There is no description at this point.
rule win_sappycache_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-11-21" version = "1" description = "Detects win.sappycache." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache" malpedia_rule_date = "20221118" malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af" malpedia_version = "20221125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4883ec20 488d1d16150100 488d350f150100 eb16 488b3b 4885ff } // n = 6, score = 200 // 4883ec20 | dec eax // 488d1d16150100 | lea ecx, [eax + ebp] // 488d350f150100 | dec eax // eb16 | mov esi, eax // 488b3b | dec eax // 4885ff | test ebx, ebx $sequence_1 = { 488d8d40010000 41b800010000 e8???????? ba00000200 } // n = 4, score = 200 // 488d8d40010000 | dec eax // 41b800010000 | mov esi, dword ptr [esp + 0x48] // e8???????? | // ba00000200 | dec eax $sequence_2 = { 4883faff 750a 488bcb e8???????? eb0f 488bd3 488d0dcb490100 } // n = 7, score = 200 // 4883faff | lea edx, [0x11a27] // 750a | dec eax // 488bcb | lea ecx, [esp + 0x60] // e8???????? | // eb0f | xor eax, eax // 488bd3 | inc ecx // 488d0dcb490100 | mov edi, ecx $sequence_3 = { ff15???????? 488bf0 4883f8ff 7515 33c0 488b4c2450 } // n = 6, score = 200 // ff15???????? | // 488bf0 | shr dl, 2 // 4883f8ff | shr al, 6 // 7515 | inc eax // 33c0 | and bh, 0x3f // 488b4c2450 | or bl, al $sequence_4 = { c74500f4010000 488bce ff15???????? 4983cfff 488d8540020000 498bd7 660f1f440000 } // n = 7, score = 200 // c74500f4010000 | js 0x329 // 488bce | dec eax // ff15???????? | // 4983cfff | cwde // 488d8540020000 | dec eax // 498bd7 | cmp eax, 0xe4 // 660f1f440000 | jae 0x329 $sequence_5 = { 488bfb 4885db 75d9 8d4b0e ff15???????? } // n = 5, score = 200 // 488bfb | ja 0x9d2 // 4885db | dec eax // 75d9 | lea ebx, [edi + 0x48] // 8d4b0e | dec eax // ff15???????? | $sequence_6 = { 488d9520420000 498bce ff15???????? 8b5580 b940000000 } // n = 5, score = 200 // 488d9520420000 | dec eax // 498bce | mov dword ptr [edx], ecx // ff15???????? | // 8b5580 | dec eax // b940000000 | mov dword ptr [edx + 8], ecx $sequence_7 = { e8???????? 85c0 7407 b902000000 cd29 488d0d434b0100 } // n = 6, score = 200 // e8???????? | // 85c0 | lea ecx, [eax + 0x40] // 7407 | dec eax // b902000000 | add ecx, 8 // cd29 | dec eax // 488d0d434b0100 | cmp ecx, ebx $sequence_8 = { 41b800800000 488bce ff15???????? 4885db 742b 0f1f4000 488b4b08 } // n = 7, score = 200 // 41b800800000 | and al, 3 // 488bce | and bl, 0xf // ff15???????? | // 4885db | inc ecx // 742b | shl al, 4 // 0f1f4000 | inc esp // 488b4b08 | or al, al $sequence_9 = { 6644392c50 75f6 4c8d4db0 4533c0 488d8d40020000 } // n = 5, score = 200 // 6644392c50 | dec eax // 75f6 | mov ebx, edi // 4c8d4db0 | dec eax // 4533c0 | test edi, edi // 488d8d40020000 | jne 0x1477 condition: 7 of them and filesize < 262144 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY