There is no description at this point.
rule win_nagini_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.nagini." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0131 1f 0031 1f 003422 0337 } // n = 6, score = 100 // 0131 | add dword ptr [ecx], esi // 1f | pop ds // 0031 | add byte ptr [ecx], dh // 1f | pop ds // 003422 | add byte ptr [edx], dh // 0337 | add esi, dword ptr [edi] $sequence_1 = { a3???????? eb18 6a00 6a00 6a00 6a00 } // n = 6, score = 100 // a3???????? | // eb18 | jmp 0x1a // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 $sequence_2 = { 83c408 85c0 0f8510010000 837c242808 8d442414 68???????? } // n = 6, score = 100 // 83c408 | add esp, 8 // 85c0 | test eax, eax // 0f8510010000 | jne 0x116 // 837c242808 | cmp dword ptr [esp + 0x28], 8 // 8d442414 | lea eax, [esp + 0x14] // 68???????? | $sequence_3 = { 3422 0536240538 27 06 37 260537260535 230434 } // n = 7, score = 100 // 3422 | xor al, 0x22 // 0536240538 | add eax, 0x38052436 // 27 | daa // 06 | push es // 37 | aaa // 260537260535 | add eax, 0x35052637 // 230434 | and eax, dword ptr [esp + esi] $sequence_4 = { 0a06 1408 0412 06 } // n = 4, score = 100 // 0a06 | or al, byte ptr [esi] // 1408 | adc al, 8 // 0412 | add al, 0x12 // 06 | push es $sequence_5 = { 720e 4e 42 0fb606 80b87081420000 74e9 8b5ddc } // n = 7, score = 100 // 720e | jb 0x10 // 4e | dec esi // 42 | inc edx // 0fb606 | movzx eax, byte ptr [esi] // 80b87081420000 | cmp byte ptr [eax + 0x428170], 0 // 74e9 | je 0xffffffeb // 8b5ddc | mov ebx, dword ptr [ebp - 0x24] $sequence_6 = { 668944246c a0???????? 8844246e 8a4701 8d7f01 } // n = 5, score = 100 // 668944246c | mov word ptr [esp + 0x6c], ax // a0???????? | // 8844246e | mov byte ptr [esp + 0x6e], al // 8a4701 | mov al, byte ptr [edi + 1] // 8d7f01 | lea edi, [edi + 1] $sequence_7 = { 6689442444 0f8238020000 ff74242c e8???????? 83c404 e9???????? } // n = 6, score = 100 // 6689442444 | mov word ptr [esp + 0x44], ax // 0f8238020000 | jb 0x23e // ff74242c | push dword ptr [esp + 0x2c] // e8???????? | // 83c404 | add esp, 4 // e9???????? | $sequence_8 = { 0f835ffbffff 03f3 03d3 83fb1f 0f8715040000 ff249da0c64000 } // n = 6, score = 100 // 0f835ffbffff | jae 0xfffffb65 // 03f3 | add esi, ebx // 03d3 | add edx, ebx // 83fb1f | cmp ebx, 0x1f // 0f8715040000 | ja 0x41b // ff249da0c64000 | jmp dword ptr [ebx*4 + 0x40c6a0] $sequence_9 = { b3ac 98 b7b0 9c } // n = 4, score = 100 // b3ac | mov bl, 0xac // 98 | cwde // b7b0 | mov bh, 0xb0 // 9c | pushfd condition: 7 of them and filesize < 12820480 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY