Ransomware, potential rebranding of win.sfile.
rule win_mindware_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.mindware." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 50 ff15???????? 8dbd48ffffff 32c0 b980000000 f3aa } // n = 6, score = 100 // 50 | push eax // ff15???????? | // 8dbd48ffffff | lea edi, [ebp - 0xb8] // 32c0 | xor al, al // b980000000 | mov ecx, 0x80 // f3aa | rep stosb byte ptr es:[edi], al $sequence_1 = { c78530e9ffffeccc4300 c78534e9fffff4cc4300 c78538e9ffff0ccd4300 c7853ce9ffff18cd4300 c78540e9ffff38cd4300 c78544e9ffff40cd4300 c78548e9ffff4ccd4300 } // n = 7, score = 100 // c78530e9ffffeccc4300 | mov dword ptr [ebp - 0x16d0], 0x43ccec // c78534e9fffff4cc4300 | mov dword ptr [ebp - 0x16cc], 0x43ccf4 // c78538e9ffff0ccd4300 | mov dword ptr [ebp - 0x16c8], 0x43cd0c // c7853ce9ffff18cd4300 | mov dword ptr [ebp - 0x16c4], 0x43cd18 // c78540e9ffff38cd4300 | mov dword ptr [ebp - 0x16c0], 0x43cd38 // c78544e9ffff40cd4300 | mov dword ptr [ebp - 0x16bc], 0x43cd40 // c78548e9ffff4ccd4300 | mov dword ptr [ebp - 0x16b8], 0x43cd4c $sequence_2 = { c7857cf4ffff24e94300 c78580f4ffff38e94300 c78584f4ffff40e94300 c78588f4ffff48e94300 c7858cf4ffff58e94300 } // n = 5, score = 100 // c7857cf4ffff24e94300 | mov dword ptr [ebp - 0xb84], 0x43e924 // c78580f4ffff38e94300 | mov dword ptr [ebp - 0xb80], 0x43e938 // c78584f4ffff40e94300 | mov dword ptr [ebp - 0xb7c], 0x43e940 // c78588f4ffff48e94300 | mov dword ptr [ebp - 0xb78], 0x43e948 // c7858cf4ffff58e94300 | mov dword ptr [ebp - 0xb74], 0x43e958 $sequence_3 = { c1e910 335808 0fb6c9 895df4 33148df0d04400 } // n = 5, score = 100 // c1e910 | shr ecx, 0x10 // 335808 | xor ebx, dword ptr [eax + 8] // 0fb6c9 | movzx ecx, cl // 895df4 | mov dword ptr [ebp - 0xc], ebx // 33148df0d04400 | xor edx, dword ptr [ecx*4 + 0x44d0f0] $sequence_4 = { 894dfc 89482c c1e918 897028 0fb699f0d84400 8b4dfc c1e910 } // n = 7, score = 100 // 894dfc | mov dword ptr [ebp - 4], ecx // 89482c | mov dword ptr [eax + 0x2c], ecx // c1e918 | shr ecx, 0x18 // 897028 | mov dword ptr [eax + 0x28], esi // 0fb699f0d84400 | movzx ebx, byte ptr [ecx + 0x44d8f0] // 8b4dfc | mov ecx, dword ptr [ebp - 4] // c1e910 | shr ecx, 0x10 $sequence_5 = { 0fb6c9 33148dc0c84400 335004 8b4dfc c1e908 8955e8 0fb6d1 } // n = 7, score = 100 // 0fb6c9 | movzx ecx, cl // 33148dc0c84400 | xor edx, dword ptr [ecx*4 + 0x44c8c0] // 335004 | xor edx, dword ptr [eax + 4] // 8b4dfc | mov ecx, dword ptr [ebp - 4] // c1e908 | shr ecx, 8 // 8955e8 | mov dword ptr [ebp - 0x18], edx // 0fb6d1 | movzx edx, cl $sequence_6 = { 8bec 837d0c00 764c e8???????? 0fb6c0 85c0 } // n = 6, score = 100 // 8bec | mov ebp, esp // 837d0c00 | cmp dword ptr [ebp + 0xc], 0 // 764c | jbe 0x4e // e8???????? | // 0fb6c0 | movzx eax, al // 85c0 | test eax, eax $sequence_7 = { 6a00 8b856cffffff 50 8b8d68ffffff 51 8b55bc 52 } // n = 7, score = 100 // 6a00 | push 0 // 8b856cffffff | mov eax, dword ptr [ebp - 0x94] // 50 | push eax // 8b8d68ffffff | mov ecx, dword ptr [ebp - 0x98] // 51 | push ecx // 8b55bc | mov edx, dword ptr [ebp - 0x44] // 52 | push edx $sequence_8 = { c78530e6ffff5cc54300 c78534e6ffff68c54300 c78538e6ffff70c54300 c7853ce6ffff78c54300 c78540e6ffff88c54300 c78544e6ffff90c54300 c78548e6ffffa0c54300 } // n = 7, score = 100 // c78530e6ffff5cc54300 | mov dword ptr [ebp - 0x19d0], 0x43c55c // c78534e6ffff68c54300 | mov dword ptr [ebp - 0x19cc], 0x43c568 // c78538e6ffff70c54300 | mov dword ptr [ebp - 0x19c8], 0x43c570 // c7853ce6ffff78c54300 | mov dword ptr [ebp - 0x19c4], 0x43c578 // c78540e6ffff88c54300 | mov dword ptr [ebp - 0x19c0], 0x43c588 // c78544e6ffff90c54300 | mov dword ptr [ebp - 0x19bc], 0x43c590 // c78548e6ffffa0c54300 | mov dword ptr [ebp - 0x19b8], 0x43c5a0 $sequence_9 = { 33d2 034dc8 1355cc 894dc8 8955cc e9???????? 8b45dc } // n = 7, score = 100 // 33d2 | xor edx, edx // 034dc8 | add ecx, dword ptr [ebp - 0x38] // 1355cc | adc edx, dword ptr [ebp - 0x34] // 894dc8 | mov dword ptr [ebp - 0x38], ecx // 8955cc | mov dword ptr [ebp - 0x34], edx // e9???????? | // 8b45dc | mov eax, dword ptr [ebp - 0x24] condition: 7 of them and filesize < 661504 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY