There is no description at this point.
// Auto-generated detection rule for the win.mmon family (Malpedia).
//
// Contract: the rule fires when at least 7 of the 10 code-sequence
// patterns below are present and the scanned object is smaller than
// 348 KiB (356352 bytes). Each pattern is a run of x86 instruction
// bytes lifted from disassembly; the "??" bytes mask operand positions
// (presumably call targets / address immediates, given the
// "callsandjumps;datarefs" generator config) so the pattern survives
// relocation.
//
// Reviewer notes (patterns left exactly as generated):
//  * The disclaimer states the strings come from memory dumps and
//    unpacked files, so expect reduced coverage on packed samples on disk.
//  * $sequence_2's disassembly (int 0x40, add byte ptr with an 8-byte
//    displacement, ror with a large negative offset) reads like data rather
//    than code; treat its contribution to "7 of them" with that in mind.
//  * $sequence_6 embeds the absolute address 0x426a60, which is
//    image-base specific.
rule win_mmon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.mmon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mmon"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 7, score = 100
        $sequence_0 = { 83feff 7e5b eb03 8b5508 0fbe1416 52 e8???????? }
            // 83feff          | cmp   esi, -1
            // 7e5b            | jle   0x5d
            // eb03            | jmp   5
            // 8b5508          | mov   edx, dword ptr [ebp + 8]
            // 0fbe1416        | movsx edx, byte ptr [esi + edx]
            // 52              | push  edx
            // e8????????      | (call, target masked)

        // n = 6, score = 100
        $sequence_1 = { 3975e4 7303 8d45d0 8b8d54ffffff 8b11 8910 }
            // 3975e4          | cmp   dword ptr [ebp - 0x1c], esi
            // 7303            | jae   5
            // 8d45d0          | lea   eax, [ebp - 0x30]
            // 8b8d54ffffff    | mov   ecx, dword ptr [ebp - 0xac]
            // 8b11            | mov   edx, dword ptr [ecx]
            // 8910            | mov   dword ptr [eax], edx

        // n = 6, score = 100
        // NOTE(review): generator disassembly below looks like data bytes, not code.
        $sequence_2 = { 40 cd40 0064cd40 008ccd40008a46 0323 d188470383ee }
            // 40              | inc   eax
            // cd40            | int   0x40
            // 0064cd40        | add   byte ptr [ebp + ecx*8 + 0x40], ah
            // 008ccd40008a46  | add   byte ptr [ebp + ecx*8 + 0x468a0040], cl
            // 0323            | add   esp, dword ptr [ebx]
            // d188470383ee    | ror   dword ptr [eax - 0x117cfcb9], 1

        // n = 5, score = 100
        $sequence_3 = { 899554ffffff 898548ffffff 8d642400 8a07 3c30 }
            // 899554ffffff    | mov   dword ptr [ebp - 0xac], edx
            // 898548ffffff    | mov   dword ptr [ebp - 0xb8], eax
            // 8d642400        | lea   esp, [esp]
            // 8a07            | mov   al, byte ptr [edi]
            // 3c30            | cmp   al, 0x30

        // n = 6, score = 100
        $sequence_4 = { 50 ff15???????? ffd6 50 e8???????? 8b44241c }
            // 50              | push  eax
            // ff15????????    | (indirect call, address masked)
            // ffd6            | call  esi
            // 50              | push  eax
            // e8????????      | (call, target masked)
            // 8b44241c        | mov   eax, dword ptr [esp + 0x1c]

        // n = 4, score = 100
        $sequence_5 = { 8b17 68???????? 51 52 }
            // 8b17            | mov   edx, dword ptr [edi]
            // 68????????      | (push imm32, value masked)
            // 51              | push  ecx
            // 52              | push  edx

        // n = 7, score = 100
        // NOTE(review): absolute address 0x426a60 ties this pattern to one image base.
        $sequence_6 = { ebd2 8bc3 c1f805 8d3c85606a4200 8bf3 83e61f c1e606 }
            // ebd2            | jmp   0xffffffd4
            // 8bc3            | mov   eax, ebx
            // c1f805          | sar   eax, 5
            // 8d3c85606a4200  | lea   edi, [eax*4 + 0x426a60]
            // 8bf3            | mov   esi, ebx
            // 83e61f          | and   esi, 0x1f
            // c1e606          | shl   esi, 6

        // n = 6, score = 100
        $sequence_7 = { c7854cffffff00000000 b801000000 018554ffffff 018548ffffff 03f8 3bbd50ffffff }
            // c7854cffffff00000000 | mov dword ptr [ebp - 0xb4], 0
            // b801000000      | mov   eax, 1
            // 018554ffffff    | add   dword ptr [ebp - 0xac], eax
            // 018548ffffff    | add   dword ptr [ebp - 0xb8], eax
            // 03f8            | add   edi, eax
            // 3bbd50ffffff    | cmp   edi, dword ptr [ebp - 0xb0]

        // n = 4, score = 100
        $sequence_8 = { 8b0d???????? 85c9 7406 8b55ec }
            // 8b0d????????    | (mov ecx, [mem], address masked)
            // 85c9            | test  ecx, ecx
            // 7406            | je    8
            // 8b55ec          | mov   edx, dword ptr [ebp - 0x14]

        // n = 7, score = 100
        $sequence_9 = { 6a00 8bf1 c745d000000000 ff15???????? 8bf8 33c0 4f }
            // 6a00            | push  0
            // 8bf1            | mov   esi, ecx
            // c745d000000000  | mov   dword ptr [ebp - 0x30], 0
            // ff15????????    | (indirect call, address masked)
            // 8bf8            | mov   edi, eax
            // 33c0            | xor   eax, eax
            // 4f              | dec   edi

    condition:
        // All declared strings are $sequence_*, so this is the same set as "them".
        // 348KB == 348 * 1024 == 356352 bytes.
        7 of ($sequence_*) and filesize < 348KB
}