Actor(s): Thrip
There is no description at this point.
rule win_rikamanu_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.rikamanu." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 6a14 ff15???????? a801 } // n = 4, score = 200 // e8???????? | // 6a14 | push 0x14 // ff15???????? | // a801 | test al, 1 $sequence_1 = { 50 ff15???????? 8b35???????? 3d80969800 } // n = 4, score = 200 // 50 | push eax // ff15???????? | // 8b35???????? | // 3d80969800 | cmp eax, 0x989680 $sequence_2 = { 8b4de4 83c40c 6bc930 8975e0 8db120982400 8975e4 eb2b } // n = 7, score = 100 // 8b4de4 | mov ecx, dword ptr [ebp - 0x1c] // 83c40c | add esp, 0xc // 6bc930 | imul ecx, ecx, 0x30 // 8975e0 | mov dword ptr [ebp - 0x20], esi // 8db120982400 | lea esi, dword ptr [ecx + 0x249820] // 8975e4 | mov dword ptr [ebp - 0x1c], esi // eb2b | jmp 0x2d $sequence_3 = { 8bc8 83e103 f3a4 ff15???????? 53 ff15???????? 8b35???????? } // n = 7, score = 100 // 8bc8 | mov ecx, eax // 83e103 | and ecx, 3 // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // ff15???????? | // 53 | push ebx // ff15???????? | // 8b35???????? | $sequence_4 = { 6a00 6803000010 53 ffd7 85c0 0f85ff020000 ffb5d0f8ffff } // n = 7, score = 100 // 6a00 | push 0 // 6803000010 | push 0x10000003 // 53 | push ebx // ffd7 | call edi // 85c0 | test eax, eax // 0f85ff020000 | jne 0x305 // ffb5d0f8ffff | push dword ptr [ebp - 0x730] $sequence_5 = { c1f905 8b0c8de0b84000 8a44c104 83e040 } // n = 4, score = 100 // c1f905 | sar ecx, 5 // 8b0c8de0b84000 | mov ecx, dword ptr [ecx*4 + 0x40b8e0] // 8a44c104 | mov al, byte ptr [ecx + eax*8 + 4] // 83e040 | and eax, 0x40 $sequence_6 = { 8d34f570902400 391e 7404 8bc7 } // n = 4, score = 100 // 8d34f570902400 | lea esi, dword ptr [esi*8 + 0x249070] // 391e | cmp dword ptr [esi], ebx // 7404 | je 6 // 8bc7 | mov eax, edi $sequence_7 = { 6a01 83e103 6800000040 f3a4 8b35???????? 68???????? ffd6 } // n = 7, score = 100 // 6a01 | push 1 // 83e103 | and ecx, 3 // 6800000040 | push 0x40000000 // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // 8b35???????? | // 68???????? | // ffd6 | call esi $sequence_8 = { 6810270000 ff15???????? 8b85e4fdffff 8d8dccfdffff } // n = 4, score = 100 // 6810270000 | push 0x2710 // ff15???????? | // 8b85e4fdffff | mov eax, dword ptr [ebp - 0x21c] // 8d8dccfdffff | lea ecx, dword ptr [ebp - 0x234] $sequence_9 = { ff35???????? ffd6 53 68???????? be???????? 56 e8???????? } // n = 7, score = 100 // ff35???????? | // ffd6 | call esi // 53 | push ebx // 68???????? | // be???????? | // 56 | push esi // e8???????? | $sequence_10 = { 6803000010 57 ffd6 85c0 0f85b9040000 8b4c2410 } // n = 6, score = 100 // 6803000010 | push 0x10000003 // 57 | push edi // ffd6 | call esi // 85c0 | test eax, eax // 0f85b9040000 | jne 0x4bf // 8b4c2410 | mov ecx, dword ptr [esp + 0x10] $sequence_11 = { 6804010000 33db 8d85f8feffff 50 51 } // n = 5, score = 100 // 6804010000 | push 0x104 // 33db | xor ebx, ebx // 8d85f8feffff | lea eax, dword ptr [ebp - 0x108] // 50 | push eax // 51 | push ecx $sequence_12 = { 8bc7 c1f805 c1e606 033485e0a72400 } // n = 4, score = 100 // 8bc7 | mov eax, edi // c1f805 | sar eax, 5 // c1e606 | shl esi, 6 // 033485e0a72400 | add esi, dword ptr [eax*4 + 0x24a7e0] $sequence_13 = { 52 ffd7 8d44243c 50 ffd3 55 } // n = 6, score = 100 // 52 | push edx // ffd7 | call edi // 8d44243c | lea eax, dword ptr [esp + 0x3c] // 50 | push eax // ffd3 | call ebx // 55 | push ebp $sequence_14 = { ffd6 8b95e8fdffff 52 ffd6 8b4dfc } // n = 5, score = 100 // ffd6 | call esi // 8b95e8fdffff | mov edx, dword ptr [ebp - 0x218] // 52 | push edx // ffd6 | call esi // 8b4dfc | mov ecx, dword ptr [ebp - 4] $sequence_15 = { 55 8bec a0???????? 33c9 84c0 } // n = 5, score = 100 // 55 | push ebp // 8bec | mov ebp, esp // a0???????? | // 33c9 | xor ecx, ecx // 84c0 | test al, al $sequence_16 = { 8bf0 c1ff05 83e61f c1e606 8b0cbd383f4100 } // n = 5, score = 100 // 8bf0 | mov esi, eax // c1ff05 | sar edi, 5 // 83e61f | and esi, 0x1f // c1e606 | shl esi, 6 // 8b0cbd383f4100 | mov ecx, dword ptr [edi*4 + 0x413f38] $sequence_17 = { c3 6a08 68???????? e8???????? 8b7508 c7465c18cd4000 } // n = 6, score = 100 // c3 | ret // 6a08 | push 8 // 68???????? | // e8???????? | // 8b7508 | mov esi, dword ptr [ebp + 8] // c7465c18cd4000 | mov dword ptr [esi + 0x5c], 0x40cd18 $sequence_18 = { a1???????? 85c0 74c9 33c9 33c0 } // n = 5, score = 100 // a1???????? | // 85c0 | test eax, eax // 74c9 | je 0xffffffcb // 33c9 | xor ecx, ecx // 33c0 | xor eax, eax $sequence_19 = { 5d c3 8bff 56 57 33ff ffb7709a2400 } // n = 7, score = 100 // 5d | pop ebp // c3 | ret // 8bff | mov edi, edi // 56 | push esi // 57 | push edi // 33ff | xor edi, edi // ffb7709a2400 | push dword ptr [edi + 0x249a70] $sequence_20 = { 83c424 c21000 6a00 55 } // n = 4, score = 100 // 83c424 | add esp, 0x24 // c21000 | ret 0x10 // 6a00 | push 0 // 55 | push ebp $sequence_21 = { ff15???????? 6820000100 68???????? 50 ff15???????? } // n = 5, score = 100 // ff15???????? | // 6820000100 | push 0x10020 // 68???????? | // 50 | push eax // ff15???????? | $sequence_22 = { 833d????????01 0f8486000000 33c9 663d0100 } // n = 4, score = 100 // 833d????????01 | // 0f8486000000 | je 0x8c // 33c9 | xor ecx, ecx // 663d0100 | cmp ax, 1 $sequence_23 = { ff15???????? 8bd8 3bdd 7517 } // n = 4, score = 100 // ff15???????? | // 8bd8 | mov ebx, eax // 3bdd | cmp ebx, ebp // 7517 | jne 0x19 $sequence_24 = { 8d95dcfdffff 52 6a01 53 } // n = 4, score = 100 // 8d95dcfdffff | lea edx, dword ptr [ebp - 0x224] // 52 | push edx // 6a01 | push 1 // 53 | push ebx $sequence_25 = { 8bd0 c1f905 83e21f 8b0c8de0b84000 } // n = 4, score = 100 // 8bd0 | mov edx, eax // c1f905 | sar ecx, 5 // 83e21f | and edx, 0x1f // 8b0c8de0b84000 | mov ecx, dword ptr [ecx*4 + 0x40b8e0] $sequence_26 = { 7309 8b04c580ee4000 5d c3 33c0 5d c3 } // n = 7, score = 100 // 7309 | jae 0xb // 8b04c580ee4000 | mov eax, dword ptr [eax*8 + 0x40ee80] // 5d | pop ebp // c3 | ret // 33c0 | xor eax, eax // 5d | pop ebp // c3 | ret $sequence_27 = { c1f905 8b0c8de0b84000 f644c10401 8d04c1 7403 8b00 } // n = 6, score = 100 // c1f905 | sar ecx, 5 // 8b0c8de0b84000 | mov ecx, dword ptr [ecx*4 + 0x40b8e0] // f644c10401 | test byte ptr [ecx + eax*8 + 4], 1 // 8d04c1 | lea eax, dword ptr [ecx + eax*8] // 7403 | je 5 // 8b00 | mov eax, dword ptr [eax] $sequence_28 = { 6804010000 68???????? 6a00 50 e8???????? 85c0 7523 } // n = 7, score = 100 // 6804010000 | push 0x104 // 68???????? | // 6a00 | push 0 // 50 | push eax // e8???????? | // 85c0 | test eax, eax // 7523 | jne 0x25 $sequence_29 = { 8d4c2414 68???????? 51 c744241c6c714000 e8???????? 33d2 6a0c } // n = 7, score = 100 // 8d4c2414 | lea ecx, dword ptr [esp + 0x14] // 68???????? | // 51 | push ecx // c744241c6c714000 | mov dword ptr [esp + 0x1c], 0x40716c // e8???????? | // 33d2 | xor edx, edx // 6a0c | push 0xc condition: 7 of them and filesize < 212992 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY