Actor(s): Mirage
There is no description at this point.
rule win_mirage_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.mirage." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 3bf8 740a 8a17 88540dc8 41 } // n = 5, score = 200 // 3bf8 | cmp edi, eax // 740a | je 0xc // 8a17 | mov dl, byte ptr [edi] // 88540dc8 | mov byte ptr [ebp + ecx - 0x38], dl // 41 | inc ecx $sequence_1 = { 8bd8 ffd6 2bc7 bf???????? 85db } // n = 5, score = 200 // 8bd8 | mov ebx, eax // ffd6 | call esi // 2bc7 | sub eax, edi // bf???????? | // 85db | test ebx, ebx $sequence_2 = { 6801000080 ff15???????? 85c0 7556 } // n = 4, score = 200 // 6801000080 | push 0x80000001 // ff15???????? | // 85c0 | test eax, eax // 7556 | jne 0x58 $sequence_3 = { 834dfcff 8d8dd0fcffff e8???????? e9???????? bf1c810000 3bf7 } // n = 6, score = 200 // 834dfcff | or dword ptr [ebp - 4], 0xffffffff // 8d8dd0fcffff | lea ecx, dword ptr [ebp - 0x330] // e8???????? | // e9???????? | // bf1c810000 | mov edi, 0x811c // 3bf7 | cmp esi, edi $sequence_4 = { ff15???????? e9???????? 834e20ff 8d7e04 6a19 } // n = 5, score = 200 // ff15???????? | // e9???????? | // 834e20ff | or dword ptr [esi + 0x20], 0xffffffff // 8d7e04 | lea edi, dword ptr [esi + 4] // 6a19 | push 0x19 $sequence_5 = { 2b4514 894518 57 e8???????? 59 c605????????03 c6450805 } // n = 7, score = 200 // 2b4514 | sub eax, dword ptr [ebp + 0x14] // 894518 | mov dword ptr [ebp + 0x18], eax // 57 | push edi // e8???????? | // 59 | pop ecx // c605????????03 | // c6450805 | mov byte ptr [ebp + 8], 5 $sequence_6 = { 81ec3c090000 53 56 8bf1 } // n = 4, score = 200 // 81ec3c090000 | sub esp, 0x93c // 53 | push ebx // 56 | push esi // 8bf1 | mov esi, ecx $sequence_7 = { c1e814 40 5b a3???????? c9 } // n = 5, score = 200 // c1e814 | shr eax, 0x14 // 40 | inc eax // 5b | pop ebx // a3???????? | // c9 | leave $sequence_8 = { 6a07 50 68???????? e8???????? 83c418 } // n = 5, score = 200 // 6a07 | push 7 // 50 | push eax // 68???????? | // e8???????? | // 83c418 | add esp, 0x18 $sequence_9 = { 50 53 68???????? c745f804010000 ff75fc ff15???????? ff75fc } // n = 7, score = 200 // 50 | push eax // 53 | push ebx // 68???????? | // c745f804010000 | mov dword ptr [ebp - 8], 0x104 // ff75fc | push dword ptr [ebp - 4] // ff15???????? | // ff75fc | push dword ptr [ebp - 4] $sequence_10 = { ff15???????? 668365c000 6a09 59 } // n = 4, score = 100 // ff15???????? | // 668365c000 | and word ptr [ebp - 0x40], 0 // 6a09 | push 9 // 59 | pop ecx $sequence_11 = { 50 6800000080 c745cc0c000000 ff7508 8975d0 8945d4 ff15???????? } // n = 7, score = 100 // 50 | push eax // 6800000080 | push 0x80000000 // c745cc0c000000 | mov dword ptr [ebp - 0x34], 0xc // ff7508 | push dword ptr [ebp + 8] // 8975d0 | mov dword ptr [ebp - 0x30], esi // 8945d4 | mov dword ptr [ebp - 0x2c], eax // ff15???????? | $sequence_12 = { 85c0 a3???????? 747a 68???????? 56 } // n = 5, score = 100 // 85c0 | test eax, eax // a3???????? | // 747a | je 0x7c // 68???????? | // 56 | push esi $sequence_13 = { 7413 f685f8f5ffff10 740a 53 56 ff15???????? eb07 } // n = 7, score = 100 // 7413 | je 0x15 // f685f8f5ffff10 | test byte ptr [ebp - 0xa08], 0x10 // 740a | je 0xc // 53 | push ebx // 56 | push esi // ff15???????? | // eb07 | jmp 9 $sequence_14 = { ff15???????? 8d55f0 8365e800 52 8365f800 8d55f0 } // n = 6, score = 100 // ff15???????? | // 8d55f0 | lea edx, dword ptr [ebp - 0x10] // 8365e800 | and dword ptr [ebp - 0x18], 0 // 52 | push edx // 8365f800 | and dword ptr [ebp - 8], 0 // 8d55f0 | lea edx, dword ptr [ebp - 0x10] $sequence_15 = { 8d85f0e6ffff 57 50 8d8514f3ffff 6aff 50 53 } // n = 7, score = 100 // 8d85f0e6ffff | lea eax, dword ptr [ebp - 0x1910] // 57 | push edi // 50 | push eax // 8d8514f3ffff | lea eax, dword ptr [ebp - 0xcec] // 6aff | push -1 // 50 | push eax // 53 | push ebx condition: 7 of them and filesize < 1695744 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY