Based on the leaked Conti source code.
rule win_scarecrow_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.scarecrow."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * Reviewer note: every string below is a fixed x86 (32-bit) opcode run
     * taken from unpacked code. Matches are therefore expected on memory
     * dumps or unpacked samples; a packed on-disk file will generally not
     * expose these byte runs.
     */

    strings:
        // Remainder test after a signed division: cdq/idiv leaves the
        // remainder in edx, which is then tested and branched on.
        // n = 7, score = 100
        $sequence_0 = { f7f9 85d2 743b 8b45f4 8d4f17 83c00b 99 }
            // f7f9     | idiv ecx
            // 85d2     | test edx, edx
            // 743b     | je 0x3d
            // 8b45f4   | mov eax, dword ptr [ebp - 0xc]
            // 8d4f17   | lea ecx, [edi + 0x17]
            // 83c00b   | add eax, 0xb
            // 99       | cdq

        // Same idiv/test edx/je shape as $sequence_0, dividing by edi.
        // n = 7, score = 100
        $sequence_1 = { 74d9 eb57 99 f7ff 85d2 7450 8b4c2410 }
            // 74d9     | je 0xffffffdb
            // eb57     | jmp 0x59
            // 99       | cdq
            // f7ff     | idiv edi
            // 85d2     | test edx, edx
            // 7450     | je 0x52
            // 8b4c2410 | mov ecx, dword ptr [esp + 0x10]

        // Byte-wise immediate stores into consecutive stack slots
        // (a buffer built one byte at a time on the stack).
        // n = 7, score = 100
        $sequence_2 = { c68574faffff00 c68575faffff4b c68576faffff40 c68577faffff0a c68578faffff40 c68579faffff6e c6857afaffff40 }
            // c68574faffff00 | mov byte ptr [ebp - 0x58c], 0
            // c68575faffff4b | mov byte ptr [ebp - 0x58b], 0x4b
            // c68576faffff40 | mov byte ptr [ebp - 0x58a], 0x40
            // c68577faffff0a | mov byte ptr [ebp - 0x589], 0xa
            // c68578faffff40 | mov byte ptr [ebp - 0x588], 0x40
            // c68579faffff6e | mov byte ptr [ebp - 0x587], 0x6e
            // c6857afaffff40 | mov byte ptr [ebp - 0x586], 0x40

        // Byte-wise stack buffer construction, as in $sequence_2
        // (only six instructions, hence n = 6).
        // n = 6, score = 100
        $sequence_3 = { c6855bfcffff05 c6855cfcffff20 c6855dfcffff08 c6855efcffff20 c6855ffcffff27 c68560fcffff20 }
            // c6855bfcffff05 | mov byte ptr [ebp - 0x3a5], 5
            // c6855cfcffff20 | mov byte ptr [ebp - 0x3a4], 0x20
            // c6855dfcffff08 | mov byte ptr [ebp - 0x3a3], 8
            // c6855efcffff20 | mov byte ptr [ebp - 0x3a2], 0x20
            // c6855ffcffff27 | mov byte ptr [ebp - 0x3a1], 0x27
            // c68560fcffff20 | mov byte ptr [ebp - 0x3a0], 0x20

        // Sign-dependent adjustment of eax (jns / dec / or 0xfffffffc / inc);
        // compiler idiom whose higher-level meaning is not recoverable here.
        // n = 7, score = 100
        $sequence_4 = { 7905 48 83c8fc 40 744a 8b4df4 8d4303 }
            // 7905     | jns 7
            // 48       | dec eax
            // 83c8fc   | or eax, 0xfffffffc
            // 40       | inc eax
            // 744a     | je 0x4c
            // 8b4df4   | mov ecx, dword ptr [ebp - 0xc]
            // 8d4303   | lea eax, [ebx + 3]

        // Remainder test (cdq/idiv edi/test edx/jne) followed by an
        // alignment nop and a reload from a large stack frame.
        // n = 7, score = 100
        $sequence_5 = { 99 f7ff 85d2 752c 0f1f4000 8b859cf7ffff 99 }
            // 99           | cdq
            // f7ff         | idiv edi
            // 85d2         | test edx, edx
            // 752c         | jne 0x2e
            // 0f1f4000     | nop dword ptr [eax]
            // 8b859cf7ffff | mov eax, dword ptr [ebp - 0x864]
            // 99           | cdq

        // Loop prologue: two locals initialised (5 and 0x67f205), a
        // multi-byte nop, then the cdq that precedes a signed divide.
        // n = 7, score = 100
        $sequence_6 = { 0f84f7040000 8d4f03 c745f005000000 660f1f840000000000 c745f405f26700 8b45f4 99 }
            // 0f84f7040000       | je 0x4fd
            // 8d4f03             | lea ecx, [edi + 3]
            // c745f005000000     | mov dword ptr [ebp - 0x10], 5
            // 660f1f840000000000 | nop word ptr [eax + eax]
            // c745f405f26700     | mov dword ptr [ebp - 0xc], 0x67f205
            // 8b45f4             | mov eax, dword ptr [ebp - 0xc]
            // 99                 | cdq

        // Byte-wise stack buffer construction with interleaved zero bytes.
        // n = 7, score = 100
        $sequence_7 = { c645aa00 c645ab6b c645ac00 c645ad48 c645ae00 c645af00 c645b000 }
            // c645aa00 | mov byte ptr [ebp - 0x56], 0
            // c645ab6b | mov byte ptr [ebp - 0x55], 0x6b
            // c645ac00 | mov byte ptr [ebp - 0x54], 0
            // c645ad48 | mov byte ptr [ebp - 0x53], 0x48
            // c645ae00 | mov byte ptr [ebp - 0x52], 0
            // c645af00 | mov byte ptr [ebp - 0x51], 0
            // c645b000 | mov byte ptr [ebp - 0x50], 0

        // Byte-wise buffer construction addressed via esp, alternating
        // the constant 5 with other byte values.
        // n = 7, score = 100
        $sequence_8 = { c644246205 c644246347 c644246405 c64424655a c644246605 c644246727 c644246805 }
            // c644246205 | mov byte ptr [esp + 0x62], 5
            // c644246347 | mov byte ptr [esp + 0x63], 0x47
            // c644246405 | mov byte ptr [esp + 0x64], 5
            // c64424655a | mov byte ptr [esp + 0x65], 0x5a
            // c644246605 | mov byte ptr [esp + 0x66], 5
            // c644246727 | mov byte ptr [esp + 0x67], 0x27
            // c644246805 | mov byte ptr [esp + 0x68], 5

        // SSE2 packed-double arithmetic block; the absolute operand
        // address 0x430270 ties this run to one specific image base/layout.
        // n = 7, score = 100
        $sequence_9 = { 660f28b870024300 660f54f0 660f5cc6 660f59f4 660f5cf2 f20f58fe 660f59c4 }
            // 660f28b870024300 | movapd xmm7, xmmword ptr [eax + 0x430270]
            // 660f54f0         | andpd xmm6, xmm0
            // 660f5cc6         | subpd xmm0, xmm6
            // 660f59f4         | mulpd xmm6, xmm4
            // 660f5cf2         | subpd xmm6, xmm2
            // f20f58fe         | addsd xmm7, xmm6
            // 660f59c4         | mulpd xmm0, xmm4

    condition:
        // Seven of the ten opcode runs must be present, and the scanned
        // object must be smaller than 490 KiB (490 * 1024 = 501760 bytes).
        7 of ($sequence_*) and filesize < 490KB
}