There is no description at this point.
rule win_microcin_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488b8df0040000 4833cc e8???????? 4881c400060000 415f } // n = 5, score = 300 // 488b8df0040000 | dec eax // 4833cc | lea ecx, [esp + 0x60] // e8???????? | // 4881c400060000 | dec eax // 415f | arpl ax, cx $sequence_1 = { 7413 488d4c2460 ff15???????? 4863c8 } // n = 4, score = 300 // 7413 | jmp 0xe // 488d4c2460 | mov eax, 0xfffffffd // ff15???????? | // 4863c8 | je 0x15 $sequence_2 = { 488bcb ff15???????? 488b8db0010000 4833cc e8???????? } // n = 5, score = 300 // 488bcb | mov byte ptr [esp + ecx + 0x60], 0x5c // ff15???????? | // 488b8db0010000 | dec eax // 4833cc | lea edx, [esp + 0x44] // e8???????? | $sequence_3 = { 57 4154 4156 4157 488dac2400fbffff 4881ec00060000 488b05???????? } // n = 7, score = 300 // 57 | dec eax // 4154 | mov ecx, dword ptr [ebp + 0x4f0] // 4156 | dec eax // 4157 | xor ecx, esp // 488dac2400fbffff | dec eax // 4881ec00060000 | add esp, 0x600 // 488b05???????? | $sequence_4 = { c74424484c773373 c744244c31674d5a e9???????? c744244849734541 c744244c7246316b } // n = 5, score = 300 // c74424484c773373 | mov ecx, dword ptr [ebp + 0x1b0] // c744244c31674d5a | dec eax // e9???????? | // c744244849734541 | xor ecx, esp // c744244c7246316b | push edi $sequence_5 = { ff15???????? 4863c8 c6840d8002000075 488d8d80020000 } // n = 4, score = 300 // ff15???????? | // 4863c8 | dec eax // c6840d8002000075 | arpl ax, cx // 488d8d80020000 | mov byte ptr [ebp + ecx + 0x280], 0x75 $sequence_6 = { 488d8d80020000 ff15???????? 4863c8 c6840d8002000068 488d8d80020000 ff15???????? 4863c8 } // n = 7, score = 300 // 488d8d80020000 | inc ecx // ff15???????? | // 4863c8 | pop edi // c6840d8002000068 | dec eax // 488d8d80020000 | mov ecx, ebx // ff15???????? | // 4863c8 | dec eax $sequence_7 = { b8f5ffffff eb13 b8fcffffff eb0c b8fdffffff } // n = 5, score = 300 // b8f5ffffff | dec eax // eb13 | lea ecx, [ebp + 0x280] // b8fcffffff | mov eax, 0xfffffff5 // eb0c | jmp 0x1a // b8fdffffff | mov eax, 0xfffffffc $sequence_8 = { 636373 7673 6873742e65 7865 } // n = 4, score = 200 // 636373 | add eax, dword ptr [ecx + 0x20] // 7673 | mov byte ptr [ebp - 5], al // 6873742e65 | mov edx, dword ptr [ebp - 0xc] // 7865 | mov eax, dword ptr [edx + 0x20] $sequence_9 = { 83c001 8945fc c7857cdfffff00000000 eb0f 8b8d7cdfffff } // n = 5, score = 200 // 83c001 | add eax, 1 // 8945fc | mov dword ptr [ebp - 4], eax // c7857cdfffff00000000 | mov dword ptr [ebp - 0x2084], 0 // eb0f | jmp 0x11 // 8b8d7cdfffff | mov ecx, dword ptr [ebp - 0x2084] $sequence_10 = { 83c8ff 4883c428 c3 4883ec28 e8???????? 4885c0 } // n = 6, score = 200 // 83c8ff | dec eax // 4883c428 | mov ecx, ebp // c3 | test eax, eax // 4883ec28 | jne 0x21 // e8???????? | // 4885c0 | dec eax $sequence_11 = { ff15???????? 8b1d???????? 8d85a8feffff 50 } // n = 4, score = 200 // ff15???????? | // 8b1d???????? | // 8d85a8feffff | lea eax, [ebp - 0x158] // 50 | push eax $sequence_12 = { 7419 488d15730c0100 488bc8 ff15???????? 4885c0 7404 8bcb } // n = 7, score = 200 // 7419 | xor ecx, ecx // 488d15730c0100 | dec eax // 488bc8 | mov dword ptr [esp + 0x20], esi // ff15???????? | // 4885c0 | int3 // 7404 | dec esp // 8bcb | lea eax, [0x1126c] $sequence_13 = { 50 6805100000 68ffff0000 56 8b35???????? } // n = 5, score = 200 // 50 | push eax // 6805100000 | push 0x1005 // 68ffff0000 | push 0xffff // 56 | push esi // 8b35???????? | $sequence_14 = { 488bcd e8???????? 85c0 751a 488d15f8110100 41b810200100 } // n = 6, score = 200 // 488bcd | mov byte ptr [ebp + ecx + 0x280], 0x34 // e8???????? | // 85c0 | dec eax // 751a | lea ecx, [ebp + 0x280] // 488d15f8110100 | dec eax // 41b810200100 | test eax, eax $sequence_15 = { 6a00 6a00 ff15???????? 8945ec 8b4df0 } // n = 5, score = 200 // 6a00 | push 0 // 6a00 | push 0 // ff15???????? | // 8945ec | mov dword ptr [ebp - 0x14], eax // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] $sequence_16 = { 668935???????? 498bd5 ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 } // n = 7, score = 200 // 668935???????? | // 498bd5 | lea ecx, [0x10c95] // ff15???????? | // 418d7c24e7 | dec eax // 85c0 | test eax, eax // 752a | je 0x27 // 4c8d0502130100 | dec eax $sequence_17 = { 7647 498bcd e8???????? 4c8d05b7120100 41b903000000 488d4c45bc } // n = 6, score = 200 // 7647 | lea edx, [0x10c73] // 498bcd | int3 // e8???????? | // 4c8d05b7120100 | dec esp // 41b903000000 | lea eax, [0x1126c] // 488d4c45bc | dec ecx $sequence_18 = { cc 4c8d056c120100 498bd4 488bcd e8???????? } // n = 5, score = 200 // cc | jne 0x17 // 4c8d056c120100 | mov dword ptr [esp + 0x48], 0x7333774c // 498bd4 | mov dword ptr [esp + 0x4c], 0x5a4d6731 // 488bcd | mov dword ptr [esp + 0x48], 0x41457349 // e8???????? | $sequence_19 = { b904000000 f7f1 83fa03 750b } // n = 4, score = 200 // b904000000 | mov ecx, 4 // f7f1 | div ecx // 83fa03 | cmp edx, 3 // 750b | jne 0xd $sequence_20 = { 8945fc 8d8da0f4ffff e8???????? c785c4f4ffff1a000000 } // n = 4, score = 200 // 8945fc | mov dword ptr [ebp - 4], eax // 8d8da0f4ffff | lea ecx, [ebp - 0xb60] // e8???????? | // c785c4f4ffff1a000000 | mov dword ptr [ebp - 0xb3c], 0x1a $sequence_21 = { 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff } // n = 5, score = 200 // 85c0 | test eax, eax // 7e18 | jle 0x1a // 80bc35a8feffff3a | cmp byte ptr [ebp + esi - 0x158], 0x3a // 741f | je 0x21 // 8d85a8feffff | lea eax, [ebp - 0x158] $sequence_22 = { 45 6e 7669 726f 6e } // n = 5, score = 200 // 45 | mov dword ptr [ebp - 0x2084], 0 // 6e | jmp 0x1b // 7669 | mov ecx, dword ptr [ebp - 0x2084] // 726f | movzx eax, byte ptr [ebp - 5] // 6e | mov ecx, dword ptr [ebp - 0xc] $sequence_23 = { 6828010000 8d85ccfeffff 6a00 50 } // n = 4, score = 200 // 6828010000 | cmp edx, 3 // 8d85ccfeffff | jne 0x10 // 6a00 | add eax, 1 // 50 | mov dword ptr [ebp - 4], eax $sequence_24 = { 8d85f8feffff 6804010000 50 ff15???????? 8d85f8feffff 50 } // n = 6, score = 200 // 8d85f8feffff | lea eax, [ebp - 0x108] // 6804010000 | push 0x104 // 50 | push eax // ff15???????? | // 8d85f8feffff | lea eax, [ebp - 0x108] // 50 | push eax $sequence_25 = { 56 ff15???????? 85c0 0f45f7 } // n = 4, score = 200 // 56 | push esi // ff15???????? | // 85c0 | test eax, eax // 0f45f7 | cmovne esi, edi $sequence_26 = { 7370 696465726167656e 742e 657865 } // n = 4, score = 200 // 7370 | cli // 696465726167656e | cli // 742e | cli // 657865 | cli $sequence_27 = { 894c9580 ba20000000 2b957cffffff 8b857cffffff 8b4d0c } // n = 5, score = 200 // 894c9580 | mov dword ptr [ebp + edx*4 - 0x80], ecx // ba20000000 | mov edx, 0x20 // 2b957cffffff | sub edx, dword ptr [ebp - 0x84] // 8b857cffffff | mov eax, dword ptr [ebp - 0x84] // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] $sequence_28 = { ff15???????? 0fb645fb 8b4df4 034120 8845fb 8b55f4 8b4220 } // n = 7, score = 200 // ff15???????? | // 0fb645fb | movzx eax, byte ptr [ebp - 5] // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 034120 | add eax, dword ptr [ecx + 0x20] // 8845fb | mov byte ptr [ebp - 5], al // 8b55f4 | mov edx, dword ptr [ebp - 0xc] // 8b4220 | mov eax, dword ptr [edx + 0x20] $sequence_29 = { ff15???????? 8b3d???????? 8d85e0feffff 50 } // n = 4, score = 200 // ff15???????? | // 8b3d???????? | // 8d85e0feffff | lea eax, [ebp - 0x120] // 50 | push eax $sequence_30 = { 726f 6e 6d 656e 7400 } // n = 5, score = 200 // 726f | cli // 6e | cli // 6d | cli // 656e | inc ebp // 7400 | outsb dx, byte ptr [esi] $sequence_31 = { 4c8d0574130100 488bcd 418bd4 e8???????? } // n = 4, score = 200 // 4c8d0574130100 | lea eax, [0x1126c] // 488bcd | dec ecx // 418bd4 | mov edx, esp // e8???????? | $sequence_32 = { 8d45ac 50 6801000080 ff15???????? } // n = 4, score = 200 // 8d45ac | lea eax, [ebp - 0x54] // 50 | push eax // 6801000080 | push 0x80000001 // ff15???????? | $sequence_33 = { fa fa fa fa fa fa fa } // n = 7, score = 200 // fa | mov dword ptr [ebp + edx*4 - 0x80], ecx // fa | mov edx, 0x20 // fa | sub edx, dword ptr [ebp - 0x84] // fa | mov eax, dword ptr [ebp - 0x84] // fa | mov ecx, dword ptr [ebp + 0xc] // fa | push 0 // fa | push 0 $sequence_34 = { ff75d4 e8???????? 83c40c 8bc7 } // n = 4, score = 200 // ff75d4 | push dword ptr [ebp - 0x2c] // e8???????? | // 83c40c | add esp, 0xc // 8bc7 | mov eax, edi $sequence_35 = { 7d44 c745f400000000 eb09 8b4df4 83c103 894df4 } // n = 6, score = 200 // 7d44 | jge 0x46 // c745f400000000 | mov dword ptr [ebp - 0xc], 0 // eb09 | jmp 0xb // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 83c103 | add ecx, 3 // 894df4 | mov dword ptr [ebp - 0xc], ecx $sequence_36 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? 4885c0 7419 488d15730c0100 } // n = 7, score = 200 // 4883ec20 | lea eax, [esp + 0x10] // 8bd9 | push eax // 488d0d950c0100 | push 0 // ff15???????? | // 4885c0 | push 0x10000003 // 7419 | dec eax // 488d15730c0100 | test eax, eax $sequence_37 = { 49 53 53 56 } // n = 4, score = 200 // 49 | jbe 0x6b // 53 | jb 0x73 // 53 | outsb dx, byte ptr [esi] // 56 | insd dword ptr es:[edi], dx $sequence_38 = { 8955f8 c745f400000000 eb09 8b55f4 83c202 } // n = 5, score = 200 // 8955f8 | mov dword ptr [ebp - 8], edx // c745f400000000 | mov dword ptr [ebp - 0xc], 0 // eb09 | jmp 0xb // 8b55f4 | mov edx, dword ptr [ebp - 0xc] // 83c202 | add edx, 2 $sequence_39 = { 50 ff15???????? 0fb785c4feffff 50 } // n = 4, score = 100 // 50 | mov dword ptr [ebp - 0x88], 0x3c // ff15???????? | // 0fb785c4feffff | push eax // 50 | mov dword ptr [edi], eax $sequence_40 = { 3bce 72f3 6a00 ff35???????? ff15???????? 3d404b4c00 } // n = 6, score = 100 // 3bce | outsb dx, byte ptr [esi] // 72f3 | jbe 0x6b // 6a00 | jb 0x73 // ff35???????? | // ff15???????? | // 3d404b4c00 | outsb dx, byte ptr [esi] $sequence_41 = { 8d85acfeffff 50 ff35???????? ff15???????? 50 } // n = 5, score = 100 // 8d85acfeffff | mov dword ptr [ebp - 0x78], eax // 50 | lea eax, [ebp - 0x18c] // ff35???????? | // ff15???????? | // 50 | mov dword ptr [ebp - 0x74], eax $sequence_42 = { ffd6 6a01 58 ebb9 55 } // n = 5, score = 100 // ffd6 | dec eax // 6a01 | lea ecx, [ebp + eax*2 - 0x44] // 58 | dec eax // ebb9 | mov eax, ecx // 55 | or eax, 0xffffffff $sequence_43 = { 68???????? eb29 6a20 8d45bc } // n = 4, score = 100 // 68???????? | // eb29 | outsb dx, byte ptr [esi] // 6a20 | insd dword ptr es:[edi], dx // 8d45bc | inc ebp $sequence_44 = { 894588 8d8574feffff 89458c 83c42c 8d8578ffffff 50 c78578ffffff3c000000 } // n = 7, score = 100 // 894588 | cli // 8d8574feffff | cli // 89458c | cli // 83c42c | cli // 8d8578ffffff | cli // 50 | cli // c78578ffffff3c000000 | jbe 0x6b $sequence_45 = { 8d85d4f4ffff 50 ff15???????? 6804010000 } // n = 4, score = 100 // 8d85d4f4ffff | insd dword ptr es:[edi], dx // 50 | outsb dx, byte ptr gs:[esi] // ff15???????? | // 6804010000 | je 4 $sequence_46 = { 8b0410 45 2b4330 44 8902 } // n = 5, score = 100 // 8b0410 | dec eax // 45 | add esp, 0x28 // 2b4330 | ret // 44 | dec eax // 8902 | sub esp, 0x28 $sequence_47 = { ff15???????? 8bf8 85ff 7523 56 8d44245c } // n = 6, score = 100 // ff15???????? | // 8bf8 | push dword ptr [esi + 0x14] // 85ff | add esp, 0x14 // 7523 | test eax, eax // 56 | push 0x128 // 8d44245c | lea eax, [ebp - 0x134] $sequence_48 = { 68a00f0000 56 ff15???????? 8934fd58d04000 } // n = 4, score = 100 // 68a00f0000 | add esp, 0x2c // 56 | lea eax, [ebp - 0x88] // ff15???????? | // 8934fd58d04000 | push eax condition: 7 of them and filesize < 417792 }
import "pe" rule win_microcin_w0 { meta: description = "Malware sample mentioned in Microcin technical report by Kaspersky" author = "Florian Roth" reference = "https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf" date = "2017-09-26" hash1 = "49816eefcd341d7a9c1715e1f89143862d4775ba4f9730397a1e8529f5f5e200" hash2 = "a73f8f76a30ad5ab03dd503cc63de3a150e6ab75440c1060d75addceb4270f46" hash3 = "9dd9bb13c2698159eb78a0ecb4e8692fd96ca4ecb50eef194fa7479cb65efb7c" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" malpedia_version = "20170413" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "e Class Descriptor at (" fullword ascii $s2 = ".?AVCAntiAntiAppleFrameRealClass@@" fullword ascii $s3 = ".?AVCAntiAntiAppleFrameBaseClass@@" fullword ascii $s4 = ".?AVCAppleBinRealClass@@" fullword ascii $s5 = ".?AVCAppleBinBaseClass@@" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and (4 of them or pe.imphash() == "897077ca318eaf629cfe74569f10e023") }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
