Actor(s): Gamaredon Group, Operation Armageddon
There is no description at this point.
rule win_pteranodon_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.pteranodon." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6bc830 881f 8b0495b8690310 f644082880 7507 } // n = 5, score = 100 // 6bc830 | imul ecx, eax, 0x30 // 881f | mov byte ptr [edi], bl // 8b0495b8690310 | mov eax, dword ptr [edx*4 + 0x100369b8] // f644082880 | test byte ptr [eax + ecx + 0x28], 0x80 // 7507 | jne 9 $sequence_1 = { 8bcb c645fc03 8d5102 660f1f440000 668b01 } // n = 5, score = 100 // 8bcb | mov ecx, ebx // c645fc03 | mov byte ptr [ebp - 4], 3 // 8d5102 | lea edx, [ecx + 2] // 660f1f440000 | nop word ptr [eax + eax] // 668b01 | mov ax, word ptr [ecx] $sequence_2 = { 83c418 03d8 13fa eb0c 039d88feffff 13bd84feffff } // n = 6, score = 100 // 83c418 | add esp, 0x18 // 03d8 | add ebx, eax // 13fa | adc edi, edx // eb0c | jmp 0xe // 039d88feffff | add ebx, dword ptr [ebp - 0x178] // 13bd84feffff | adc edi, dword ptr [ebp - 0x17c] $sequence_3 = { 6bc038 03048de0874300 50 ff15???????? 5d c3 } // n = 6, score = 100 // 6bc038 | imul eax, eax, 0x38 // 03048de0874300 | add eax, dword ptr [ecx*4 + 0x4387e0] // 50 | push eax // ff15???????? | // 5d | pop ebp // c3 | ret $sequence_4 = { c70021000000 eb44 c745e002000000 c745e4e4c14200 8b4508 8bcf 8b7510 } // n = 7, score = 100 // c70021000000 | mov dword ptr [eax], 0x21 // eb44 | jmp 0x46 // c745e002000000 | mov dword ptr [ebp - 0x20], 2 // c745e4e4c14200 | mov dword ptr [ebp - 0x1c], 0x42c1e4 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8bcf | mov ecx, edi // 8b7510 | mov esi, dword ptr [ebp + 0x10] $sequence_5 = { 8b01 85c0 0f84309e0000 83f808 } // n = 4, score = 100 // 8b01 | mov eax, dword ptr [ecx] // 85c0 | test eax, eax // 0f84309e0000 | je 0x9e36 // 83f808 | cmp eax, 8 $sequence_6 = { 6bc038 03048de0874300 eb05 b8???????? f6402820 } // n = 5, score = 100 // 6bc038 | imul eax, eax, 0x38 // 03048de0874300 | add eax, dword ptr [ecx*4 + 0x4387e0] // eb05 | jmp 7 // b8???????? | // f6402820 | test byte ptr [eax + 0x28], 0x20 $sequence_7 = { c78504f9ffff0f000000 c78500f9ffff00000000 c685f0f8ffff00 83f810 7213 40 8d8dc0f8ffff } // n = 7, score = 100 // c78504f9ffff0f000000 | mov dword ptr [ebp - 0x6fc], 0xf // c78500f9ffff00000000 | mov dword ptr [ebp - 0x700], 0 // c685f0f8ffff00 | mov byte ptr [ebp - 0x710], 0 // 83f810 | cmp eax, 0x10 // 7213 | jb 0x15 // 40 | inc eax // 8d8dc0f8ffff | lea ecx, [ebp - 0x740] $sequence_8 = { 50 e8???????? 8b4de0 8d0437 83c40c } // n = 5, score = 100 // 50 | push eax // e8???????? | // 8b4de0 | mov ecx, dword ptr [ebp - 0x20] // 8d0437 | lea eax, [edi + esi] // 83c40c | add esp, 0xc $sequence_9 = { 33c0 53 668906 ff75c0 8935???????? ff75bc 68???????? } // n = 7, score = 100 // 33c0 | xor eax, eax // 53 | push ebx // 668906 | mov word ptr [esi], ax // ff75c0 | push dword ptr [ebp - 0x40] // 8935???????? | // ff75bc | push dword ptr [ebp - 0x44] // 68???????? | $sequence_10 = { 6a01 51 56 ff15???????? 85c0 752b 85f6 } // n = 7, score = 100 // 6a01 | push 1 // 51 | push ecx // 56 | push esi // ff15???????? | // 85c0 | test eax, eax // 752b | jne 0x2d // 85f6 | test esi, esi $sequence_11 = { 6a00 8d45d4 c745fc00000000 50 8d45d0 c745d401000000 50 } // n = 7, score = 100 // 6a00 | push 0 // 8d45d4 | lea eax, [ebp - 0x2c] // c745fc00000000 | mov dword ptr [ebp - 4], 0 // 50 | push eax // 8d45d0 | lea eax, [ebp - 0x30] // c745d401000000 | mov dword ptr [ebp - 0x2c], 1 // 50 | push eax $sequence_12 = { 85db 7443 3bf8 7f0c 7c04 } // n = 5, score = 100 // 85db | test ebx, ebx // 7443 | je 0x45 // 3bf8 | cmp edi, eax // 7f0c | jg 0xe // 7c04 | jl 6 $sequence_13 = { 33ff 8db58cf6ffff 89bd90f6ffff 8d9d20f9ffff } // n = 4, score = 100 // 33ff | xor edi, edi // 8db58cf6ffff | lea esi, [ebp - 0x974] // 89bd90f6ffff | mov dword ptr [ebp - 0x970], edi // 8d9d20f9ffff | lea ebx, [ebp - 0x6e0] $sequence_14 = { 8d85f0feffff 50 ff15???????? 85c0 7510 } // n = 5, score = 100 // 8d85f0feffff | lea eax, [ebp - 0x110] // 50 | push eax // ff15???????? | // 85c0 | test eax, eax // 7510 | jne 0x12 $sequence_15 = { 83c618 8bbd90f6ffff 03f8 8b8598f6ffff 40 89bd90f6ffff 898598f6ffff } // n = 7, score = 100 // 83c618 | add esi, 0x18 // 8bbd90f6ffff | mov edi, dword ptr [ebp - 0x970] // 03f8 | add edi, eax // 8b8598f6ffff | mov eax, dword ptr [ebp - 0x968] // 40 | inc eax // 89bd90f6ffff | mov dword ptr [ebp - 0x970], edi // 898598f6ffff | mov dword ptr [ebp - 0x968], eax condition: 7 of them and filesize < 499712 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY