There is no description at this point.
rule win_microcin_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.microcin." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488b05???????? 4833c4 488985b0010000 488bd9 488d4c2458 } // n = 5, score = 400 // 488b05???????? | // 4833c4 | mov esi, eax // 488985b0010000 | lea eax, [ebp - 0x318] // 488bd9 | push 0 // 488d4c2458 | push eax $sequence_1 = { ff15???????? 4863c8 807c0c5f5c 7413 488d4c2460 } // n = 5, score = 400 // ff15???????? | // 4863c8 | add esp, 0xc // 807c0c5f5c | lea eax, [esp + 0x58] // 7413 | push eax // 488d4c2460 | push 0x30 $sequence_2 = { 50 6805100000 68ffff0000 56 8b35???????? ffd6 } // n = 6, score = 400 // 50 | mov byte ptr [ebp + ecx + 0x280], 0x33 // 6805100000 | dec eax // 68ffff0000 | lea ecx, [ebp + 0x280] // 56 | dec eax // 8b35???????? | // ffd6 | lea ecx, [ebp - 0x70] $sequence_3 = { 83c40c 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff } // n = 6, score = 400 // 83c40c | dec ecx // 8d85f8feffff | mov ecx, dword ptr [esi] // 6804010000 | inc esp // 50 | mov eax, edi // ff15???????? | // 8d85f8feffff | dec eax $sequence_4 = { e8???????? 488d4de0 e9???????? 488d542430 } // n = 4, score = 400 // e8???????? | // 488d4de0 | lea eax, [esp + 0x10] // e9???????? | // 488d542430 | sar esi, 1 $sequence_5 = { 7422 03d8 3bdf 741c 498b0e 448bc7 4863d3 } // n = 7, score = 400 // 7422 | push 0 // 03d8 | push eax // 3bdf | lea eax, [esp + 0x10] // 741c | push eax // 498b0e | push esi // 448bc7 | push 0x10000003 // 4863d3 | push edi $sequence_6 = { 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff 46 50 } // n = 7, score = 400 // 85c0 | arpl bx, dx // 7e18 | dec eax // 80bc35a8feffff3a | mov ecx, ebx // 741f | dec eax // 8d85a8feffff | mov ecx, dword ptr [ebp + 0x1b0] // 46 | dec eax // 50 | xor ecx, esp $sequence_7 = { 897e04 5b 5f 5e 5d c20400 55 } // n = 7, score = 400 // 897e04 | dec eax // 5b | lea ecx, [ebp + 0xa0] // 5f | mov byte ptr [ebp + ecx + 0x280], 0x34 // 5e | dec eax // 5d | lea ecx, [ebp + 0x280] // c20400 | dec eax // 55 | arpl ax, cx $sequence_8 = { 8b1d???????? 8d85a8feffff 50 ffd3 } // n = 4, score = 400 // 8b1d???????? | // 8d85a8feffff | test eax, eax // 50 | jle 0x1e // ffd3 | cmp byte ptr [ebp + esi - 0x158], 0x3a $sequence_9 = { 8d45ac 50 6801000080 ff15???????? 85c0 } // n = 5, score = 400 // 8d45ac | mov dword ptr [esp + 0x48], 0x41457349 // 50 | xor edx, edx // 6801000080 | dec eax // ff15???????? | // 85c0 | mov ebx, eax $sequence_10 = { 33d2 488bd8 ff15???????? 488d8da0000000 } // n = 4, score = 400 // 33d2 | xor eax, esp // 488bd8 | mov dword ptr [esp + 0x14], eax // ff15???????? | // 488d8da0000000 | mov ecx, dword ptr [ebp + 0xc] $sequence_11 = { 7515 c74424484c773373 c744244c31674d5a e9???????? c744244849734541 } // n = 5, score = 400 // 7515 | push eax // c74424484c773373 | call ebx // c744244c31674d5a | and esp, 0xfffffff8 // e9???????? | // c744244849734541 | sub esp, 0x18 $sequence_12 = { 4863c8 c6840d8002000077 488d8d80020000 ff15???????? } // n = 4, score = 400 // 4863c8 | push ecx // c6840d8002000077 | push esi // 488d8d80020000 | push 0x208 // ff15???????? | $sequence_13 = { 488bcb ff15???????? 488b8db0010000 4833cc } // n = 4, score = 400 // 488bcb | ret 0x10 // ff15???????? | // 488b8db0010000 | push edi // 4833cc | push dword ptr [ebp + 0x10] $sequence_14 = { 50 ffd3 85c0 7e18 80bc35a8feffff3a } // n = 5, score = 400 // 50 | dec eax // ffd3 | arpl ax, cx // 85c0 | mov byte ptr [ebp + ecx + 0x280], 0x77 // 7e18 | dec eax // 80bc35a8feffff3a | lea ecx, [ebp + 0x280] $sequence_15 = { ff15???????? 85c0 7426 8b400c } // n = 4, score = 400 // ff15???????? | // 85c0 | je 0x2b // 7426 | push eax // 8b400c | push esi $sequence_16 = { 4889742420 e8???????? cc 4c8d056c120100 } // n = 4, score = 200 // 4889742420 | dec eax // e8???????? | // cc | sub esp, 0x20 // 4c8d056c120100 | mov ebx, ecx $sequence_17 = { 6a00 8b4d14 51 68???????? } // n = 4, score = 200 // 6a00 | push 0 // 8b4d14 | mov ecx, dword ptr [ebp + 0x14] // 51 | push ecx // 68???????? | $sequence_18 = { 8bec 83ec10 56 57 c745f400000000 eb09 } // n = 6, score = 200 // 8bec | mov ebp, esp // 83ec10 | sub esp, 0x10 // 56 | push esi // 57 | push edi // c745f400000000 | mov dword ptr [ebp - 0xc], 0 // eb09 | jmp 0xb $sequence_19 = { 4c8d0502130100 8bd7 498bcd e8???????? 85c0 7415 4533c9 } // n = 7, score = 200 // 4c8d0502130100 | lea edx, [0x111f8] // 8bd7 | inc ecx // 498bcd | mov eax, 0x12010 // e8???????? | // 85c0 | dec eax // 7415 | mov ecx, ebp // 4533c9 | dec esp $sequence_20 = { 4883f83c 7647 498bcd e8???????? 4c8d05b7120100 } // n = 5, score = 200 // 4883f83c | jne 0x1c // 7647 | dec eax // 498bcd | lea edx, [0x111f8] // e8???????? | // 4c8d05b7120100 | inc ecx $sequence_21 = { 6828010000 8d85ccfeffff 6a00 50 } // n = 4, score = 200 // 6828010000 | push 0x128 // 8d85ccfeffff | lea eax, [ebp - 0x134] // 6a00 | push 0 // 50 | push eax $sequence_22 = { 8b45f4 0345f8 83f831 0f858e000000 } // n = 4, score = 200 // 8b45f4 | mov eax, dword ptr [ebp - 0xc] // 0345f8 | add eax, dword ptr [ebp - 8] // 83f831 | cmp eax, 0x31 // 0f858e000000 | jne 0x94 $sequence_23 = { 636373 7673 6873742e65 7865 } // n = 4, score = 200 // 636373 | arpl word ptr [ebx + 0x73], sp // 7673 | jbe 0x75 // 6873742e65 | push 0x652e7473 // 7865 | js 0x67 $sequence_24 = { 418d5001 e9???????? 4053 4883ec20 8bd9 } // n = 5, score = 200 // 418d5001 | inc ecx // e9???????? | // 4053 | lea edx, [eax + 1] // 4883ec20 | inc eax // 8bd9 | push ebx $sequence_25 = { eb0e 8b550c 0fb602 83c001 8b4d0c } // n = 5, score = 200 // eb0e | jmp 0x10 // 8b550c | mov edx, dword ptr [ebp + 0xc] // 0fb602 | movzx eax, byte ptr [edx] // 83c001 | add eax, 1 // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] $sequence_26 = { 7370 696465726167656e 742e 657865 } // n = 4, score = 200 // 7370 | jae 0x72 // 696465726167656e | imul esp, dword ptr [ebp + 0x72], 0x6e656761 // 742e | je 0x30 // 657865 | js 0x68 $sequence_27 = { 418d7c24e7 85c0 752a 4c8d0502130100 8bd7 498bcd } // n = 6, score = 200 // 418d7c24e7 | inc eax // 85c0 | push ebx // 752a | dec eax // 4c8d0502130100 | sub esp, 0x20 // 8bd7 | mov ebx, ecx // 498bcd | test eax, eax $sequence_28 = { 8b4df0 890c85003c4100 eb14 8b5514 } // n = 4, score = 200 // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] // 890c85003c4100 | mov dword ptr [eax*4 + 0x413c00], ecx // eb14 | jmp 0x16 // 8b5514 | mov edx, dword ptr [ebp + 0x14] $sequence_29 = { 8945f8 817df8c8000000 7d44 c745f400000000 } // n = 4, score = 200 // 8945f8 | mov dword ptr [ebp - 8], eax // 817df8c8000000 | cmp dword ptr [ebp - 8], 0xc8 // 7d44 | jge 0x46 // c745f400000000 | mov dword ptr [ebp - 0xc], 0 $sequence_30 = { 6a00 8b550c 52 68???????? 6a00 6a00 ff15???????? } // n = 7, score = 200 // 6a00 | push 0 // 8b550c | mov edx, dword ptr [ebp + 0xc] // 52 | push edx // 68???????? | // 6a00 | push 0 // 6a00 | push 0 // ff15???????? | $sequence_31 = { 85c0 751a 488d15f8110100 41b810200100 } // n = 4, score = 200 // 85c0 | inc ebp // 751a | xor eax, eax // 488d15f8110100 | inc ecx // 41b810200100 | lea edx, [eax + 1] $sequence_32 = { 49 53 53 56 43 } // n = 5, score = 200 // 49 | dec ecx // 53 | push ebx // 53 | push ebx // 56 | push esi // 43 | inc ebx $sequence_33 = { 488d15f8110100 41b810200100 488bcd e8???????? } // n = 4, score = 200 // 488d15f8110100 | test eax, eax // 41b810200100 | jne 0x1e // 488bcd | dec eax // e8???????? | $sequence_34 = { 6e 7669 726f 6e 6d 656e 7400 } // n = 7, score = 200 // 6e | outsb dx, byte ptr [esi] // 7669 | jbe 0x6b // 726f | jb 0x71 // 6e | outsb dx, byte ptr [esi] // 6d | insd dword ptr es:[edi], dx // 656e | outsb dx, byte ptr gs:[esi] // 7400 | je 2 $sequence_35 = { fa fa fa fa fa fa } // n = 6, score = 200 // fa | cli // fa | cli // fa | cli // fa | cli // fa | cli // fa | cli $sequence_36 = { 898c9578feffff 8b857cffffff 8b4c8584 83e901 8b957cffffff 894c9584 } // n = 6, score = 200 // 898c9578feffff | mov dword ptr [ebp + edx*4 - 0x188], ecx // 8b857cffffff | mov eax, dword ptr [ebp - 0x84] // 8b4c8584 | mov ecx, dword ptr [ebp + eax*4 - 0x7c] // 83e901 | sub ecx, 1 // 8b957cffffff | mov edx, dword ptr [ebp - 0x84] // 894c9584 | mov dword ptr [ebp + edx*4 - 0x7c], ecx $sequence_37 = { e8???????? 4c8d05b7120100 41b903000000 488d4c45bc } // n = 4, score = 200 // e8???????? | // 4c8d05b7120100 | dec esp // 41b903000000 | lea eax, [0x11302] // 488d4c45bc | mov edx, edi $sequence_38 = { 83e4f8 83ec18 a1???????? 33c4 89442414 8b4d0c 56 } // n = 7, score = 100 // 83e4f8 | jge 0x4d // 83ec18 | mov dword ptr [ebp - 0xc], 0 // a1???????? | // 33c4 | mov byte ptr [ebp - 9], dl // 89442414 | lea eax, [ebp - 0xc] // 8b4d0c | push eax // 56 | mov dword ptr [ebp - 0x18], eax $sequence_39 = { ff743810 ff45dc 8d85c0fdffff 50 } // n = 4, score = 100 // ff743810 | push dword ptr [eax + edi + 0x10] // ff45dc | inc dword ptr [ebp - 0x24] // 8d85c0fdffff | lea eax, [ebp - 0x240] // 50 | push eax $sequence_40 = { d1fe 6a55 ff34f5e0a24000 ff7508 } // n = 4, score = 100 // d1fe | push 0 // 6a55 | mov edx, dword ptr [ebp + 0xc] // ff34f5e0a24000 | push edx // ff7508 | push 0 $sequence_41 = { c7470405000000 ff7614 e8???????? 83c414 5b 85c0 } // n = 6, score = 100 // c7470405000000 | mov dword ptr [edi + 4], 5 // ff7614 | push dword ptr [esi + 0x14] // e8???????? | // 83c414 | add esp, 0x14 // 5b | pop ebx // 85c0 | test eax, eax $sequence_42 = { 56 ff15???????? 6808020000 8bf0 8d85e8fcffff 6a00 50 } // n = 7, score = 100 // 56 | jne 0x9a // ff15???????? | // 6808020000 | push 0 // 8bf0 | mov ecx, dword ptr [ebp + 0x14] // 8d85e8fcffff | push ecx // 6a00 | push 0 // 50 | mov edx, dword ptr [ebp + 0xc] $sequence_43 = { 8d442410 50 56 6803000010 57 } // n = 5, score = 100 // 8d442410 | mov dword ptr [ebp - 0xc], 0 // 50 | jmp 0x14 // 56 | mov ecx, dword ptr [ebp - 0x10] // 6803000010 | mov dword ptr [eax*4 + 0x413c00], ecx // 57 | jmp 0x16 $sequence_44 = { 85c0 7420 83f8ff 7412 8d44243c 50 ffd3 } // n = 7, score = 100 // 85c0 | jmp 0x10 // 7420 | mov edx, dword ptr [ebp + 0xc] // 83f8ff | movzx eax, byte ptr [edx] // 7412 | add eax, 1 // 8d44243c | mov ecx, dword ptr [ebp + 0xc] // 50 | mov dword ptr [ebp - 8], eax // ffd3 | cmp dword ptr [ebp - 8], 0xc8 $sequence_45 = { 83c40c 8d442458 68???????? 50 ff15???????? 6a30 8d442410 } // n = 7, score = 100 // 83c40c | push edx // 8d442458 | push 0 // 68???????? | // 50 | push 0 // ff15???????? | // 6a30 | mov ecx, dword ptr [ebp + 8] // 8d442410 | push ecx $sequence_46 = { 45 33db 89c7 49 } // n = 4, score = 100 // 45 | inc ebp // 33db | xor ebx, ebx // 89c7 | mov edi, eax // 49 | dec ecx $sequence_47 = { 49 8b4d28 e8???????? 85c0 741b } // n = 5, score = 100 // 49 | dec ecx // 8b4d28 | mov ecx, dword ptr [ebp + 0x28] // e8???????? | // 85c0 | test eax, eax // 741b | je 0x1d $sequence_48 = { c21000 57 ff7510 51 } // n = 4, score = 100 // c21000 | mov edx, dword ptr [ebp + 0x14] // 57 | mov eax, dword ptr [ebp - 0xc] // ff7510 | add eax, dword ptr [ebp - 8] // 51 | cmp eax, 0x31 $sequence_49 = { 44 2bc5 44 017950 4d 8b4e18 45 } // n = 7, score = 100 // 44 | inc esp // 2bc5 | sub eax, ebp // 44 | inc esp // 017950 | add dword ptr [ecx + 0x50], edi // 4d | dec ebp // 8b4e18 | mov ecx, dword ptr [esi + 0x18] // 45 | inc ebp condition: 7 of them and filesize < 417792 }
import "pe" rule win_microcin_w0 { meta: description = "Malware sample mentioned in Microcin technical report by Kaspersky" author = "Florian Roth" reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf" date = "2017-09-26" hash = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200" hash = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46" hash = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" malpedia_version = "20170413" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "e Class Descriptor at (" fullword ascii $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii $s4 = ".?AVCAppleBinRealClass@@" fullword ascii $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023") }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
