win.nikihttp

NikiHTTP

Actor(s): Kimsuky


NikiHTTP is a versatile backdoor with multiple capabilities, such as downloading files, executing them, running commands, taking screenshots, and so on.

References
2025-05-15 — EST Security (Alyac)
Beware of Backdoor Malware being Distributed by Exploiting Legitimate Certificates!
NikiHTTP
2024-06-19 — BartBlaze, Nguyen Nguyen
New North Korean based backdoor packs a punch
NikiHTTP
2024-06-06 — Blackberry (Dmitry Melikov)
Kimsuky is targeting an arms manufacturer in Europe.
NikiHTTP
Yara Rules
[TLP:WHITE] win_nikihttp_auto (20260504 | Detects win.nikihttp.)
rule win_nikihttp_auto {

    /* Reviewer notes
     * - YARA evaluates only the hex byte sequences declared under `strings:`.
     *   The "| mnemonic" text printed after each sequence is a comment emitted
     *   by the generator and has no effect on matching.
     * - Those mnemonics do not appear to line up with the bytes they sit next to
     *   (e.g. `ba9ff636ca` is annotated as `arpl`, and several sequences contain
     *   a leading 0x48/0x41 byte rendered as `dec eax` / `inc ecx`, which looks
     *   like a 32-bit decoding of 64-bit REX-prefixed code such as
     *   `488d842493010000`). Treat the annotations as unreliable and re-check the
     *   bytes with your own disassembler before using them for triage or for
     *   hand-tuning this rule.
     * - `??` wildcards mask bytes the generator treats as relocatable; per
     *   `signator_config` below these are call/jump displacements and data
     *   references, so the surrounding opcode bytes still have to match exactly.
     * - `n` in each sequence comment is the number of instructions in the
     *   sequence; `score` is the generator's ranking metric for that sequence
     *   (all 100 here). Neither value is consulted by the `condition:`.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nikihttp."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nikihttp"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ba9ff636ca e9???????? c78424900000006f000000 898424c0000000 8b842490000000 038424c0000000 888424d1000000 }
            // n = 7, score = 100
            //   ba9ff636ca           | arpl                word ptr [esp + 0x14], ax
            //   e9????????           |                     
            //   c78424900000006f000000     | dec    eax
            //   898424c0000000       | imul                edx, eax, 0x4ec4ec4f
            //   8b842490000000       | dec                 eax
            //   038424c0000000       | mov                 esi, edx
            //   888424d1000000       | dec                 eax

        $sequence_1 = { 8b6c2440 40886906 c744245067000000 bdde57ec52 0f1f8000000000 81fdde57ec52 740a }
            // n = 7, score = 100
            //   8b6c2440             | dec                 eax
            //   40886906             | mov                 eax, dword ptr [ebp + 0x78]
            //   c744245067000000     | dec                 eax
            //   bdde57ec52           | mov                 ecx, dword ptr [ebp + 0x1f8]
            //   0f1f8000000000       | dec                 eax
            //   81fdde57ec52         | sub                 esp, 0x20
            //   740a                 | dec                 eax

        $sequence_2 = { eb07 b90e73818d ebe7 c785c000000069000000 c785e800000033000000 b94880ffaa 662e0f1f840000000000 }
            // n = 7, score = 100
            //   eb07                 | cmp                 esi, 0x770fa608
            //   b90e73818d           | je                  0x19e
            //   ebe7                 | cmp                 esi, 0x6c9dfa65
            //   c785c000000069000000     | je    0x1ff
            //   c785e800000033000000     | cmp    esi, 0xfb52a623
            //   b94880ffaa           | cmp                 esi, 0xed79c022
            //   662e0f1f840000000000     | jne    0x2b6

        $sequence_3 = { 8b05???????? 8d50ff 0fafd0 f6c201 bae2cac19b 410f44d1 833d????????0a }
            // n = 7, score = 100
            //   8b05????????         |                     
            //   8d50ff               | mov                 dword ptr [esi + 8], ebx
            //   0fafd0               | mov                 ebx, 0xfa6d805a
            //   f6c201               | dec                 eax
            //   bae2cac19b           | mov                 ebx, dword ptr [esp + 0x10]
            //   410f44d1             | dec                 eax
            //   833d????????0a       |                     

        $sequence_4 = { b97ce72407 662e0f1f840000000000 6690 81f921011b60 0f8488feffff 81f97ce72407 75ec }
            // n = 7, score = 100
            //   b97ce72407           | mov                 ecx, 0x7fac4fa5
            //   662e0f1f840000000000     | dec    eax
            //   6690                 | lea                 edi, [esp + 0x258]
            //   81f921011b60         | mov                 word ptr [esp + 0x46], ax
            //   0f8488feffff         | mov                 ecx, 0xe4b676eb
            //   81f97ce72407         | cmp                 ecx, 0xe84edbad
            //   75ec                 | je                  0x537

        $sequence_5 = { baeefaca92 eba1 88842448010000 8a842448010000 046f 88842492010000 488d842493010000 }
            // n = 7, score = 100
            //   baeefaca92           | movzx               ecx, byte ptr [ebp + 0xec]
            //   eba1                 | mov                 ebx, 0x8f01ddc2
            //   88842448010000       | jne                 0x38e
            //   8a842448010000       | movzx               eax, byte ptr [ebp + 0xec]
            //   046f                 | add                 al, 0x1b
            //   88842492010000       | mov                 ebx, esi
            //   488d842493010000     | jmp                 0x38e

        $sequence_6 = { e8???????? 884604 4889d9 b253 e8???????? 884605 4889d9 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   884604               | jg                  0x26e
            //   4889d9               | cmp                 ecx, 0xbb689c08
            //   b253                 | je                  0x362
            //   e8????????           |                     
            //   884605               | cmp                 ecx, 0xce38ed8c
            //   4889d9               | je                  0x2a2

        $sequence_7 = { bab24ff80a ebb3 c7859800000069000000 888588000000 8a8588000000 8b8d98000000 00c1 }
            // n = 7, score = 100
            //   bab24ff80a           | je                  0x4e3
            //   ebb3                 | cmp                 eax, 0xb3b17466
            //   c7859800000069000000     | jne    0x42a
            //   888588000000         | dec                 esp
            //   8a8588000000         | mov                 dword ptr [esp + 0x58], edi
            //   8b8d98000000         | dec                 eax
            //   00c1                 | mov                 esi, dword ptr [esp + 0x58]

        $sequence_8 = { bb5c2fdba5 b8d00d104b 41b8787aaae5 bae5e72c6e 0f1f4000 81fb777aaae5 7e28 }
            // n = 7, score = 100
            //   bb5c2fdba5           | nop                 
            //   b8d00d104b           | cmp                 edx, 0x67eead90
            //   41b8787aaae5         | je                  0x19f
            //   bae5e72c6e           | cmp                 edx, 0x332b6278
            //   0f1f4000             | jne                 0x1ce
            //   81fb777aaae5         | dec                 eax
            //   7e28                 | mov                 dword ptr [esp + 0x40], ecx

        $sequence_9 = { e9???????? 888424d0000000 8a8424d0000000 884706 488d5908 bae09a3ca6 0f1f4000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   888424d0000000       | cmp                 ebx, 0x51e6d515
            //   8a8424d0000000       | jne                 0x4f1
            //   884706               | mov                 dword ptr [esp + 0x64], 0x64
            //   488d5908             | mov                 ebx, 0x8c1fb0ff
            //   bae09a3ca6           | nop                 word ptr cs:[eax + eax]
            //   0f1f4000             | nop                 dword ptr [eax + eax]

    condition:
        // At least 7 of the 10 sequences must be present and the scanned object
        // must be smaller than 2543616 bytes (~2.4 MiB). The size cap presumably
        // reflects the generator's sample set, so larger (padded or repacked)
        // builds may be missed; and because the sequences were taken from
        // unpacked/memory-dumped code (see DISCLAIMER), packed on-disk samples
        // may not match until they are unpacked or scanned in memory.
        7 of them and filesize < 2543616
}