win.mozart

mozart


According to PCrisk, Mozart is malicious software that allows attackers (cyber criminals) to execute various commands on an infected computer through the DNS protocol. This communication method helps cyber criminals to avoid detection by security software. Mozart is categorized as a malware loader and executes commands that cause the download and installation of further malicious software. Note that the reference and the win_mozart_w0 rule listed below describe a 2015 Mozart POS RAM-scraping utility; the DNS-based loader summary and the RAM-scraper material should not be assumed to refer to the same code base.

References
2015-01-11 — Security Kitten Blog — Nick Hoffman
The Mozart RAM Scraper
mozart
Yara Rules
[TLP:WHITE] win_mozart_auto (20230808 | Detects win.mozart.)
rule win_mozart_auto {
    // Auto-generated code-sequence rule for win.mozart (see the DISCLAIMER
    // below): each $sequence_N is a short run of x86 opcodes lifted from the
    // disassembly of unpacked samples / memory dumps, and the rule fires when
    // enough of those runs co-occur in a sufficiently small file.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.mozart."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: "n" is the number of instructions in the
        // sequence and "score" is the generator's selection score. The ????????
        // wildcards stand in for the operand bytes of calls and absolute memory
        // references (e8 / a1 / 8b0d / 668b15 below), which vary between builds
        // and are therefore not matched literally.
        $sequence_0 = { 7c26 80fb39 7f21 885c3418 46 }
            // n = 5, score = 200
            //   7c26                 | jl                  0x28
            //   80fb39               | cmp                 bl, 0x39
            //   7f21                 | jg                  0x23
            //   885c3418             | mov                 byte ptr [esp + esi + 0x18], bl
            //   46                   | inc                 esi

        $sequence_1 = { 66ab e8???????? 8d44242c 50 e8???????? 8d8c2430010000 51 }
            // n = 7, score = 200
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   e8????????           |                     
            //   8d44242c             | lea                 eax, [esp + 0x2c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8c2430010000       | lea                 ecx, [esp + 0x130]
            //   51                   | push                ecx

        // $sequence_2 and $sequence_5 both index a table at 0x40dbc0 with
        // "(reg & 0x1f) << 3"; the absolute address is matched literally here,
        // so these two sequences are tied to this particular image base/layout.
        $sequence_2 = { c1f805 8d1c85c0db4000 8b03 8bf1 83e61f c1e603 8a443004 }
            // n = 7, score = 200
            //   c1f805               | sar                 eax, 5
            //   8d1c85c0db4000       | lea                 ebx, [eax*4 + 0x40dbc0]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8bf1                 | mov                 esi, ecx
            //   83e61f               | and                 esi, 0x1f
            //   c1e603               | shl                 esi, 3
            //   8a443004             | mov                 al, byte ptr [eax + esi + 4]

        $sequence_3 = { 49 7438 49 7471 c1e006 0bc7 }
            // n = 6, score = 200
            //   49                   | dec                 ecx
            //   7438                 | je                  0x3a
            //   49                   | dec                 ecx
            //   7471                 | je                  0x73
            //   c1e006               | shl                 eax, 6
            //   0bc7                 | or                  eax, edi

        // Function prologue with a 16-byte aligned 0x220-byte stack frame,
        // followed by three wildcarded absolute loads.
        $sequence_4 = { 55 8bec 83e4f8 81ec20020000 a1???????? 8b0d???????? 668b15???????? }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ec20020000         | sub                 esp, 0x220
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   668b15????????       |                     

        $sequence_5 = { 8bf0 83e61f 8d3c8dc0db4000 8b0f c1e603 f644310401 7455 }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   83e61f               | and                 esi, 0x1f
            //   8d3c8dc0db4000       | lea                 edi, [ecx*4 + 0x40dbc0]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   c1e603               | shl                 esi, 3
            //   f644310401           | test                byte ptr [ecx + esi + 4], 1
            //   7455                 | je                  0x57

        // Inline strlen-style scan (load byte, advance, loop until NUL).
        $sequence_6 = { 8a08 40 84c9 75f9 8b8c2420100000 }
            // n = 5, score = 200
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f9                 | jne                 0xfffffffb
            //   8b8c2420100000       | mov                 ecx, dword ptr [esp + 0x1020]

        $sequence_7 = { 2bc7 3bf0 7202 33f6 8bc5 43 42 }
            // n = 7, score = 200
            //   2bc7                 | sub                 eax, edi
            //   3bf0                 | cmp                 esi, eax
            //   7202                 | jb                  4
            //   33f6                 | xor                 esi, esi
            //   8bc5                 | mov                 eax, ebp
            //   43                   | inc                 ebx
            //   42                   | inc                 edx

        $sequence_8 = { 8b0a 83c502 3be9 7728 }
            // n = 4, score = 200
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   83c502               | add                 ebp, 2
            //   3be9                 | cmp                 ebp, ecx
            //   7728                 | ja                  0x2a

        $sequence_9 = { 751a 84c0 7426 8b5608 47 }
            // n = 5, score = 200
            //   751a                 | jne                 0x1c
            //   84c0                 | test                al, al
            //   7426                 | je                  0x28
            //   8b5608               | mov                 edx, dword ptr [esi + 8]
            //   47                   | inc                 edi

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be under 112 KiB (114688 bytes). filesize is only
        // meaningful when scanning files, so the size bound does not act as
        // a filter for process-memory scans; treat results there accordingly.
        7 of them and filesize < 114688
}
[TLP:WHITE] win_mozart_w0   (20180125 | Detects samples of the Mozart POS RAM scraping utility)
rule win_mozart_w0 {
    // Hand-written rule for the Mozart POS RAM-scraping utility. It matches on
    // any one of three build/runtime artifacts (debug symbol path, output file
    // name, encoding routine opcodes), or on the pair of NCR service name
    // strings appearing together.
    meta:
        author = "Nick Hoffman"
        description = "Detects samples of the Mozart POS RAM scraping utility"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart"
        malpedia_version = "20180125"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Debug symbol path embedded by the build; matched in either encoding
        // and case-insensitively.
        $pdb = "z:\\Slender\\mozart\\mozart\\Release\\mozart.pdb" nocase wide ascii
        // NUL-terminated output file name "garbage.tmp", spelled as a text
        // string; it matches exactly the byte run 67 61 72 62 61 67 65 2E 74 6D 70 00.
        $output = "garbage.tmp\x00"
        // Service display name and short name.
        // NOTE(review): $service_name_short carries no wide/ascii modifiers and
        // so only matches ASCII, whereas $service_name also accepts UTF-16;
        // confirm that asymmetry is intentional before relying on the
        // service-name branch of the condition.
        $service_name = "NCR SelfServ Platform Remote Monitor" nocase wide ascii
        $service_name_short = "NCR_RemoteMonitor"
        // Opcode pattern of the data-encoding routine; ?? bytes wildcard
        // call targets, absolute addresses and short jump displacements.
        $encode_data = {B8 08 10 00 00 E8 ?? ?? ?? ?? A1 ?? ?? ?? ?? 53 55 8B AC 24 14 10 00 00 89 84 24 0C 10 00 00 56 8B C5 33 F6 33 DB 8D 50 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C2 89 44 24 0C ?? ?? 8B 94 24 1C 10 00 00 57 8B FD 2B FA 89 7C 24 10 ?? ?? 8B 7C 24 10 8A 04 17 02 86 E0 BA 40 00 88 02 B8 ?? ?? ?? ?? 46 8D 78 01 8D A4 24 00 00 00 00 8A 08 40 84 C9 ?? ?? 2B C7 3B F0 ?? ?? 33 F6 8B C5 43 42 8D 78 01 8A 08 40 84 C9 ?? ?? 2B C7 3B D8 ?? ?? 5F 8B B4 24 1C 10 00 00 8B C5 C6 04 33 00 8D 50 01 8A 08 40 84 C9 ?? ?? 8B 8C 24 20 10 00 00 2B C2 51 8D 54 24 14 52 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B D6 5E 8D 44 24 0C 8B C8 5D 2B D1 5B 8A 08 88 0C 02 40 84 C9 ?? ?? 8B 8C 24 04 10 00 00 E8 ?? ?? ?? ?? 81 C4 08 10 00 00}
    condition:
        // Any single artifact string is sufficient; the service-name branch
        // requires both of its strings.
        $pdb or $output or $encode_data or
        ($service_name and $service_name_short)
}