Ransomware, potential rebranding of win.sfile.
rule win_mindware_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.mindware." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0fb689f0d84400 314d10 8b4d10 334dec 330d???????? } // n = 5, score = 100 // 0fb689f0d84400 | movzx ecx, byte ptr [ecx + 0x44d8f0] // 314d10 | xor dword ptr [ebp + 0x10], ecx // 8b4d10 | mov ecx, dword ptr [ebp + 0x10] // 334dec | xor ecx, dword ptr [ebp - 0x14] // 330d???????? | $sequence_1 = { 660fefca f30f7f0a 660f6fd1 75c0 8d05a0914400 660f6f00 } // n = 6, score = 100 // 660fefca | pxor xmm1, xmm2 // f30f7f0a | movdqu xmmword ptr [edx], xmm1 // 660f6fd1 | movdqa xmm2, xmm1 // 75c0 | jne 0xffffffc2 // 8d05a0914400 | lea eax, [0x4491a0] // 660f6f00 | movdqa xmm0, xmmword ptr [eax] $sequence_2 = { c785d0ebffff90d34300 c785d4ebffff98d34300 c785d8ebffffb8d34300 c785dcebffffc0d34300 c785e0ebffffc8d34300 c785e4ebffffd0d34300 c785e8ebffffe0d34300 } // n = 7, score = 100 // c785d0ebffff90d34300 | mov dword ptr [ebp - 0x1430], 0x43d390 // c785d4ebffff98d34300 | mov dword ptr [ebp - 0x142c], 0x43d398 // c785d8ebffffb8d34300 | mov dword ptr [ebp - 0x1428], 0x43d3b8 // c785dcebffffc0d34300 | mov dword ptr [ebp - 0x1424], 0x43d3c0 // c785e0ebffffc8d34300 | mov dword ptr [ebp - 0x1420], 0x43d3c8 // c785e4ebffffd0d34300 | mov dword ptr [ebp - 0x141c], 0x43d3d0 // c785e8ebffffe0d34300 | mov dword ptr [ebp - 0x1418], 0x43d3e0 $sequence_3 = { c745fc???????? 8d55cc 52 8b4508 83c010 50 ff15???????? } // n = 7, score = 100 // c745fc???????? | // 8d55cc | lea edx, [ebp - 0x34] // 52 | push edx // 8b4508 | mov eax, dword ptr [ebp + 8] // 83c010 | add eax, 0x10 // 50 | push eax // ff15???????? | $sequence_4 = { 7427 8b4d0c 894d98 8b5598 8b45cc 3b4204 7f16 } // n = 7, score = 100 // 7427 | je 0x29 // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 894d98 | mov dword ptr [ebp - 0x68], ecx // 8b5598 | mov edx, dword ptr [ebp - 0x68] // 8b45cc | mov eax, dword ptr [ebp - 0x34] // 3b4204 | cmp eax, dword ptr [edx + 4] // 7f16 | jg 0x18 $sequence_5 = { 8b55fc c7424000000000 c7424400000000 ff15???????? } // n = 4, score = 100 // 8b55fc | mov edx, dword ptr [ebp - 4] // c7424000000000 | mov dword ptr [edx + 0x40], 0 // c7424400000000 | mov dword ptr [edx + 0x44], 0 // ff15???????? | $sequence_6 = { 85c0 744b 837d1410 7515 8d8df8fdffff 51 8b5510 } // n = 7, score = 100 // 85c0 | test eax, eax // 744b | je 0x4d // 837d1410 | cmp dword ptr [ebp + 0x14], 0x10 // 7515 | jne 0x17 // 8d8df8fdffff | lea ecx, [ebp - 0x208] // 51 | push ecx // 8b5510 | mov edx, dword ptr [ebp + 0x10] $sequence_7 = { 6a00 8b856cffffff 50 8b8d68ffffff 51 8b55bc 52 } // n = 7, score = 100 // 6a00 | push 0 // 8b856cffffff | mov eax, dword ptr [ebp - 0x94] // 50 | push eax // 8b8d68ffffff | mov ecx, dword ptr [ebp - 0x98] // 51 | push ecx // 8b55bc | mov edx, dword ptr [ebp - 0x44] // 52 | push edx $sequence_8 = { c78540f1ffffbce04300 c78544f1ffffc4e04300 c78548f1ffffcce04300 c7854cf1ffffd4e04300 c78550f1ffffe0e04300 c78554f1ffffece04300 c78558f1fffff4e04300 } // n = 7, score = 100 // c78540f1ffffbce04300 | mov dword ptr [ebp - 0xec0], 0x43e0bc // c78544f1ffffc4e04300 | mov dword ptr [ebp - 0xebc], 0x43e0c4 // c78548f1ffffcce04300 | mov dword ptr [ebp - 0xeb8], 0x43e0cc // c7854cf1ffffd4e04300 | mov dword ptr [ebp - 0xeb4], 0x43e0d4 // c78550f1ffffe0e04300 | mov dword ptr [ebp - 0xeb0], 0x43e0e0 // c78554f1ffffece04300 | mov dword ptr [ebp - 0xeac], 0x43e0ec // c78558f1fffff4e04300 | mov dword ptr [ebp - 0xea8], 0x43e0f4 $sequence_9 = { c785ace9ffff60ce4300 c785b0e9ffff68ce4300 c785b4e9ffff70ce4300 c785b8e9ffff78ce4300 } // n = 4, score = 100 // c785ace9ffff60ce4300 | mov dword ptr [ebp - 0x1654], 0x43ce60 // c785b0e9ffff68ce4300 | mov dword ptr [ebp - 0x1650], 0x43ce68 // c785b4e9ffff70ce4300 | mov dword ptr [ebp - 0x164c], 0x43ce70 // c785b8e9ffff78ce4300 | mov dword ptr [ebp - 0x1648], 0x43ce78 condition: 7 of them and filesize < 661504 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY