There is no description at this point.
rule win_mokes_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-11-21" version = "1" description = "Detects win.mokes." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes" malpedia_rule_date = "20221118" malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af" malpedia_version = "20221125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff742424 ff15???????? 8bf8 885e11 85ff 7442 0fb7742418 } // n = 7, score = 400 // ff742424 | push dword ptr [esp + 0x24] // ff15???????? | // 8bf8 | mov edi, eax // 885e11 | mov byte ptr [esi + 0x11], bl // 85ff | test edi, edi // 7442 | je 0x44 // 0fb7742418 | movzx esi, word ptr [esp + 0x18] $sequence_1 = { ff5014 85c0 741d 8b06 8d4c2404 51 56 } // n = 7, score = 400 // ff5014 | call dword ptr [eax + 0x14] // 85c0 | test eax, eax // 741d | je 0x1f // 8b06 | mov eax, dword ptr [esi] // 8d4c2404 | lea ecx, [esp + 4] // 51 | push ecx // 56 | push esi $sequence_2 = { f6c310 741b 8b44243c 83e3ef 8bcf f00fc108 750c } // n = 7, score = 400 // f6c310 | test bl, 0x10 // 741b | je 0x1d // 8b44243c | mov eax, dword ptr [esp + 0x3c] // 83e3ef | and ebx, 0xffffffef // 8bcf | mov ecx, edi // f00fc108 | lock xadd dword ptr [eax], ecx // 750c | jne 0xe $sequence_3 = { f6460804 7445 8d442410 8bcb 50 e8???????? 8b0e } // n = 7, score = 400 // f6460804 | test byte ptr [esi + 8], 4 // 7445 | je 0x47 // 8d442410 | lea eax, [esp + 0x10] // 8bcb | mov ecx, ebx // 50 | push eax // e8???????? | // 8b0e | mov ecx, dword ptr [esi] $sequence_4 = { ff5208 8b460c 43 8b4e08 2bc1 3bd8 7ce3 } // n = 7, score = 400 // ff5208 | call dword ptr [edx + 8] // 8b460c | mov eax, dword ptr [esi + 0xc] // 43 | inc ebx // 8b4e08 | mov ecx, dword ptr [esi + 8] // 2bc1 | sub eax, ecx // 3bd8 | cmp ebx, eax // 7ce3 | jl 0xffffffe5 $sequence_5 = { ff742410 e8???????? 8d4c2408 e8???????? 8bc7 5f 5e } // n = 7, score = 400 // ff742410 | push dword ptr [esp + 0x10] // e8???????? | // 8d4c2408 | lea ecx, [esp + 8] // e8???????? | // 8bc7 | mov eax, edi // 5f | pop edi // 5e | pop esi $sequence_6 = { ff742418 8d44245c 50 8b422c ffd0 f30f6f00 f30f7f442420 } // n = 7, score = 400 // ff742418 | push dword ptr [esp + 0x18] // 8d44245c | lea eax, [esp + 0x5c] // 50 | push eax // 8b422c | mov eax, dword ptr [edx + 0x2c] // ffd0 | call eax // f30f6f00 | movdqu xmm0, xmmword ptr [eax] // f30f7f442420 | movdqu xmmword ptr [esp + 0x20], xmm0 $sequence_7 = { f6c201 7424 83e2fe 89542424 85ff 7419 83c8ff } // n = 7, score = 400 // f6c201 | test dl, 1 // 7424 | je 0x26 // 83e2fe | and edx, 0xfffffffe // 89542424 | mov dword ptr [esp + 0x24], edx // 85ff | test edi, edi // 7419 | je 0x1b // 83c8ff | or eax, 0xffffffff $sequence_8 = { f20f11442418 f20f104310 f20f11442420 f20f104308 f20f11442428 e8???????? f20f104c2428 } // n = 7, score = 400 // f20f11442418 | movsd qword ptr [esp + 0x18], xmm0 // f20f104310 | movsd xmm0, qword ptr [ebx + 0x10] // f20f11442420 | movsd qword ptr [esp + 0x20], xmm0 // f20f104308 | movsd xmm0, qword ptr [ebx + 8] // f20f11442428 | movsd qword ptr [esp + 0x28], xmm0 // e8???????? | // f20f104c2428 | movsd xmm1, qword ptr [esp + 0x28] $sequence_9 = { f60080 7543 8d4e08 c744243000000000 e8???????? 8b0d???????? 33d2 } // n = 7, score = 400 // f60080 | test byte ptr [eax], 0x80 // 7543 | jne 0x45 // 8d4e08 | lea ecx, [esi + 8] // c744243000000000 | mov dword ptr [esp + 0x30], 0 // e8???????? | // 8b0d???????? | // 33d2 | xor edx, edx condition: 7 of them and filesize < 18505728 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY