Ransomware.
rule win_phobos_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.phobos." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6aff ff7704 ff15???????? ff742418 ffd6 ff742410 e8???????? } // n = 7, score = 100 // 6aff | push -1 // ff7704 | push dword ptr [edi + 4] // ff15???????? | // ff742418 | push dword ptr [esp + 0x18] // ffd6 | call esi // ff742410 | push dword ptr [esp + 0x10] // e8???????? | $sequence_1 = { 8b0e 2bd0 52 8bd0 2bc1 2b4614 2bd1 } // n = 7, score = 100 // 8b0e | mov ecx, dword ptr [esi] // 2bd0 | sub edx, eax // 52 | push edx // 8bd0 | mov edx, eax // 2bc1 | sub eax, ecx // 2b4614 | sub eax, dword ptr [esi + 0x14] // 2bd1 | sub edx, ecx $sequence_2 = { 85c0 7405 83c002 5d c3 8b4508 5d } // n = 7, score = 100 // 85c0 | test eax, eax // 7405 | je 7 // 83c002 | add eax, 2 // 5d | pop ebp // c3 | ret // 8b4508 | mov eax, dword ptr [ebp + 8] // 5d | pop ebp $sequence_3 = { 8b7df8 eb1b 0fb707 6685c0 7418 e8???????? 663bd0 } // n = 7, score = 100 // 8b7df8 | mov edi, dword ptr [ebp - 8] // eb1b | jmp 0x1d // 0fb707 | movzx eax, word ptr [edi] // 6685c0 | test ax, ax // 7418 | je 0x1a // e8???????? | // 663bd0 | cmp dx, ax $sequence_4 = { 8d4701 99 2bc2 d1f8 8bd9 e8???????? 8bf0 } // n = 7, score = 100 // 8d4701 | lea eax, dword ptr [edi + 1] // 99 | cdq // 2bc2 | sub eax, edx // d1f8 | sar eax, 1 // 8bd9 | mov ebx, ecx // e8???????? | // 8bf0 | mov esi, eax $sequence_5 = { 743f 8d855cfdffff 8d8d4cfbffff e8???????? 85c0 8b45e8 7409 } // n = 7, score = 100 // 743f | je 0x41 // 8d855cfdffff | lea eax, dword ptr [ebp - 0x2a4] // 8d8d4cfbffff | lea ecx, dword ptr [ebp - 0x4b4] // e8???????? | // 85c0 | test eax, eax // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // 7409 | je 0xb $sequence_6 = { 74ee 8b36 53 ff15???????? 5f 8bc6 5e } // n = 7, score = 100 // 74ee | je 0xfffffff0 // 8b36 | mov esi, dword ptr [esi] // 53 | push ebx // ff15???????? | // 5f | pop edi // 8bc6 | mov eax, esi // 5e | pop esi $sequence_7 = { eb37 33ff eb33 8b06 } // n = 4, score = 100 // eb37 | jmp 0x39 // 33ff | xor edi, edi // eb33 | jmp 0x35 // 8b06 | mov eax, dword ptr [esi] $sequence_8 = { 8bf0 8d45f4 8945e8 8b450c 8d5df4 c745e464934000 897dec } // n = 7, score = 100 // 8bf0 | mov esi, eax // 8d45f4 | lea eax, dword ptr [ebp - 0xc] // 8945e8 | mov dword ptr [ebp - 0x18], eax // 8b450c | mov eax, dword ptr [ebp + 0xc] // 8d5df4 | lea ebx, dword ptr [ebp - 0xc] // c745e464934000 | mov dword ptr [ebp - 0x1c], 0x409364 // 897dec | mov dword ptr [ebp - 0x14], edi $sequence_9 = { 7409 c7450c0a000000 eb36 8a06 3c78 740d 3c58 } // n = 7, score = 100 // 7409 | je 0xb // c7450c0a000000 | mov dword ptr [ebp + 0xc], 0xa // eb36 | jmp 0x38 // 8a06 | mov al, byte ptr [esi] // 3c78 | cmp al, 0x78 // 740d | je 0xf // 3c58 | cmp al, 0x58 condition: 7 of them and filesize < 139264 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY