There is no description at this point.
rule win_microcin_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7e18 80bc35a8feffff3a 741f 8d85a8feffff 46 50 ffd3 } // n = 7, score = 400 // 7e18 | jle 0x1a // 80bc35a8feffff3a | cmp byte ptr [ebp + esi - 0x158], 0x3a // 741f | je 0x21 // 8d85a8feffff | lea eax, [ebp - 0x158] // 46 | inc esi // 50 | push eax // ffd3 | call ebx $sequence_1 = { 488bc6 488b8df0040000 4833cc e8???????? 4881c400060000 } // n = 5, score = 400 // 488bc6 | mov dword ptr [esi + 0x14], 1 // 488b8df0040000 | dec ebp // 4833cc | lea eax, [esi + 0x80] // e8???????? | // 4881c400060000 | inc ecx $sequence_2 = { 56 ff15???????? 85c0 0f45f7 } // n = 4, score = 400 // 56 | push esi // ff15???????? | // 85c0 | test eax, eax // 0f45f7 | cmovne esi, edi $sequence_3 = { 50 ffd3 85c0 7e18 80bc35a8feffff3a } // n = 5, score = 400 // 50 | push eax // ffd3 | call ebx // 85c0 | test eax, eax // 7e18 | jle 0x1a // 80bc35a8feffff3a | cmp byte ptr [ebp + esi - 0x158], 0x3a $sequence_4 = { 4863c8 c6840d8002000045 488d8d80020000 ff15???????? 4863c8 c6840d8002000034 } // n = 6, score = 400 // 4863c8 | mov dword ptr [eax], eax // c6840d8002000045 | dec ecx // 488d8d80020000 | mov dword ptr [esi + 0x88], esi // ff15???????? | // 4863c8 | dec eax // c6840d8002000034 | mov eax, esi $sequence_5 = { 6805100000 68ffff0000 56 8b35???????? ffd6 } // n = 5, score = 400 // 6805100000 | push 0x1005 // 68ffff0000 | push 0xffff // 56 | push esi // 8b35???????? | // ffd6 | call esi $sequence_6 = { ff15???????? 8b1d???????? 8d85a8feffff 50 } // n = 4, score = 400 // ff15???????? | // 8b1d???????? | // 8d85a8feffff | lea eax, [ebp - 0x158] // 50 | push eax $sequence_7 = { 895e10 c7461401000000 4d8d8680000000 418900 4989b688000000 } // n = 5, score = 400 // 895e10 | xor edx, edx // c7461401000000 | dec ecx // 4d8d8680000000 | lea ecx, [esi + 0x70] // 418900 | test eax, eax // 4989b688000000 | mov dword ptr [esi + 0x10], ebx $sequence_8 = { 897e04 5b 5f 5e 5d c20400 55 } // n = 7, score = 400 // 897e04 | mov dword ptr [esi + 4], edi // 5b | pop ebx // 5f | pop edi // 5e | pop esi // 5d | pop ebp // c20400 | ret 4 // 55 | push ebp $sequence_9 = { 83c40c 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff } // n = 6, score = 400 // 83c40c | add esp, 0xc // 8d85f8feffff | lea eax, [ebp - 0x108] // 6804010000 | push 0x104 // 50 | push eax // ff15???????? | // 8d85f8feffff | lea eax, [ebp - 0x108] $sequence_10 = { b8f5ffffff eb13 b8fcffffff eb0c b8fdffffff eb05 } // n = 6, score = 400 // b8f5ffffff | dec eax // eb13 | lea ecx, [esp + 0x60] // b8fcffffff | dec eax // eb0c | arpl ax, cx // b8fdffffff | dec eax // eb05 | lea ecx, [esp + 0x60] $sequence_11 = { 488bcb 664489642438 488bf0 ff15???????? 0fb7cf 8944243c ff15???????? } // n = 7, score = 400 // 488bcb | dec eax // 664489642438 | mov ecx, ebx // 488bf0 | inc sp // ff15???????? | // 0fb7cf | mov dword ptr [esp + 0x38], esp // 8944243c | dec eax // ff15???????? | $sequence_12 = { 4863c8 807c0c5f5c 7413 488d4c2460 } // n = 4, score = 400 // 4863c8 | arpl ax, cx // 807c0c5f5c | mov byte ptr [ebp + ecx + 0x280], 0x45 // 7413 | dec eax // 488d4c2460 | lea ecx, [ebp + 0x280] $sequence_13 = { ff15???????? 85c0 7426 8b400c } // n = 4, score = 400 // ff15???????? | // 85c0 | test eax, eax // 7426 | je 0x28 // 8b400c | mov eax, dword ptr [eax + 0xc] $sequence_14 = { 33d2 498d4e70 ff15???????? 85c0 } // n = 4, score = 400 // 33d2 | mov esi, eax // 498d4e70 | movzx ecx, di // ff15???????? | // 85c0 | mov dword ptr [esp + 0x3c], eax $sequence_15 = { 7413 488d4c2460 ff15???????? 4863c8 } // n = 4, score = 400 // 7413 | dec eax // 488d4c2460 | mov ecx, dword ptr [ebp + 0x4f0] // ff15???????? | // 4863c8 | dec eax $sequence_16 = { 4c8d0535120100 33c0 498bd0 3b0a 740e } // n = 5, score = 200 // 4c8d0535120100 | inc ecx // 33c0 | mov dword ptr [esi + 0x84], 4 // 498bd0 | inc ebp // 3b0a | xor ecx, ecx // 740e | xor edx, edx $sequence_17 = { 8b55ec 52 ff15???????? 8b4df0 } // n = 4, score = 200 // 8b55ec | mov edx, dword ptr [ebp - 0x14] // 52 | push edx // ff15???????? | // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] $sequence_18 = { 4883c428 c3 4883ec28 e8???????? 4885c0 740a } // n = 6, score = 200 // 4883c428 | lea ecx, [esi + 0x70] // c3 | test eax, eax // 4883ec28 | dec eax // e8???????? | // 4885c0 | mov ecx, ebx // 740a | dec eax $sequence_19 = { 8a4c181c 888818384100 40 ebe9 } // n = 4, score = 200 // 8a4c181c | mov cl, byte ptr [eax + ebx + 0x1c] // 888818384100 | mov byte ptr [eax + 0x413818], cl // 40 | inc eax // ebe9 | jmp 0xffffffeb $sequence_20 = { 51 8b4508 8945fc 8b4dfc 8b11 8b4dfc } // n = 6, score = 200 // 51 | push ecx // 8b4508 | mov eax, dword ptr [ebp + 8] // 8945fc | mov dword ptr [ebp - 4], eax // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 8b11 | mov edx, dword ptr [ecx] // 8b4dfc | mov ecx, dword ptr [ebp - 4] $sequence_21 = { 00644b40 008c4b40008a46 0323 d188470383ee } // n = 4, score = 200 // 00644b40 | add byte ptr [ebx + ecx*2 + 0x40], ah // 008c4b40008a46 | add byte ptr [ebx + ecx*2 + 0x468a0040], cl // 0323 | add esp, dword ptr [ebx] // d188470383ee | ror dword ptr [eax - 0x117cfcb9], 1 $sequence_22 = { 85c0 752a 4c8d0502130100 8bd7 498bcd e8???????? 85c0 } // n = 7, score = 200 // 85c0 | inc ecx // 752a | mov dword ptr [esi + 0x84], 4 // 4c8d0502130100 | inc ebp // 8bd7 | xor ecx, ecx // 498bcd | xor edx, edx // e8???????? | // 85c0 | dec ecx $sequence_23 = { 668935???????? 498bd5 ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 } // n = 7, score = 200 // 668935???????? | // 498bd5 | dec ecx // ff15???????? | // 418d7c24e7 | lea ecx, [esi + 0x70] // 85c0 | test eax, eax // 752a | dec eax // 4c8d0502130100 | mov ecx, ebx $sequence_24 = { fa fa fa fa } // n = 4, score = 200 // fa | js 0x6c // fa | jae 0x72 // fa | imul esp, dword ptr [ebp + 0x72], 0x6e656761 // fa | je 0x30 $sequence_25 = { 6828010000 8d85ccfeffff 6a00 50 } // n = 4, score = 200 // 6828010000 | mov edx, dword ptr [ecx] // 8d85ccfeffff | mov ecx, dword ptr [ebp - 4] // 6a00 | cmp dword ptr [ebp + edx*4 - 0x188], 0 // 50 | jge 0x3e $sequence_26 = { 8bec 8b4508 56 8d34c5c0304100 833e00 } // n = 5, score = 200 // 8bec | mov ebp, esp // 8b4508 | mov eax, dword ptr [ebp + 8] // 56 | push esi // 8d34c5c0304100 | lea esi, [eax*8 + 0x4130c0] // 833e00 | cmp dword ptr [esi], 0 $sequence_27 = { 83bc9578feffff00 7d34 8b857cffffff 8b8c8578feffff 83c104 8b957cffffff } // n = 6, score = 200 // 83bc9578feffff00 | cmp dword ptr [ebp + edx*4 - 0x188], 0 // 7d34 | jge 0x36 // 8b857cffffff | mov eax, dword ptr [ebp - 0x84] // 8b8c8578feffff | mov ecx, dword ptr [ebp + eax*4 - 0x188] // 83c104 | add ecx, 4 // 8b957cffffff | mov edx, dword ptr [ebp - 0x84] $sequence_28 = { 7370 696465726167656e 742e 657865 } // n = 4, score = 200 // 7370 | mov ecx, dword ptr [ebp - 4] // 696465726167656e | mov dword ptr [eax + 0x20], ecx // 742e | mov edx, dword ptr [ebp - 8] // 657865 | add edx, 8 $sequence_29 = { cc 4c8d056c120100 498bd4 488bcd e8???????? 85c0 } // n = 6, score = 200 // cc | dec eax // 4c8d056c120100 | mov ecx, dword ptr [ebx + 0xc0] // 498bd4 | nop // 488bcd | dec eax // e8???????? | // 85c0 | mov ecx, dword ptr [ebx + 0xa8] $sequence_30 = { 636373 7673 6873742e65 7865 } // n = 4, score = 200 // 636373 | mov byte ptr [eax + 0x413818], cl // 7673 | inc eax // 6873742e65 | jmp 0xfffffff2 // 7865 | mov eax, dword ptr [ebp - 8] $sequence_31 = { 498bcd e8???????? 4c8d05b7120100 41b903000000 } // n = 4, score = 200 // 498bcd | mov ecx, dword ptr [ebp + 0x1b0] // e8???????? | // 4c8d05b7120100 | dec eax // 41b903000000 | xor ecx, esp $sequence_32 = { 45 6e 7669 726f 6e 6d 656e } // n = 7, score = 200 // 45 | push edx // 6e | jns 7 // 7669 | dec ecx // 726f | or ecx, 0xfffffff8 // 6e | inc ecx // 6d | mov byte ptr [ebp - 6], cl // 656e | mov edx, dword ptr [ebp + 0xc] $sequence_33 = { 8b45f8 8b4dfc 894820 8b55f8 83c208 52 ff15???????? } // n = 7, score = 200 // 8b45f8 | mov eax, dword ptr [ebp - 8] // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 894820 | mov dword ptr [eax + 0x20], ecx // 8b55f8 | mov edx, dword ptr [ebp - 8] // 83c208 | add edx, 8 // 52 | push edx // ff15???????? | $sequence_34 = { 744c 8b55f8 6bd268 035510 8b45fc 6bc068 } // n = 6, score = 200 // 744c | je 0x4e // 8b55f8 | mov edx, dword ptr [ebp - 8] // 6bd268 | imul edx, edx, 0x68 // 035510 | add edx, dword ptr [ebp + 0x10] // 8b45fc | mov eax, dword ptr [ebp - 4] // 6bc068 | imul eax, eax, 0x68 $sequence_35 = { 49 53 53 56 43 } // n = 5, score = 200 // 49 | mov eax, dword ptr [ebp - 0x84] // 53 | mov ecx, dword ptr [ebp + eax*4 - 0x188] // 53 | add ecx, 4 // 56 | mov edx, dword ptr [ebp - 0x84] // 43 | mov cl, byte ptr [eax + ebx + 0x1c] $sequence_36 = { 4533c0 418d5001 e9???????? 4053 4883ec20 8bd9 e8???????? } // n = 7, score = 200 // 4533c0 | mov ecx, eax // 418d5001 | dec esp // e9???????? | // 4053 | lea eax, [0x11235] // 4883ec20 | xor eax, eax // 8bd9 | dec ecx // e8???????? | $sequence_37 = { 488d0d950c0100 ff15???????? 4885c0 7419 488d15730c0100 488bc8 } // n = 6, score = 200 // 488d0d950c0100 | cmovne esi, edi // ff15???????? | // 4885c0 | lea eax, [ebp - 0x54] // 7419 | push eax // 488d15730c0100 | push 0x80000001 // 488bc8 | test eax, eax $sequence_38 = { 8d44243c 50 ffd3 8d44243c 50 } // n = 5, score = 100 // 8d44243c | push ebp // 50 | mov ebp, esp // ffd3 | xor ecx, ecx // 8d44243c | cmp dword ptr [ebp + 0xc], ecx // 50 | jbe 0x2c $sequence_39 = { 4c 89ce eb02 33ff 48 89da } // n = 6, score = 100 // 4c | imul esp, dword ptr [ebp + 0x72], 0x6e656761 // 89ce | je 0x38 // eb02 | js 0x72 // 33ff | jbe 0x6b // 48 | jb 0x71 // 89da | outsb dx, byte ptr [esi] $sequence_40 = { 660f7f45d0 660fd645e0 c745e800000000 66c745ec0000 ff15???????? } // n = 5, score = 100 // 660f7f45d0 | mov dl, byte ptr [ebp + 0x10] // 660fd645e0 | push esi // c745e800000000 | push dword ptr [ebp + 0x10] // 66c745ec0000 | push dword ptr [ebp + 0xc] // ff15???????? | $sequence_41 = { 7424 8d85ccfeffff 50 56 } // n = 4, score = 100 // 7424 | je 0x24 // 8d85ccfeffff | jne 0xffffffcd // 50 | push edi // 56 | push esi $sequence_42 = { 7422 68???????? 68???????? ff15???????? e8???????? } // n = 5, score = 100 // 7422 | outsb dx, byte ptr gs:[esi] // 68???????? | // 68???????? | // ff15???????? | // e8???????? | $sequence_43 = { 5a 48 8b4500 48 } // n = 4, score = 100 // 5a | insd dword ptr es:[edi], dx // 48 | outsb dx, byte ptr gs:[esi] // 8b4500 | jbe 0x6b // 48 | jb 0x71 $sequence_44 = { 75cb 57 ff15???????? 56 8d44245c } // n = 5, score = 100 // 75cb | outsb dx, byte ptr [esi] // 57 | insd dword ptr es:[edi], dx // ff15???????? | // 56 | outsb dx, byte ptr gs:[esi] // 8d44245c | je 5 $sequence_45 = { ff7510 ff750c ffd7 ff7518 } // n = 4, score = 100 // ff7510 | cli // ff750c | cli // ffd7 | cli // ff7518 | cli $sequence_46 = { 6a00 6800000080 6a00 6800000080 680000cf00 68???????? 8d842480000000 } // n = 7, score = 100 // 6a00 | call edi // 6800000080 | push dword ptr [ebp + 0x18] // 6a00 | push esi // 6800000080 | push esi // 680000cf00 | push dword ptr [ebp - 4] // 68???????? | // 8d842480000000 | call dword ptr [ebp - 0x14] $sequence_47 = { 50 ff35???????? ff15???????? 50 ff15???????? 50 6a00 } // n = 7, score = 100 // 50 | push 0x128 // ff35???????? | // ff15???????? | // 50 | lea eax, [ebp - 0x134] // ff15???????? | // 50 | push 0 // 6a00 | push eax $sequence_48 = { 8b9f98000000 8d541f05 3bc2 7609 83c705 } // n = 5, score = 100 // 8b9f98000000 | outsb dx, byte ptr [esi] // 8d541f05 | insd dword ptr es:[edi], dx // 3bc2 | outsb dx, byte ptr gs:[esi] // 7609 | je 8 // 83c705 | jae 0x72 $sequence_49 = { 55 8bec 33c9 394d0c 7623 8a5510 56 } // n = 7, score = 100 // 55 | jb 0x71 // 8bec | outsb dx, byte ptr [esi] // 33c9 | insd dword ptr es:[edi], dx // 394d0c | outsb dx, byte ptr gs:[esi] // 7623 | je 8 // 8a5510 | cli // 56 | cli condition: 7 of them and filesize < 417792 }
import "pe" rule win_microcin_w0 { meta: description = "Malware sample mentioned in Microcin technical report by Kaspersky" author = "Florian Roth" reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf" date = "2017-09-26" hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200" hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46" hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" malpedia_version = "20170413" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "e Class Descriptor at (" fullword ascii $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii $s4 = ".?AVCAppleBinRealClass@@" fullword ascii $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023") }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
