Actor(s): Turla Group
There is no description at this point.
rule win_skipper_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.skipper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): how to read and deploy this rule.
     * - Each $sequence_N is a YARA hex string of raw opcode bytes. "??" masks
     *   bytes that change between builds (call/jmp targets, absolute
     *   addresses), so the patterns survive relocation and rebuilds.
     * - The "// n = .., score = .." line is the generator's metadata for the
     *   sequence: n is the number of opcodes in the pattern; score appears to
     *   be the generator's ranking (sequences are listed in descending score,
     *   600 down to 100).
     * - The per-opcode disassembly annotations are auto-generated and, in most
     *   sequences here, visibly misaligned with the bytes they sit next to
     *   (e.g. 6a03 is `push 3`, not `dec esp`; 64-bit REX-prefixed bytes such
     *   as 48.. are shown as 32-bit `dec eax`). Treat them as hints only and
     *   re-disassemble the bytes yourself before drawing conclusions from a hit.
     * - The rule mixes 32-bit and 64-bit (REX-prefixed) sequences, so it is
     *   meant to cover both builds of the family.
     * - The condition (7 of the 46 sequences, filesize below 256 KiB) matches
     *   code bytes, so apply it to unpacked samples or memory dumps as the
     *   disclaimer states; packed on-disk samples will normally not match.
     */
    strings:
        $sequence_0 = { 6a03 68???????? 68???????? 6a50 }
            // n = 4, score = 600
            // 6a03 | dec esp
            // 68???????? |
            // 68???????? |
            // 6a50 | lea ecx, dword ptr [0x8e2d]
        $sequence_1 = { ff15???????? 6a00 6a00 6a00 6a00 50 }
            // n = 6, score = 500
            // ff15???????? |
            // 6a00 | inc eax
            // 6a00 | jmp 0xffffffec
            // 6a00 | xor eax, eax
            // 6a00 | mov dword ptr [ebp - 0x1c], eax
            // 50 | cmp eax, 0x100
        $sequence_2 = { e8???????? 6804010000 e8???????? 6804010000 8bf8 6a00 57 }
            // n = 7, score = 500
            // e8???????? |
            // 6804010000 | mov ecx, dword ptr [ebp - 0x1c]
            // e8???????? |
            // 6804010000 | add esp, 0xc
            // 8bf8 | imul ecx, ecx, 0x30
            // 6a00 | mov dword ptr [ebp - 0x20], esi
            // 57 | lea esi, dword ptr [ecx + 0x23a6c8]
        $sequence_3 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            // 59 | mov dword ptr [esi + 0x5c], 0x2381d8
            // 5d | xor edi, edi
            // c3 | inc edi
            // 55 | mov dword ptr [esi + 0x14], edi
            // 8bec | test eax, eax
            // 33c0 | je 0x2e
            // 50 | je 0xe
        $sequence_4 = { 57 6804010000 c644241300 e8???????? 6804010000 6a00 }
            // n = 6, score = 400
            // 57 | mov dword ptr [ebx + 8], 1
            // 6804010000 | push 6
            // c644241300 | mov dword ptr [ebx + 0xc], eax
            // e8???????? |
            // 6804010000 | lea eax, dword ptr [ebx + 0x10]
            // 6a00 | lea ecx, dword ptr [ecx + 0x23a6bc]
        $sequence_5 = { 68???????? 6a50 53 50 ff15???????? 6a00 }
            // n = 6, score = 400
            // 68???????? |
            // 6a50 | push 0x50
            // 53 | push 0x104
            // 50 | push 0x104
            // ff15???????? |
            // 6a00 | mov edi, eax
        $sequence_6 = { 81cb00ffffff 43 0fb6c3 8d8dfcfeffff 03c8 46 8a01 }
            // n = 7, score = 400
            // 81cb00ffffff | push 3
            // 43 | push 0x50
            // 0fb6c3 | push 0
            // 8d8dfcfeffff | push 3
            // 03c8 | push 0x50
            // 46 | push 0
            // 8a01 | push 0
        $sequence_7 = { e8???????? 6bc064 2bf0 6bf67b }
            // n = 4, score = 400
            // e8???????? |
            // 6bc064 | push 0x50
            // 2bf0 | push 0
            // 6bf67b | push 3
        $sequence_8 = { 83c404 6a00 6a64 52 50 e8???????? }
            // n = 6, score = 300
            // 83c404 | inc ecx
            // 6a00 | mov eax, 0x94
            // 6a64 | dec eax
            // 52 | mov dword ptr [eax], ecx
            // 50 | inc ecx
            // e8???????? |
        $sequence_9 = { e8???????? 83c404 6a00 6a64 }
            // n = 4, score = 300
            // e8???????? |
            // 83c404 | push edx
            // 6a00 | push eax
            // 6a64 | add esp, 4
        $sequence_10 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            // 6800308000 | mov ecx, dword ptr [ebp - 0x124]
            // 6a00 | movzx edx, byte ptr [ebp - 4]
            // 6a00 | mov al, byte ptr [ebp - 0x111]
            // 68???????? |
        $sequence_11 = { 038de8feffff 8b85e0feffff 99 f77d0c 8b4508 }
            // n = 5, score = 200
            // 038de8feffff | push 0x104
            // 8b85e0feffff | mov edi, eax
            // 99 | push 0x104
            // f77d0c | push 0x104
            // 8b4508 | mov edi, eax
        $sequence_12 = { 7908 4a 81ca00ffffff 42 8955fc 0fb645f8 }
            // n = 6, score = 200
            // 7908 | push 0
            // 4a | push 0x64
            // 81ca00ffffff | push edx
            // 42 | add esp, 4
            // 8955fc | push 0
            // 0fb645f8 | push 0x64
        $sequence_13 = { 488d5201 3d00010000 7cf1 448bc1 448bc9 }
            // n = 5, score = 200
            // 488d5201 | dec eax
            // 3d00010000 | dec ebx
            // 7cf1 | jne 0xffffff82
            // 448bc1 | inc edx
            // 448bc9 | xor dl, byte ptr [edi + ebx - 1]
        $sequence_14 = { 81c900ffffff ffc1 4863c1 0fb61404 4403d2 4181e2ff000080 }
            // n = 6, score = 200
            // 81c900ffffff | movzx eax, byte ptr [ebp - 4]
            // ffc1 | movzx ecx, byte ptr [ebp + eax - 0x110]
            // 4863c1 | add edx, ecx
            // 0fb61404 | and edx, 0x800000ff
            // 4403d2 | jns 0x1a
            // 4181e2ff000080 | dec eax
        $sequence_15 = { 8b4d10 038ddcfeffff 0fbe11 0fb685eefeffff 33d0 8b4d18 038ddcfeffff }
            // n = 7, score = 200
            // 8b4d10 | inc edx
            // 038ddcfeffff | mov dword ptr [ebp - 4], edx
            // 0fbe11 | movzx eax, byte ptr [ebp - 8]
            // 0fb685eefeffff | movzx edx, byte ptr [ebp - 4]
            // 33d0 | movzx eax, byte ptr [ebp - 8]
            // 8b4d18 | mov cl, byte ptr [ebp + edx - 0x110]
            // 038ddcfeffff | mov byte ptr [ebp + eax - 0x110], cl
        $sequence_16 = { 488b05???????? 4833c4 4889842400010000 4c8b9c2440010000 33c9 }
            // n = 5, score = 200
            // 488b05???????? |
            // 4833c4 | mov ecx, dword ptr [ebp + 0x10]
            // 4889842400010000 | mov ecx, dword ptr [ebp + 0x10]
            // 4c8b9c2440010000 | add ecx, dword ptr [ebp - 0x124]
            // 33c9 | movsx edx, byte ptr [ecx]
        $sequence_17 = { 0fb61404 4232541fff 418853ff 48ffcb 0f8575ffffff }
            // n = 5, score = 200
            // 0fb61404 | movzx eax, byte ptr [ebp - 0x112]
            // 4232541fff | xor edx, eax
            // 418853ff | mov ecx, dword ptr [ebp + 0x18]
            // 48ffcb | add ecx, dword ptr [ebp - 0x124]
            // 0f8575ffffff | inc ecx
        $sequence_18 = { 0f8575ffffff b001 488b8c2400010000 4833cc e8???????? 4c8d9c2410010000 }
            // n = 6, score = 200
            // 0f8575ffffff | inc ecx
            // b001 | and edx, 0x800000ff
            // 488b8c2400010000 | movzx eax, byte ptr [edx]
            // 4833cc | mov byte ptr [ebx - 1], al
            // e8???????? |
            // 4c8d9c2410010000 | inc eax
        $sequence_19 = { 0fb6c1 4c8d0424 488d1424 4c03c0 410fb6c2 450fb608 4803d0 }
            // n = 7, score = 200
            // 0fb6c1 | mov ebx, dword ptr [esp + 0x140]
            // 4c8d0424 | xor ecx, ecx
            // 488d1424 | movzx edx, byte ptr [esp + eax]
            // 4c03c0 | inc edx
            // 410fb6c2 | xor dl, byte ptr [edi + ebx - 1]
            // 450fb608 | inc ecx
            // 4803d0 | mov byte ptr [ebx - 1], dl
        $sequence_20 = { 81ca00ffffff 42 0fb6d2 8a8415f0feffff 8885eefeffff }
            // n = 5, score = 200
            // 81ca00ffffff | push edx
            // 42 | add esp, 4
            // 0fb6d2 | push 0
            // 8a8415f0feffff | push 0x64
            // 8885eefeffff | push edx
        $sequence_21 = { 0fb602 8843ff 408832 4181f900010000 }
            // n = 4, score = 200
            // 0fb602 | xor eax, esp
            // 8843ff | dec eax
            // 408832 | mov dword ptr [esp + 0x100], eax
            // 4181f900010000 | dec esp
        $sequence_22 = { 88940df0feffff ebd0 c785e8feffff00000000 c785e0feffff00000000 eb0f }
            // n = 5, score = 200
            // 88940df0feffff | push 0x104
            // ebd0 | push 0x104
            // c785e8feffff00000000 | mov edi, eax
            // c785e0feffff00000000 | push 0
            // eb0f | push 0x104
        $sequence_23 = { 0fb695e8feffff 8a85effeffff 888415f0feffff e9???????? c785dcfeffff00000000 eb0f 8b8ddcfeffff }
            // n = 7, score = 200
            // 0fb695e8feffff | push 0
            // 8a85effeffff | push edi
            // 888415f0feffff | push 0
            // e9???????? |
            // c785dcfeffff00000000 | push 0
            // eb0f | push 0
            // 8b8ddcfeffff | push 0
        $sequence_24 = { 4181e2ff000080 7d0d 41ffca 4181ca00ffffff 41ffc2 0fb6c1 }
            // n = 6, score = 200
            // 4181e2ff000080 | inc ecx
            // 7d0d | mov byte ptr [ebx - 1], dl
            // 41ffca | dec eax
            // 4181ca00ffffff | dec ebx
            // 41ffc2 | jne 0xffffff82
            // 0fb6c1 | mov al, 1
        $sequence_25 = { 41 898de8feffff 8b85e0feffff 8a8c05f0feffff 888deffeffff 0fb695e8feffff }
            // n = 6, score = 200
            // 41 | movzx edx, byte ptr [ebp - 4]
            // 898de8feffff | or edx, 0xffffff00
            // 8b85e0feffff | inc edx
            // 8a8c05f0feffff | movzx edx, dl
            // 888deffeffff | mov al, byte ptr [ebp + edx - 0x110]
            // 0fb695e8feffff | mov byte ptr [ebp - 0x112], al
        $sequence_26 = { 0fb655fc 0fb645f8 8a8c15f0feffff 888c05f0feffff 0fb655fc }
            // n = 5, score = 200
            // 0fb655fc | push edx
            // 0fb645f8 | push eax
            // 8a8c15f0feffff | add esp, 4
            // 888c05f0feffff | push 0
            // 0fb655fc | push 0x64
        $sequence_27 = { 4c8d0d2d8e0000 33d2 4d8bc1 413b08 }
            // n = 4, score = 100
            // 4c8d0d2d8e0000 | dec esp
            // 33d2 | lea edi, dword ptr [0xa532]
            // 4d8bc1 | and ebx, 0x1f
            // 413b08 | jns 0x43
        $sequence_28 = { 75f6 488b0d???????? 33d2 41b894000000 488908 8b0d???????? }
            // n = 6, score = 100
            // 75f6 | dec eax
            // 488b0d???????? |
            // 33d2 | lea ecx, dword ptr [0x6ecb]
            // 41b894000000 | mov dword ptr [esp + 0x30], ebx
            // 488908 | push edi
            // 8b0d???????? |
        $sequence_29 = { 740c c785d4feffff3a040000 eb0a c785d4feffffffff1f00 8b4508 50 6a00 }
            // n = 7, score = 100
            // 740c | inc ecx
            // c785d4feffff3a040000 | inc edx
            // eb0a | movzx eax, cl
            // c785d4feffffffff1f00 | dec eax
            // 8b4508 | xor eax, esp
            // 50 | dec eax
            // 6a00 | mov dword ptr [esp + 0x100], eax
        $sequence_30 = { 8888a8a42300 40 ebe9 33c0 8945e4 3d00010000 }
            // n = 6, score = 100
            // 8888a8a42300 | dec eax
            // 40 | add edx, eax
            // ebe9 | dec eax
            // 33c0 | lea edx, dword ptr [edx + 1]
            // 8945e4 | cmp eax, 0x100
            // 3d00010000 | jl 0xfffffff3
        $sequence_31 = { 4863d9 488bf3 48c1fe05 4c8d3d32a50000 83e31f }
            // n = 5, score = 100
            // 4863d9 | dec eax
            // 488bf3 | mov ecx, dword ptr [esp + 0x38]
            // 48c1fe05 | dec eax
            // 4c8d3d32a50000 | lea edx, dword ptr [0x95ac]
            // 83e31f | dec eax
        $sequence_32 = { 8bf1 c745fc00000000 c785acfeffff00000000 6a00 c746140f000000 c7461000000000 }
            // n = 6, score = 100
            // 8bf1 | mov ebp, esp
            // c745fc00000000 | xor eax, eax
            // c785acfeffff00000000 | push eax
            // 6a00 | push 0
            // c746140f000000 | push 0
            // c7461000000000 | push 0
        $sequence_33 = { 8985e4feffff 6a04 6800300000 6804010000 6a00 }
            // n = 5, score = 100
            // 8985e4feffff | mov al, 1
            // 6a04 | dec eax
            // 6800300000 | mov ecx, dword ptr [esp + 0x100]
            // 6804010000 | dec eax
            // 6a00 | xor ecx, esp
        $sequence_34 = { 5d c3 8b04cdaca72300 5d c3 0544ffffff }
            // n = 6, score = 100
            // 5d | inc ecx
            // c3 | and edx, 0x800000ff
            // 8b04cdaca72300 | jge 0xf
            // 5d | inc ecx
            // c3 | dec edx
            // 0544ffffff | jne 0xffffff7b
        $sequence_35 = { 7d10 668b4c4310 66890c4590b22300 40 ebe8 33c0 }
            // n = 6, score = 100
            // 7d10 | dec esp
            // 668b4c4310 | lea ebx, dword ptr [esp + 0x110]
            // 66890c4590b22300 | dec eax
            // 40 | mov dword ptr [esp + 0x20], edi
            // ebe8 | inc ecx
            // 33c0 | push esi
        $sequence_36 = { e8???????? 488d1d2baa0000 4885c0 7404 488d5810 }
            // n = 5, score = 100
            // e8???????? |
            // 488d1d2baa0000 | dec eax
            // 4885c0 | lea ebx, dword ptr [0xaa2b]
            // 7404 | dec eax
            // 488d5810 | test eax, eax
        $sequence_37 = { 741b 488b4c2438 488d15ac950000 ff15???????? 4885c0 }
            // n = 5, score = 100
            // 741b | je 6
            // 488b4c2438 | dec eax
            // 488d15ac950000 | lea ebx, dword ptr [eax + 0x10]
            // ff15???????? |
            // 4885c0 | je 0x1d
        $sequence_38 = { e8???????? 8b4de4 83c40c 6bc930 8975e0 8db1c8a62300 }
            // n = 6, score = 100
            // e8???????? |
            // 8b4de4 | inc esp
            // 83c40c | mov eax, ecx
            // 6bc930 | inc esp
            // 8975e0 | mov ecx, ecx
            // 8db1c8a62300 | inc ecx
        $sequence_39 = { 68e0930400 ffd7 46 83fe64 7c91 6a44 8d44244c }
            // n = 7, score = 100
            // 68e0930400 | push 0
            // ffd7 | push 3
            // 46 | push 0x50
            // 83fe64 | pop ecx
            // 7c91 | pop ebp
            // 6a44 | ret
            // 8d44244c | push ebp
        $sequence_40 = { 57 4883ec20 bf24000000 488d1d24a50000 }
            // n = 4, score = 100
            // 57 | dec eax
            // 4883ec20 | mov esi, ebx
            // bf24000000 | dec eax
            // 488d1d24a50000 | sar esi, 5
        $sequence_41 = { c7465cd8812300 33ff 47 897e14 85c0 7424 }
            // n = 6, score = 100
            // c7465cd8812300 | and edx, 0x800000ff
            // 33ff | jge 0x16
            // 47 | inc ecx
            // 897e14 | dec edx
            // 85c0 | inc ecx
            // 7424 | or edx, 0xffffff00
        $sequence_42 = { 51 6a00 6a00 8b95e4feffff 52 ff95dcfeffff 8985ecfeffff }
            // n = 7, score = 100
            // 51 | dec esp
            // 6a00 | mov ebx, dword ptr [esp + 0x140]
            // 6a00 | xor ecx, ecx
            // 8b95e4feffff | dec ecx
            // 52 | arpl cx, bp
            // ff95dcfeffff | inc esp
            // 8985ecfeffff | add edx, edx
        $sequence_43 = { 4883ec30 bf01000000 8bcf e8???????? b84d5a0000 66390502deffff 7404 }
            // n = 7, score = 100
            // 4883ec30 | (annotation missing from the generated output)
            // bf01000000 | mov edi, 1
            // 8bcf | mov ecx, edi
            // e8???????? |
            // b84d5a0000 | mov eax, 0x5a4d
            // 66390502deffff | cmp word ptr [0xffffde02], ax
            // 7404 | je 6
            // NOTE(review): unlike most sequences, these annotations line up with
            // the bytes. 0x5a4d is the ASCII "MZ" magic, so this looks like a
            // check of a DOS/PE header in memory -- useful context when triaging
            // a hit, but confirm against the sample.
        $sequence_44 = { 7941 488d0dcb6e0000 895c2430 ff15???????? }
            // n = 4, score = 100
            // 7941 | test eax, eax
            // 488d0dcb6e0000 | dec eax
            // 895c2430 | arpl cx, bx
            // ff15???????? |
        $sequence_45 = { 00984e4000bc 4e 40 0023 }
            // n = 4, score = 100
            // 00984e4000bc | push 0
            // 4e | push 0x104
            // 40 | push 0x104
            // 0023 | mov edi, eax
    condition:
        // At least 7 of the 46 opcode sequences must be present; the filesize
        // bound (262144 = 256 KiB) keeps scanning cheap and narrows matches to
        // small unpacked payloads / dumps.
        7 of them and filesize < 262144
}