Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
rule win_medusa_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 387cffff ff06 0e 057d2d0100 0411 0d209444bb } // n = 6, score = 100 // 387cffff | cmp byte ptr [edi + edi*8 - 1], bh // ff06 | inc dword ptr [esi] // 0e | push cs // 057d2d0100 | add eax, 0x12d7d // 0411 | add al, 0x11 // 0d209444bb | or eax, 0xbb449420 $sequence_1 = { 8e9720009a63 a1???????? 7c30 5a 20e4 } // n = 5, score = 100 // 8e9720009a63 | mov ss, word ptr [edi + 0x639a0020] // a1???????? | // 7c30 | jl 0x32 // 5a | pop edx // 20e4 | and ah, ah $sequence_2 = { ff06 0e 057d2d0100 0411 0d209444bb } // n = 5, score = 100 // ff06 | inc dword ptr [esi] // 0e | push cs // 057d2d0100 | add eax, 0x12d7d // 0411 | add al, 0x11 // 0d209444bb | or eax, 0xbb449420 $sequence_3 = { 0820 7ddd 5a 8b25???????? } // n = 4, score = 100 // 0820 | or byte ptr [eax], ah // 7ddd | jge 0xffffffdf // 5a | pop edx // 8b25???????? | $sequence_4 = { 057d2d0100 0411 0d209444bb be5a20826e 4d 96 } // n = 6, score = 100 // 057d2d0100 | add eax, 0x12d7d // 0411 | add al, 0x11 // 0d209444bb | or eax, 0xbb449420 // be5a20826e | mov esi, 0x6e82205a // 4d | dec ebp // 96 | xchg eax, esi $sequence_5 = { 0e 04de 00443701 0000 } // n = 4, score = 100 // 0e | push cs // 04de | add al, 0xde // 00443701 | add byte ptr [edi + esi + 1], al // 0000 | add byte ptr [eax], al $sequence_6 = { 5a 20af8f57e661 387cffff ff06 0e 057d2d0100 0411 } // n = 7, score = 100 // 5a | pop edx // 20af8f57e661 | and byte ptr [edi + 0x61e6578f], ch // 387cffff | cmp byte ptr [edi + edi*8 - 1], bh // ff06 | inc dword ptr [esi] // 0e | push cs // 057d2d0100 | add eax, 0x12d7d // 0411 | add al, 0x11 $sequence_7 = { 20fc 36f5 ec 252b0620fc d6 bb61252611 0420 } // n = 7, score = 100 // 20fc | and ah, bh // 36f5 | cmc // ec | in al, dx // 252b0620fc | and eax, 0xfc20062b // d6 | salc // bb61252611 | mov ebx, 0x11262561 // 0420 | add al, 0x20 $sequence_8 = { 15d4280c00 002b 2058e6 a2???????? 002b } // n = 5, score = 100 // 15d4280c00 | adc eax, 0xc28d4 // 002b | add byte ptr [ebx], ch // 2058e6 | and byte ptr [eax - 0x1a], bl // a2???????? | // 002b | add byte ptr [ebx], ch $sequence_9 = { 0000 010c20 46 4c 15d4280c00 002b 2058e6 } // n = 7, score = 100 // 0000 | add byte ptr [eax], al // 010c20 | add dword ptr [eax], ecx // 46 | inc esi // 4c | dec esp // 15d4280c00 | adc eax, 0xc28d4 // 002b | add byte ptr [ebx], ch // 2058e6 | and byte ptr [eax - 0x1a], bl condition: 7 of them and filesize < 443392 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY