Actor(s): Thrip
There is no description at this point.
rule win_rikamanu_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.rikamanu." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 6a14 ff15???????? a801 } // n = 4, score = 200 // e8???????? | // 6a14 | push 0x14 // ff15???????? | // a801 | test al, 1 $sequence_1 = { 50 ff15???????? 8b35???????? 3d80969800 } // n = 4, score = 200 // 50 | push eax // ff15???????? | // 8b35???????? | // 3d80969800 | cmp eax, 0x989680 $sequence_2 = { 8b85e4fdffff 8d8dccfdffff 51 8d9588fdffff 52 8b95f0fdffff 53 } // n = 7, score = 100 // 8b85e4fdffff | mov eax, dword ptr [ebp - 0x21c] // 8d8dccfdffff | lea ecx, [ebp - 0x234] // 51 | push ecx // 8d9588fdffff | lea edx, [ebp - 0x278] // 52 | push edx // 8b95f0fdffff | mov edx, dword ptr [ebp - 0x210] // 53 | push ebx $sequence_3 = { 68???????? 51 c744241c6c714000 e8???????? 33d2 6a0c 8954240a } // n = 7, score = 100 // 68???????? | // 51 | push ecx // c744241c6c714000 | mov dword ptr [esp + 0x1c], 0x40716c // e8???????? | // 33d2 | xor edx, edx // 6a0c | push 0xc // 8954240a | mov dword ptr [esp + 0xa], edx $sequence_4 = { 0fb6442404 8a4c240c 848821ae4000 751c 837c240800 740e 0fb70445faa64000 } // n = 7, score = 100 // 0fb6442404 | movzx eax, byte ptr [esp + 4] // 8a4c240c | mov cl, byte ptr [esp + 0xc] // 848821ae4000 | test byte ptr [eax + 0x40ae21], cl // 751c | jne 0x1e // 837c240800 | cmp dword ptr [esp + 8], 0 // 740e | je 0x10 // 0fb70445faa64000 | movzx eax, word ptr [eax*2 + 0x40a6fa] $sequence_5 = { 83c42c 5f eb26 8d4508 8db62c724000 6a00 } // n = 6, score = 100 // 83c42c | add esp, 0x2c // 5f | pop edi // eb26 | jmp 0x28 // 8d4508 | lea eax, [ebp + 8] // 8db62c724000 | lea esi, [esi + 0x40722c] // 6a00 | push 0 $sequence_6 = { 8088????????10 8ac8 80c120 888820ad4000 eb1f 83f861 } // n = 6, score = 100 // 8088????????10 | // 8ac8 | mov cl, al // 80c120 | add cl, 0x20 // 888820ad4000 | mov byte ptr [eax + 0x40ad20], cl // eb1f | jmp 0x21 // 83f861 | cmp eax, 0x61 $sequence_7 = { 0fbe05???????? 83e802 7413 83e806 7407 bf???????? eb0c } // n = 7, score = 100 // 0fbe05???????? | // 83e802 | sub eax, 2 // 7413 | je 0x15 // 83e806 | sub eax, 6 // 7407 | je 9 // bf???????? | // eb0c | jmp 0xe $sequence_8 = { 57 ff15???????? 33c0 40 ebcc } // n = 5, score = 100 // 57 | push edi // ff15???????? | // 33c0 | xor eax, eax // 40 | inc eax // ebcc | jmp 0xffffffce $sequence_9 = { eba1 8b85f0fdffff 6a04 8d95ecfdffff } // n = 4, score = 100 // eba1 | jmp 0xffffffa3 // 8b85f0fdffff | mov eax, dword ptr [ebp - 0x210] // 6a04 | push 4 // 8d95ecfdffff | lea edx, [ebp - 0x214] $sequence_10 = { 51 68???????? 55 ffd3 bf???????? 83c9ff 33c0 } // n = 7, score = 100 // 51 | push ecx // 68???????? | // 55 | push ebp // ffd3 | call ebx // bf???????? | // 83c9ff | or ecx, 0xffffffff // 33c0 | xor eax, eax $sequence_11 = { 6a04 55 83e103 6a01 8d44246c } // n = 5, score = 100 // 6a04 | push 4 // 55 | push ebp // 83e103 | and ecx, 3 // 6a01 | push 1 // 8d44246c | lea eax, [esp + 0x6c] $sequence_12 = { 6a00 6a00 55 ffd7 55 } // n = 5, score = 100 // 6a00 | push 0 // 6a00 | push 0 // 55 | push ebp // ffd7 | call edi // 55 | push ebp $sequence_13 = { 56 ff15???????? 8b842470020000 03f8 57 56 ff15???????? } // n = 7, score = 100 // 56 | push esi // ff15???????? | // 8b842470020000 | mov eax, dword ptr [esp + 0x270] // 03f8 | add edi, eax // 57 | push edi // 56 | push esi // ff15???????? | $sequence_14 = { 8987709a2400 83c704 83ff28 72e6 5f } // n = 5, score = 100 // 8987709a2400 | mov dword ptr [edi + 0x249a70], eax // 83c704 | add edi, 4 // 83ff28 | cmp edi, 0x28 // 72e6 | jb 0xffffffe8 // 5f | pop edi $sequence_15 = { 83c40c 33c0 6808020000 8d95f4fdffff 52 } // n = 5, score = 100 // 83c40c | add esp, 0xc // 33c0 | xor eax, eax // 6808020000 | push 0x208 // 8d95f4fdffff | lea edx, [ebp - 0x20c] // 52 | push edx $sequence_16 = { 8d34c570902400 833e00 7513 50 } // n = 4, score = 100 // 8d34c570902400 | lea esi, [eax*8 + 0x249070] // 833e00 | cmp dword ptr [esi], 0 // 7513 | jne 0x15 // 50 | push eax $sequence_17 = { 8d4508 8db62c724000 6a00 50 ff36 e8???????? 59 } // n = 7, score = 100 // 8d4508 | lea eax, [ebp + 8] // 8db62c724000 | lea esi, [esi + 0x40722c] // 6a00 | push 0 // 50 | push eax // ff36 | push dword ptr [esi] // e8???????? | // 59 | pop ecx $sequence_18 = { 891d???????? 891d???????? ff15???????? 8d85f8feffff } // n = 4, score = 100 // 891d???????? | // 891d???????? | // ff15???????? | // 8d85f8feffff | lea eax, [ebp - 0x108] $sequence_19 = { 7373 8bc8 8bf0 c1f905 83e61f 8d3c8de0b84000 c1e603 } // n = 7, score = 100 // 7373 | jae 0x75 // 8bc8 | mov ecx, eax // 8bf0 | mov esi, eax // c1f905 | sar ecx, 5 // 83e61f | and esi, 0x1f // 8d3c8de0b84000 | lea edi, [ecx*4 + 0x40b8e0] // c1e603 | shl esi, 3 $sequence_20 = { 391d???????? 0f849e000000 33c0 663bcb 0f95c0 } // n = 5, score = 100 // 391d???????? | // 0f849e000000 | je 0xa4 // 33c0 | xor eax, eax // 663bcb | cmp cx, bx // 0f95c0 | setne al $sequence_21 = { 8bec 8b450c 56 beff000000 3bc6 7518 } // n = 6, score = 100 // 8bec | mov ebp, esp // 8b450c | mov eax, dword ptr [ebp + 0xc] // 56 | push esi // beff000000 | mov esi, 0xff // 3bc6 | cmp eax, esi // 7518 | jne 0x1a $sequence_22 = { 8945e4 3d00010000 7d10 8a8c181d010000 888808972400 40 ebe6 } // n = 7, score = 100 // 8945e4 | mov dword ptr [ebp - 0x1c], eax // 3d00010000 | cmp eax, 0x100 // 7d10 | jge 0x12 // 8a8c181d010000 | mov cl, byte ptr [eax + ebx + 0x11d] // 888808972400 | mov byte ptr [eax + 0x249708], cl // 40 | inc eax // ebe6 | jmp 0xffffffe8 $sequence_23 = { 85c0 74c9 33c9 33c0 890d???????? bf???????? 890d???????? } // n = 7, score = 100 // 85c0 | test eax, eax // 74c9 | je 0xffffffcb // 33c9 | xor ecx, ecx // 33c0 | xor eax, eax // 890d???????? | // bf???????? | // 890d???????? | $sequence_24 = { ebe3 80a0a0a6400000 40 41 41 3bc6 } // n = 6, score = 100 // ebe3 | jmp 0xffffffe5 // 80a0a0a6400000 | and byte ptr [eax + 0x40a6a0], 0 // 40 | inc eax // 41 | inc ecx // 41 | inc ecx // 3bc6 | cmp eax, esi $sequence_25 = { ff15???????? ff750c e8???????? 59 3bc3 } // n = 5, score = 100 // ff15???????? | // ff750c | push dword ptr [ebp + 0xc] // e8???????? | // 59 | pop ecx // 3bc3 | cmp eax, ebx $sequence_26 = { 40 3acb 75f9 2bc2 8d95f8feffff } // n = 5, score = 100 // 40 | inc eax // 3acb | cmp cl, bl // 75f9 | jne 0xfffffffb // 2bc2 | sub eax, edx // 8d95f8feffff | lea edx, [ebp - 0x108] $sequence_27 = { 8b54240c 81fa80000000 7c0e 0fba25????????01 0f820b070000 57 } // n = 6, score = 100 // 8b54240c | mov edx, dword ptr [esp + 0xc] // 81fa80000000 | cmp edx, 0x80 // 7c0e | jl 0x10 // 0fba25????????01 | // 0f820b070000 | jb 0x711 // 57 | push edi $sequence_28 = { 7457 68???????? 56 ffd5 85c0 744b 8a0e } // n = 7, score = 100 // 7457 | je 0x59 // 68???????? | // 56 | push esi // ffd5 | call ebp // 85c0 | test eax, eax // 744b | je 0x4d // 8a0e | mov cl, byte ptr [esi] $sequence_29 = { c1e106 8b0485383f4100 f644080401 7405 8b0408 5d } // n = 6, score = 100 // c1e106 | shl ecx, 6 // 8b0485383f4100 | mov eax, dword ptr [eax*4 + 0x413f38] // f644080401 | test byte ptr [eax + ecx + 4], 1 // 7405 | je 7 // 8b0408 | mov eax, dword ptr [eax + ecx] // 5d | pop ebp condition: 7 of them and filesize < 212992 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY