There is no description at this point.
rule win_mokes_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.mokes." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff7708 e8???????? 83c404 57 e8???????? 83c404 5f } // n = 7, score = 100 // ff7708 | push dword ptr [edi + 8] // e8???????? | // 83c404 | add esp, 4 // 57 | push edi // e8???????? | // 83c404 | add esp, 4 // 5f | pop edi $sequence_1 = { ff7648 ff15???????? 8d442414 50 8d4e4c e8???????? ff7648 } // n = 7, score = 100 // ff7648 | push dword ptr [esi + 0x48] // ff15???????? | // 8d442414 | lea eax, dword ptr [esp + 0x14] // 50 | push eax // 8d4e4c | lea ecx, dword ptr [esi + 0x4c] // e8???????? | // ff7648 | push dword ptr [esi + 0x48] $sequence_2 = { f30f6f4ef2 f30f6f1407 660f6fc2 660f60d3 660f68c3 660f75c8 f30f6f46e2 } // n = 7, score = 100 // f30f6f4ef2 | movdqu xmm1, xmmword ptr [esi - 0xe] // f30f6f1407 | movdqu xmm2, xmmword ptr [edi + eax] // 660f6fc2 | movdqa xmm0, xmm2 // 660f60d3 | punpcklbw xmm2, xmm3 // 660f68c3 | punpckhbw xmm0, xmm3 // 660f75c8 | pcmpeqw xmm1, xmm0 // f30f6f46e2 | movdqu xmm0, xmmword ptr [esi - 0x1e] $sequence_3 = { ff36 ffd5 83c408 84c0 7509 83c6fc 39742424 } // n = 7, score = 100 // ff36 | push dword ptr [esi] // ffd5 | call ebp // 83c408 | add esp, 8 // 84c0 | test al, al // 7509 | jne 0xb // 83c6fc | add esi, -4 // 39742424 | cmp dword ptr [esp + 0x24], esi $sequence_4 = { f784244c08000000020000 0f8494020000 8b842470080000 85c0 0f8485020000 8bf0 8d4900 } // n = 7, score = 100 // f784244c08000000020000 | test dword ptr [esp + 0x84c], 0x200 // 0f8494020000 | je 0x29a // 8b842470080000 | mov eax, dword ptr [esp + 0x870] // 85c0 | test eax, eax // 0f8485020000 | je 0x28b // 8bf0 | mov esi, eax // 8d4900 | lea ecx, dword ptr [ecx] $sequence_5 = { f20f5ccb 0f82db000000 660f28c1 f20f58c3 660f2fc5 0f86c9000000 660f28c2 } // n = 7, score = 100 // f20f5ccb | subsd xmm1, xmm3 // 0f82db000000 | jb 0xe1 // 660f28c1 | movapd xmm0, xmm1 // f20f58c3 | addsd xmm0, xmm3 // 660f2fc5 | comisd xmm0, xmm5 // 0f86c9000000 | jbe 0xcf // 660f28c2 | movapd xmm0, xmm2 $sequence_6 = { f20f114230 f20f104340 f20f114238 f20f104348 f20f114240 334350 83e01f } // n = 7, score = 100 // f20f114230 | movsd qword ptr [edx + 0x30], xmm0 // f20f104340 | movsd xmm0, qword ptr [ebx + 0x40] // f20f114238 | movsd qword ptr [edx + 0x38], xmm0 // f20f104348 | movsd xmm0, qword ptr [ebx + 0x48] // f20f114240 | movsd qword ptr [edx + 0x40], xmm0 // 334350 | xor eax, dword ptr [ebx + 0x50] // 83e01f | and eax, 0x1f $sequence_7 = { f20f59e6 f20f58f8 8944240c f20f11542430 0f28c2 f20f59c5 f20f114c2450 } // n = 7, score = 100 // f20f59e6 | mulsd xmm4, xmm6 // f20f58f8 | addsd xmm7, xmm0 // 8944240c | mov dword ptr [esp + 0xc], eax // f20f11542430 | movsd qword ptr [esp + 0x30], xmm2 // 0f28c2 | movaps xmm0, xmm2 // f20f59c5 | mulsd xmm0, xmm5 // f20f114c2450 | movsd qword ptr [esp + 0x50], xmm1 $sequence_8 = { f30f7f7c2474 f20f11442414 f20f116c241c f20f11742424 e8???????? f20f10542410 8d442408 } // n = 7, score = 100 // f30f7f7c2474 | movdqu xmmword ptr [esp + 0x74], xmm7 // f20f11442414 | movsd qword ptr [esp + 0x14], xmm0 // f20f116c241c | movsd qword ptr [esp + 0x1c], xmm5 // f20f11742424 | movsd qword ptr [esp + 0x24], xmm6 // e8???????? | // f20f10542410 | movsd xmm2, qword ptr [esp + 0x10] // 8d442408 | lea eax, dword ptr [esp + 8] $sequence_9 = { f20f2cf8 897c2414 85c0 0f84ce040000 f20f1005???????? 8d5604 89542410 } // n = 7, score = 100 // f20f2cf8 | cvttsd2si edi, xmm0 // 897c2414 | mov dword ptr [esp + 0x14], edi // 85c0 | test eax, eax // 0f84ce040000 | je 0x4d4 // f20f1005???????? | // 8d5604 | lea edx, dword ptr [esi + 4] // 89542410 | mov dword ptr [esp + 0x10], edx condition: 7 of them and filesize < 17990656 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY