Ransomware.
rule win_satan_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.satan." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7421 8b10 8b4a08 3b4e04 740f c70200000000 } // n = 6, score = 100 // 7421 | je 0x23 // 8b10 | mov edx, dword ptr [eax] // 8b4a08 | mov ecx, dword ptr [edx + 8] // 3b4e04 | cmp ecx, dword ptr [esi + 4] // 740f | je 0x11 // c70200000000 | mov dword ptr [edx], 0 $sequence_1 = { c74408e0d0724700 8b41e0 8b5004 8d42e0 89440adc 8d51f8 8b42f8 } // n = 7, score = 100 // c74408e0d0724700 | mov dword ptr [eax + ecx - 0x20], 0x4772d0 // 8b41e0 | mov eax, dword ptr [ecx - 0x20] // 8b5004 | mov edx, dword ptr [eax + 4] // 8d42e0 | lea eax, dword ptr [edx - 0x20] // 89440adc | mov dword ptr [edx + ecx - 0x24], eax // 8d51f8 | lea edx, dword ptr [ecx - 8] // 8b42f8 | mov eax, dword ptr [edx - 8] $sequence_2 = { 85db 7457 6a00 6a00 6a00 68???????? 83ec1c } // n = 7, score = 100 // 85db | test ebx, ebx // 7457 | je 0x59 // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 68???????? | // 83ec1c | sub esp, 0x1c $sequence_3 = { 8b55f8 0fb682e0214200 ff2485b8214200 8b4dfc 8b5110 } // n = 5, score = 100 // 8b55f8 | mov edx, dword ptr [ebp - 8] // 0fb682e0214200 | movzx eax, byte ptr [edx + 0x4221e0] // ff2485b8214200 | jmp dword ptr [eax*4 + 0x4221b8] // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 8b5110 | mov edx, dword ptr [ecx + 0x10] $sequence_4 = { 750e 6a02 e8???????? 83c404 32c0 eb68 ba02000000 } // n = 7, score = 100 // 750e | jne 0x10 // 6a02 | push 2 // e8???????? | // 83c404 | add esp, 4 // 32c0 | xor al, al // eb68 | jmp 0x6a // ba02000000 | mov edx, 2 $sequence_5 = { 7548 e8???????? bf???????? bbe1000000 57 68???????? 6a00 } // n = 7, score = 100 // 7548 | jne 0x4a // e8???????? | // bf???????? | // bbe1000000 | mov ebx, 0xe1 // 57 | push edi // 68???????? | // 6a00 | push 0 $sequence_6 = { 7411 8b75dc 85f6 740a } // n = 4, score = 100 // 7411 | je 0x13 // 8b75dc | mov esi, dword ptr [ebp - 0x24] // 85f6 | test esi, esi // 740a | je 0xc $sequence_7 = { 003c22 44 00f5 22440000 0201 0200 0201 } // n = 7, score = 100 // 003c22 | add byte ptr [edx], bh // 44 | inc esp // 00f5 | add ch, dh // 22440000 | and al, byte ptr [eax + eax] // 0201 | add al, byte ptr [ecx] // 0200 | add al, byte ptr [eax] // 0201 | add al, byte ptr [ecx] $sequence_8 = { 8b45d4 0fb608 83e107 b801000000 d3e0 0fb64c15dc 0bc8 } // n = 7, score = 100 // 8b45d4 | mov eax, dword ptr [ebp - 0x2c] // 0fb608 | movzx ecx, byte ptr [eax] // 83e107 | and ecx, 7 // b801000000 | mov eax, 1 // d3e0 | shl eax, cl // 0fb64c15dc | movzx ecx, byte ptr [ebp + edx - 0x24] // 0bc8 | or ecx, eax $sequence_9 = { 8b4014 03c1 3bc2 7358 68aa000000 68???????? 68???????? } // n = 7, score = 100 // 8b4014 | mov eax, dword ptr [eax + 0x14] // 03c1 | add eax, ecx // 3bc2 | cmp eax, edx // 7358 | jae 0x5a // 68aa000000 | push 0xaa // 68???????? | // 68???????? | condition: 7 of them and filesize < 1163264 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY