Actor(s): Turla Group
There is no description at this point.
rule win_skipper_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.skipper." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 6a03 68???????? 68???????? 6a50 } // n = 5, score = 600 // 6a00 | push 0 // 6a03 | push 3 // 68???????? | // 68???????? | // 6a50 | push 0x50 $sequence_1 = { 59 5d c3 55 8bec 33c0 50 } // n = 7, score = 500 // 59 | pop ecx // 5d | pop ebp // c3 | ret // 55 | push ebp // 8bec | mov ebp, esp // 33c0 | xor eax, eax // 50 | push eax $sequence_2 = { ff15???????? 6a00 6a00 6a00 6a00 50 } // n = 6, score = 500 // ff15???????? | // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 // 50 | push eax $sequence_3 = { 6804010000 e8???????? 6804010000 8bf8 6a00 57 e8???????? } // n = 7, score = 500 // 6804010000 | push 0x104 // e8???????? | // 6804010000 | push 0x104 // 8bf8 | mov edi, eax // 6a00 | push 0 // 57 | push edi // e8???????? | $sequence_4 = { 03c8 0fb601 8802 8819 0fb60a 0fb6c3 03c8 } // n = 7, score = 400 // 03c8 | add ecx, eax // 0fb601 | movzx eax, byte ptr [ecx] // 8802 | mov byte ptr [edx], al // 8819 | mov byte ptr [ecx], bl // 0fb60a | movzx ecx, byte ptr [edx] // 0fb6c3 | movzx eax, bl // 03c8 | add ecx, eax $sequence_5 = { 53 8b5d08 56 8b750c 57 53 6a00 } // n = 7, score = 400 // 53 | push ebx // 8b5d08 | mov ebx, dword ptr [ebp + 8] // 56 | push esi // 8b750c | mov esi, dword ptr [ebp + 0xc] // 57 | push edi // 53 | push ebx // 6a00 | push 0 $sequence_6 = { e8???????? 57 6a1b 68???????? b9???????? } // n = 5, score = 400 // e8???????? | // 57 | push edi // 6a1b | push 0x1b // 68???????? | // b9???????? | $sequence_7 = { e8???????? 57 e8???????? 83c428 8d4601 90 8a0e } // n = 7, score = 400 // e8???????? | // 57 | push edi // e8???????? | // 83c428 | add esp, 0x28 // 8d4601 | lea eax, dword ptr [esi + 1] // 90 | nop // 8a0e | mov cl, byte ptr [esi] $sequence_8 = { 83c404 6a00 6a64 52 50 } // n = 5, score = 300 // 83c404 | mov byte ptr [ecx], 0 // 6a00 | sub esp, 0x18 // 6a64 | mov ecx, esp // 52 | mov byte ptr [ebp - 4], 3 // 50 | mov dword ptr [ebp - 0x14], esp $sequence_9 = { 53 e8???????? 6804010000 e8???????? } // n = 4, score = 300 // 53 | push 0x50 // e8???????? | // 6804010000 | push 3 // e8???????? | $sequence_10 = { 6800308000 6a00 6a00 68???????? } // n = 4, score = 300 // 6800308000 | push 0 // 6a00 | push 0 // 6a00 | push 3 // 68???????? | $sequence_11 = { 408832 4181f900010000 7c9a 488bdd 85ed } // n = 5, score = 200 // 408832 | add edx, edx // 4181f900010000 | inc ecx // 7c9a | and edx, 0x800000ff // 488bdd | jge 0x16 // 85ed | inc ecx $sequence_12 = { 8b85e0feffff 99 f77d0c 8b4508 0fb61410 03ca 81e1ff000080 } // n = 7, score = 200 // 8b85e0feffff | mov edx, dword ptr [ebp - 0x11c] // 99 | push edx // f77d0c | mov dword ptr [ebp - 0x128], eax // 8b4508 | push 0 // 0fb61410 | push 0x104 // 03ca | lea eax, dword ptr [ebp - 0x110] // 81e1ff000080 | push eax $sequence_13 = { 4c03c0 410fb6c2 450fb608 4803d0 } // n = 4, score = 200 // 4c03c0 | inc ecx // 410fb6c2 | add edx, ecx // 450fb608 | movzx edx, byte ptr [esp + eax] // 4803d0 | inc esp $sequence_14 = { 3b5514 0f8dcf000000 8b45f8 83c001 25ff000080 } // n = 5, score = 200 // 3b5514 | lea ecx, dword ptr [ecx + 0x23a6bc] // 0f8dcf000000 | pop edx // 8b45f8 | mov si, word ptr [ecx] // 83c001 | sar eax, 5 // 25ff000080 | and esi, 0x1f $sequence_15 = { e8???????? 4c8d9c2410010000 498b5b10 498b6b18 } // n = 4, score = 200 // e8???????? | // 4c8d9c2410010000 | dec eax // 498b5b10 | add edx, eax // 498b6b18 | movzx eax, byte ptr [edx] $sequence_16 = { c1e81f 03d0 418bc1 8d1492 } // n = 4, score = 200 // c1e81f | lea edx, dword ptr [esp] // 03d0 | inc ecx // 418bc1 | mov eax, ecx // 8d1492 | lea edx, dword ptr [edx + edx*4] $sequence_17 = { 33c9 4963e9 498bf8 488d1424 } // n = 4, score = 200 // 33c9 | inc esp // 4963e9 | add eax, esi // 498bf8 | inc ecx // 488d1424 | and eax, 0x800000ff $sequence_18 = { 0fb61404 4403d2 4181e2ff000080 7d0d 41ffca 4181ca00ffffff 41ffc2 } // n = 7, score = 200 // 0fb61404 | inc esp // 4403d2 | add eax, eax // 4181e2ff000080 | shr eax, 0x1f // 7d0d | add edx, eax // 41ffca | inc ecx // 4181ca00ffffff | mov eax, ecx // 41ffc2 | lea edx, dword ptr [edx + edx*4] $sequence_19 = { 2bc2 4863d0 420fb60432 4403c0 4403c6 4181e0ff000080 7d0d } // n = 7, score = 200 // 2bc2 | sub eax, edx // 4863d0 | dec eax // 420fb60432 | arpl ax, dx // 4403c0 | inc edx // 4403c6 | movzx eax, byte ptr [edx + esi] // 4181e0ff000080 | inc esp // 7d0d | add eax, eax $sequence_20 = { 8885eefeffff 8b4d10 038ddcfeffff 0fbe11 } // n = 4, score = 200 // 8885eefeffff | mov cl, byte ptr [eax + ebx + 0x11d] // 8b4d10 | mov byte ptr [eax + 0x23a5b0], cl // 038ddcfeffff | inc eax // 0fbe11 | jmp 0xffffffef $sequence_21 = { 42 8955fc 0fb645f8 8a8c05f0feffff } // n = 4, score = 200 // 42 | push 0 // 8955fc | push 3 // 0fb645f8 | push 0x50 // 8a8c05f0feffff | push 3 $sequence_22 = { 888415f0feffff 0fb64df8 0fb6940df0feffff 0fb645fc } // n = 4, score = 200 // 888415f0feffff | push 0 // 0fb64df8 | push 0x64 // 0fb6940df0feffff | add esp, 4 // 0fb645fc | push 0 $sequence_23 = { 81ec24010000 a1???????? 33c5 8945f4 c745f800000000 c745fc00000000 c785e4feffff00000000 } // n = 7, score = 200 // 81ec24010000 | xor eax, ebp // a1???????? | // 33c5 | mov dword ptr [ebp - 0xc], eax // 8945f4 | push 0 // c745f800000000 | push 0 // c745fc00000000 | push 3 // c785e4feffff00000000 | push 0x50 $sequence_24 = { 8a8c05f0feffff 888deffeffff 0fb655fc 0fb645f8 8a8c15f0feffff 888c05f0feffff 0fb655fc } // n = 7, score = 200 // 8a8c05f0feffff | mov ecx, dword ptr [ebp - 0x128] // 888deffeffff | push esi // 0fb655fc | push edi // 0fb645f8 | xor edi, edi // 8a8c15f0feffff | lea esi, dword ptr [edi + 0x23a9d0] // 888c05f0feffff | push dword ptr [esi] // 0fb655fc | lea eax, dword ptr [ebx + 0x10] $sequence_25 = { 4803d0 0fb602 418800 44880a 410fb610 4103d1 } // n = 6, score = 200 // 4803d0 | add edx, edx // 0fb602 | sub eax, edx // 418800 | dec eax // 44880a | arpl ax, dx // 410fb610 | inc edx // 4103d1 | movzx eax, byte ptr [edx + esi] $sequence_26 = { 8b85e0feffff 8a8c15f0feffff 888c05f0feffff 0fb695e8feffff 8a85effeffff 888415f0feffff } // n = 6, score = 200 // 8b85e0feffff | add edi, 0x18 // 8a8c15f0feffff | call dword ptr [ebp - 0x124] // 888c05f0feffff | mov dword ptr [ebp - 0x114], eax // 0fb695e8feffff | push 0x8000 // 8a85effeffff | push 0x104 // 888415f0feffff | jge 0x12 $sequence_27 = { c60100 e8???????? 83ec18 8bcc c645fc03 8965ec 6aff } // n = 7, score = 100 // c60100 | pop ebp // e8???????? | // 83ec18 | ret // 8bcc | push ebp // c645fc03 | mov ebp, esp // 8965ec | xor eax, eax // 6aff | push eax $sequence_28 = { ff15???????? 85c0 75bc 53 50 68ffff1f00 ffd6 } // n = 7, score = 100 // ff15???????? | // 85c0 | push 0x50 // 75bc | push 0 // 53 | push 0 // 50 | push 0 // 68ffff1f00 | push 0 // ffd6 | pop ecx $sequence_29 = { 8d4310 8d89bca62300 5a 668b31 } // n = 4, score = 100 // 8d4310 | push 0 // 8d89bca62300 | push 0x803000 // 5a | push 0 // 668b31 | push 0 $sequence_30 = { e8???????? 59 59 8b7508 8d34f570a02300 391e } // n = 6, score = 100 // e8???????? | // 59 | push edi // 59 | push 0x104 // 8b7508 | push 0x104 // 8d34f570a02300 | mov edi, eax // 391e | push 0 $sequence_31 = { 8b95e4feffff 52 ff15???????? 8985d8feffff } // n = 4, score = 100 // 8b95e4feffff | push 0 // 52 | push 0 // ff15???????? | // 8985d8feffff | push 0 $sequence_32 = { 751e 8d04f570a02300 8938 68a00f0000 ff30 83c718 e8???????? } // n = 7, score = 100 // 751e | push 0 // 8d04f570a02300 | push 0 // 8938 | push 0 // 68a00f0000 | push 0 // ff30 | push eax // 83c718 | push 0x104 // e8???????? | $sequence_33 = { 7d10 8a8c181d010000 8888b0a52300 40 ebe6 } // n = 5, score = 100 // 7d10 | push 0x104 // 8a8c181d010000 | push 0x104 // 8888b0a52300 | mov edi, eax // 40 | push 0 // ebe6 | push eax $sequence_34 = { 4c8d3528ba0000 488b0d???????? eb7b 4c8d3510ba0000 488b0d???????? eb6b e8???????? } // n = 7, score = 100 // 4c8d3528ba0000 | inc edx // 488b0d???????? | // eb7b | dec esp // 4c8d3510ba0000 | lea ebx, dword ptr [esp + 0x110] // 488b0d???????? | // eb6b | dec ecx // e8???????? | $sequence_35 = { 56 57 33ff 8db7d0a92300 ff36 e8???????? } // n = 6, score = 100 // 56 | push 0x104 // 57 | push 0x104 // 33ff | mov edi, eax // 8db7d0a92300 | push 0 // ff36 | push edi // e8???????? | $sequence_36 = { 488d3d94e80000 41b804010000 33c9 488bd7 } // n = 4, score = 100 // 488d3d94e80000 | inc eax // 41b804010000 | mov byte ptr [edx], dh // 33c9 | inc ecx // 488bd7 | cmp ecx, 0x100 $sequence_37 = { ff95dcfeffff 8985ecfeffff 6800800000 6804010000 } // n = 4, score = 100 // ff95dcfeffff | push 0x104 // 8985ecfeffff | mov edi, eax // 6800800000 | push 0 // 6804010000 | push edi $sequence_38 = { 8938 e8???????? 488d1d2baa0000 4885c0 } // n = 4, score = 100 // 8938 | add edx, eax // e8???????? | // 488d1d2baa0000 | inc ecx // 4885c0 | mov eax, ecx $sequence_39 = { 7516 488d0590a50000 488b4c2430 483bc8 7405 } // n = 5, score = 100 // 7516 | mov ebx, dword ptr [ebx + 0x10] // 488d0590a50000 | dec ecx // 488b4c2430 | mov ebp, dword ptr [ebx + 0x18] // 483bc8 | mov eax, edx // 7405 | shr eax, 0x1f $sequence_40 = { c3 4053 4883ec20 488bd9 e8???????? 488d054fae0000 488903 } // n = 7, score = 100 // c3 | lea edx, dword ptr [edx + edx*4] // 4053 | add edx, edx // 4883ec20 | dec esp // 488bd9 | add eax, eax // e8???????? | // 488d054fae0000 | inc ecx // 488903 | movzx eax, dl $sequence_41 = { 6a00 6804010000 8d85f0feffff 50 8b8dd8feffff } // n = 5, score = 100 // 6a00 | push 0 // 6804010000 | push eax // 8d85f0feffff | push 0x104 // 50 | push 0x104 // 8b8dd8feffff | mov edi, eax $sequence_42 = { 4803db 4c8d357ca40000 49833cde00 7407 } // n = 4, score = 100 // 4803db | jl 0xffffffa3 // 4c8d357ca40000 | dec eax // 49833cde00 | mov ebx, ebp // 7407 | test ebp, ebp $sequence_43 = { 48895f10 488d1517da0000 480f45d0 881f } // n = 4, score = 100 // 48895f10 | inc ebp // 488d1517da0000 | movzx ecx, byte ptr [eax] // 480f45d0 | dec eax // 881f | add edx, eax $sequence_44 = { 488b8eb8000000 4c8d352ca40000 f0ff09 7511 488b8eb8000000 493bce 7405 } // n = 7, score = 100 // 488b8eb8000000 | inc ecx // 4c8d352ca40000 | or edx, 0xffffff00 // f0ff09 | inc ecx // 7511 | inc edx // 488b8eb8000000 | movzx eax, cl // 493bce | dec esp // 7405 | lea eax, dword ptr [esp] condition: 7 of them and filesize < 262144 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY