There is no description at this point.
rule win_shujin_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.shujin." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? ff7660 8b1d???????? 6a01 bf80000000 57 } // n = 6, score = 100 // e8???????? | // ff7660 | push dword ptr [esi + 0x60] // 8b1d???????? | // 6a01 | push 1 // bf80000000 | mov edi, 0x80 // 57 | push edi $sequence_1 = { ff15???????? 85c0 0f8431010000 53 897df4 } // n = 5, score = 100 // ff15???????? | // 85c0 | test eax, eax // 0f8431010000 | je 0x137 // 53 | push ebx // 897df4 | mov dword ptr [ebp - 0xc], edi $sequence_2 = { 6aff 50 ff15???????? 57 8b7d10 83ff01 } // n = 6, score = 100 // 6aff | push -1 // 50 | push eax // ff15???????? | // 57 | push edi // 8b7d10 | mov edi, dword ptr [ebp + 0x10] // 83ff01 | cmp edi, 1 $sequence_3 = { 8bf9 ba???????? 0fb67201 8a0a 8b1f d3e3 0fb60c06 } // n = 7, score = 100 // 8bf9 | mov edi, ecx // ba???????? | // 0fb67201 | movzx esi, byte ptr [edx + 1] // 8a0a | mov cl, byte ptr [edx] // 8b1f | mov ebx, dword ptr [edi] // d3e3 | shl ebx, cl // 0fb60c06 | movzx ecx, byte ptr [esi + eax] $sequence_4 = { 83615400 53 56 57 8d7108 c7450805000000 8b46f8 } // n = 7, score = 100 // 83615400 | and dword ptr [ecx + 0x54], 0 // 53 | push ebx // 56 | push esi // 57 | push edi // 8d7108 | lea esi, [ecx + 8] // c7450805000000 | mov dword ptr [ebp + 8], 5 // 8b46f8 | mov eax, dword ptr [esi - 8] $sequence_5 = { ff45f8 817df870170000 72c9 e9???????? 807daa01 8b45e8 8d1c06 } // n = 7, score = 100 // ff45f8 | inc dword ptr [ebp - 8] // 817df870170000 | cmp dword ptr [ebp - 8], 0x1770 // 72c9 | jb 0xffffffcb // e9???????? | // 807daa01 | cmp byte ptr [ebp - 0x56], 1 // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // 8d1c06 | lea ebx, [esi + eax] $sequence_6 = { 8b5508 0facc21a c1f81a 8bd8 8955e4 } // n = 5, score = 100 // 8b5508 | mov edx, dword ptr [ebp + 8] // 0facc21a | shrd edx, eax, 0x1a // c1f81a | sar eax, 0x1a // 8bd8 | mov ebx, eax // 8955e4 | mov dword ptr [ebp - 0x1c], edx $sequence_7 = { c1ef10 8d8d9cf9ffff 2bf9 03f8 a0???????? a801 7421 } // n = 7, score = 100 // c1ef10 | shr edi, 0x10 // 8d8d9cf9ffff | lea ecx, [ebp - 0x664] // 2bf9 | sub edi, ecx // 03f8 | add edi, eax // a0???????? | // a801 | test al, 1 // 7421 | je 0x23 $sequence_8 = { 895008 8b680c 8bd5 896c2410 } // n = 4, score = 100 // 895008 | mov dword ptr [eax + 8], edx // 8b680c | mov ebp, dword ptr [eax + 0xc] // 8bd5 | mov edx, ebp // 896c2410 | mov dword ptr [esp + 0x10], ebp $sequence_9 = { 8d1c06 83c40c 8975f8 3bf3 731e } // n = 5, score = 100 // 8d1c06 | lea ebx, [esi + eax] // 83c40c | add esp, 0xc // 8975f8 | mov dword ptr [ebp - 8], esi // 3bf3 | cmp esi, ebx // 731e | jae 0x20 condition: 7 of them and filesize < 172032 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY