b00003f     | movzx               eax, byte ptr [eax + ebp + 0x111a4]
            //   eb12                 | mov                 ecx, dword ptr [ebp + eax*4 + 0x110d0]

        $sequence_13 = { 4883e901 4188440bde 75f0 41c60300 }
            // n = 4, score = 200
            //   4883e901             | dec                 eax
            //   4188440bde           | sub                 ecx, 1
            //   75f0                 | inc                 ecx
            //   41c60300             | mov                 byte ptr [ebx + ecx - 0x22], al

        $sequence_14 = { 4883c201 4983e901 0f853ffeffff 488d942490130000 488bcf ff15???????? }
            // n = 6, score = 200
            //   4883c201             | dec                 esp
            //   4983e901             | lea                 ecx, [0xf438]
            //   0f853ffeffff         | dec                 esp
            //   488d942490130000     | cmp                 dword ptr [eax - 0x10], ecx
            //   488bcf               | je                  0x12
            //   ff15????????         |

        $sequence_15 = { c68414203c00003a e9???????? c68414203c000023 e9???????? c68414203c000021 e9???????? c68414203c000025 }
            // n = 7, score = 200
            //   c68414203c00003a     | mov                 byte ptr [esp + edx + 0x3b1c], 0x2f
            //   e9????????           |
            //   c68414203c000023     | jmp                 0x26
            //   e9????????           |
            //   c68414203c000021     | mov                 byte ptr [esp + edx + 0x3b1c], 0x3f
            //   e9????????           |
            //   c68414203c000025     | jmp                 0x26

    // Any 7 of the 16 sequences must match; the filesize cap bounds the rule
    // to the unpacked/dumped size class the generator saw for this sample.
    condition:
        7 of them and filesize < 434176
}