Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.
rule win_olympic_destroyer_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 56 33c0 89542414 57 } // n = 4, score = 200 // 56 | push esi // 33c0 | xor eax, eax // 89542414 | mov dword ptr [esp + 0x14], edx // 57 | push edi $sequence_1 = { 8bd8 83c404 85db 751c ff74240c ba01000000 } // n = 6, score = 100 // 8bd8 | mov ebx, eax // 83c404 | add esp, 4 // 85db | test ebx, ebx // 751c | jne 0x1e // ff74240c | push dword ptr [esp + 0xc] // ba01000000 | mov edx, 1 $sequence_2 = { 53 ff15???????? 85c0 7434 8b85e4efffff } // n = 5, score = 100 // 53 | push ebx // ff15???????? | // 85c0 | test eax, eax // 7434 | je 0x36 // 8b85e4efffff | mov eax, dword ptr [ebp - 0x101c] $sequence_3 = { 8b81b8a95500 8b1406 85d2 7455 668b81c0a95500 662b81bca95500 6603c2 } // n = 7, score = 100 // 8b81b8a95500 | mov eax, dword ptr [ecx + 0x55a9b8] // 8b1406 | mov edx, dword ptr [esi + eax] // 85d2 | test edx, edx // 7455 | je 0x57 // 668b81c0a95500 | mov ax, word ptr [ecx + 0x55a9c0] // 662b81bca95500 | sub ax, word ptr [ecx + 0x55a9bc] // 6603c2 | add ax, dx $sequence_4 = { 8d4dfc 51 56 56 6a03 683f010000 50 } // n = 7, score = 100 // 8d4dfc | lea ecx, [ebp - 4] // 51 | push ecx // 56 | push esi // 56 | push esi // 6a03 | push 3 // 683f010000 | push 0x13f // 50 | push eax $sequence_5 = { 6bc030 59 59 0304b560ee5500 eb02 8bc3 } // n = 6, score = 100 // 6bc030 | imul eax, eax, 0x30 // 59 | pop ecx // 59 | pop ecx // 0304b560ee5500 | add eax, dword ptr [esi*4 + 0x55ee60] // eb02 | jmp 4 // 8bc3 | mov eax, ebx $sequence_6 = { 6a03 56 56 6800000040 50 89b5f8efffff } // n = 6, score = 100 // 6a03 | push 3 // 56 | push esi // 56 | push esi // 6800000040 | push 0x40000000 // 50 | push eax // 89b5f8efffff | mov dword ptr [ebp - 0x1008], esi $sequence_7 = { 57 8d4ddc 51 8d4df4 51 8d4dfc } // n = 6, score = 100 // 57 | push edi // 8d4ddc | lea ecx, [ebp - 0x24] // 51 | push ecx // 8d4df4 | lea ecx, [ebp - 0xc] // 51 | push ecx // 8d4dfc | lea ecx, [ebp - 4] $sequence_8 = { 42 83c014 3b9688000000 7ce3 c7470400000000 ff4704 8b4708 } // n = 7, score = 100 // 42 | inc edx // 83c014 | add eax, 0x14 // 3b9688000000 | cmp edx, dword ptr [esi + 0x88] // 7ce3 | jl 0xffffffe5 // c7470400000000 | mov dword ptr [edi + 4], 0 // ff4704 | inc dword ptr [edi + 4] // 8b4708 | mov eax, dword ptr [edi + 8] $sequence_9 = { 50 ffd3 8b7608 8bf8 8b44245c 83ee08 83c00c } // n = 7, score = 100 // 50 | push eax // ffd3 | call ebx // 8b7608 | mov esi, dword ptr [esi + 8] // 8bf8 | mov edi, eax // 8b44245c | mov eax, dword ptr [esp + 0x5c] // 83ee08 | sub esi, 8 // 83c00c | add eax, 0xc $sequence_10 = { 89442410 85c0 7438 8d4508 8bd7 } // n = 5, score = 100 // 89442410 | mov dword ptr [esp + 0x10], eax // 85c0 | test eax, eax // 7438 | je 0x3a // 8d4508 | lea eax, [ebp + 8] // 8bd7 | mov edx, edi $sequence_11 = { 750f 837e3800 750f 8bd6 8bcb } // n = 5, score = 100 // 750f | jne 0x11 // 837e3800 | cmp dword ptr [esi + 0x38], 0 // 750f | jne 0x11 // 8bd6 | mov edx, esi // 8bcb | mov ecx, ebx $sequence_12 = { 7316 8b811c010000 8906 ff8908010000 89b11c010000 5e } // n = 6, score = 100 // 7316 | jae 0x18 // 8b811c010000 | mov eax, dword ptr [ecx + 0x11c] // 8906 | mov dword ptr [esi], eax // ff8908010000 | dec dword ptr [ecx + 0x108] // 89b11c010000 | mov dword ptr [ecx + 0x11c], esi // 5e | pop esi $sequence_13 = { 8d0cbf 8b4658 c704880d000000 c744880400000000 c744880800000000 c744880c00000000 c744881000000000 } // n = 7, score = 100 // 8d0cbf | lea ecx, [edi + edi*4] // 8b4658 | mov eax, dword ptr [esi + 0x58] // c704880d000000 | mov dword ptr [eax + ecx*4], 0xd // c744880400000000 | mov dword ptr [eax + ecx*4 + 4], 0 // c744880800000000 | mov dword ptr [eax + ecx*4 + 8], 0 // c744880c00000000 | mov dword ptr [eax + ecx*4 + 0xc], 0 // c744881000000000 | mov dword ptr [eax + ecx*4 + 0x10], 0 $sequence_14 = { 57 8d44241c 50 ff7508 33ff } // n = 5, score = 100 // 57 | push edi // 8d44241c | lea eax, [esp + 0x1c] // 50 | push eax // ff7508 | push dword ptr [ebp + 8] // 33ff | xor edi, edi $sequence_15 = { 8b0402 89842488000000 8b0411 8984248c000000 8b441104 89842490000000 8b4728 } // n = 7, score = 100 // 8b0402 | mov eax, dword ptr [edx + eax] // 89842488000000 | mov dword ptr [esp + 0x88], eax // 8b0411 | mov eax, dword ptr [ecx + edx] // 8984248c000000 | mov dword ptr [esp + 0x8c], eax // 8b441104 | mov eax, dword ptr [ecx + edx + 4] // 89842490000000 | mov dword ptr [esp + 0x90], eax // 8b4728 | mov eax, dword ptr [edi + 0x28] $sequence_16 = { 8b4004 8b4020 894508 89460c 8b45f8 895618 } // n = 6, score = 100 // 8b4004 | mov eax, dword ptr [eax + 4] // 8b4020 | mov eax, dword ptr [eax + 0x20] // 894508 | mov dword ptr [ebp + 8], eax // 89460c | mov dword ptr [esi + 0xc], eax // 8b45f8 | mov eax, dword ptr [ebp - 8] // 895618 | mov dword ptr [esi + 0x18], edx $sequence_17 = { 8d85f8efffff 56 50 8bd9 89b5e4efffff 89b5f0efffff 89b5f4efffff } // n = 7, score = 100 // 8d85f8efffff | lea eax, [ebp - 0x1008] // 56 | push esi // 50 | push eax // 8bd9 | mov ebx, ecx // 89b5e4efffff | mov dword ptr [ebp - 0x101c], esi // 89b5f0efffff | mov dword ptr [ebp - 0x1010], esi // 89b5f4efffff | mov dword ptr [ebp - 0x100c], esi $sequence_18 = { 7515 8b45fc 817848f8d45500 7409 ff7048 } // n = 5, score = 100 // 7515 | jne 0x17 // 8b45fc | mov eax, dword ptr [ebp - 4] // 817848f8d45500 | cmp dword ptr [eax + 0x48], 0x55d4f8 // 7409 | je 0xb // ff7048 | push dword ptr [eax + 0x48] $sequence_19 = { ba12000000 8bce e8???????? 83c40c eb32 8b7c2430 8d4101 } // n = 7, score = 100 // ba12000000 | mov edx, 0x12 // 8bce | mov ecx, esi // e8???????? | // 83c40c | add esp, 0xc // eb32 | jmp 0x34 // 8b7c2430 | mov edi, dword ptr [esp + 0x30] // 8d4101 | lea eax, [ecx + 1] $sequence_20 = { 8b442420 ff7004 ff30 e8???????? 83c41c b9ffffffff } // n = 6, score = 100 // 8b442420 | mov eax, dword ptr [esp + 0x20] // ff7004 | push dword ptr [eax + 4] // ff30 | push dword ptr [eax] // e8???????? | // 83c41c | add esp, 0x1c // b9ffffffff | mov ecx, 0xffffffff $sequence_21 = { 81f900100000 7605 b900100000 56 8d85e4efffff 50 51 } // n = 7, score = 100 // 81f900100000 | cmp ecx, 0x1000 // 7605 | jbe 7 // b900100000 | mov ecx, 0x1000 // 56 | push esi // 8d85e4efffff | lea eax, [ebp - 0x101c] // 50 | push eax // 51 | push ecx $sequence_22 = { ffb590f9ffff ffd3 f68594f9ffff10 743b 8b3d???????? 68???????? } // n = 6, score = 100 // ffb590f9ffff | push dword ptr [ebp - 0x670] // ffd3 | call ebx // f68594f9ffff10 | test byte ptr [ebp - 0x66c], 0x10 // 743b | je 0x3d // 8b3d???????? | // 68???????? | condition: 7 of them and filesize < 1392640 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY