Actor(s): Turla Group
There is no description at this point.
rule win_skipper_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.skipper." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 6a00 6a03 68???????? 68???????? 6a50 } // n = 6, score = 600 // 6a00 | add eax, esi // 6a00 | inc ecx // 6a03 | and eax, 0x800000ff // 68???????? | // 68???????? | // 6a50 | jge 0x19 $sequence_1 = { ff15???????? 6a00 6a00 6a00 6a00 50 } // n = 6, score = 500 // ff15???????? | // 6a00 | push 3 // 6a00 | push 0x50 // 6a00 | add esp, 4 // 6a00 | push 0 // 50 | push 0x64 $sequence_2 = { 59 5d c3 55 8bec 33c0 50 } // n = 7, score = 500 // 59 | push edx // 5d | push eax // c3 | add esp, 4 // 55 | push 0 // 8bec | push 0x64 // 33c0 | push edx // 50 | push eax $sequence_3 = { e8???????? 6804010000 e8???????? 6804010000 8bf8 6a00 } // n = 6, score = 500 // e8???????? | // 6804010000 | push eax // e8???????? | // 6804010000 | add esp, 4 // 8bf8 | push 0 // 6a00 | push 0x64 $sequence_4 = { 41 0fb6840dfcfeffff 0385f8feffff 898df4feffff 25ff000080 7907 } // n = 6, score = 400 // 41 | push 0 // 0fb6840dfcfeffff | push 0 // 0385f8feffff | push 0 // 898df4feffff | push eax // 25ff000080 | push ebx // 7907 | push esi $sequence_5 = { 53 56 57 6804010000 c644241300 e8???????? } // n = 6, score = 400 // 53 | movzx edx, byte ptr [ebp + ecx - 0x110] // 56 | movzx eax, byte ptr [ebp - 4] // 57 | movzx ecx, byte ptr [ebp + eax - 0x110] // 6804010000 | add edx, ecx // c644241300 | and edx, 0x800000ff // e8???????? | $sequence_6 = { 6804010000 6a00 57 e8???????? 6a32 6a00 } // n = 6, score = 400 // 6804010000 | xor edx, eax // 6a00 | mov ecx, dword ptr [ebp + 0x18] // 57 | add ecx, dword ptr [ebp - 0x124] // e8???????? | // 6a32 | mov byte ptr [ecx], dl // 6a00 | jge 0xd5 $sequence_7 = { 03d8 03d9 81e3ff000080 7908 4b } // n = 5, score = 400 // 03d8 | mov eax, dword ptr [ebp - 8] // 03d9 | add eax, 1 // 81e3ff000080 | and eax, 0x800000ff // 7908 | jns 0x14 // 4b | dec eax $sequence_8 = { 6800308000 6a00 6a00 68???????? } // n = 4, score = 300 // 6800308000 | push 0 // 6a00 | push eax // 6a00 | push 0 // 68???????? | $sequence_9 = { 83c404 6a00 6a64 52 } // n = 4, score = 300 // 83c404 | add edx, eax // 6a00 | movzx eax, byte ptr [edx] // 6a64 | inc ecx // 52 | mov byte ptr [eax], al $sequence_10 = { 4833cc e8???????? 4c8d9c2410010000 498b5b10 498b6b18 498b7320 498b7b28 } // n = 7, score = 200 // 4833cc | movzx ecx, byte ptr [eax] // e8???????? | // 4c8d9c2410010000 | sar edx, 2 // 498b5b10 | mov eax, edx // 498b6b18 | shr eax, 0x1f // 498b7320 | add edx, eax // 498b7b28 | inc ecx $sequence_11 = { 0f8dcf000000 8b45f8 83c001 25ff000080 7907 48 } // n = 6, score = 200 // 0f8dcf000000 | push edi // 8b45f8 | lea eax, [ebp - 0x110] // 83c001 | push eax // 25ff000080 | ret // 7907 | mov eax, dword ptr [ecx*8 + 0x23a7ac] // 48 | pop ebp $sequence_12 = { 410fb6c0 488d1424 41ffc1 4803d0 } // n = 4, score = 200 // 410fb6c0 | mov eax, 0x800 // 488d1424 | dec eax // 41ffc1 | mov ebx, eax // 4803d0 | dec eax $sequence_13 = { 85ed 0f8e8e000000 492bfb ffc1 } // n = 4, score = 200 // 85ed | dec ecx // 0f8e8e000000 | sub eax, esi // 492bfb | dec eax // ffc1 | sar eax, 1 $sequence_14 = { 0fb6c1 4c8d0424 488d1424 4c03c0 410fb6c2 450fb608 } // n = 6, score = 200 // 0fb6c1 | lea edx, [0xb282] // 4c8d0424 | dec eax // 488d1424 | sar eax, 5 // 4c03c0 | and ecx, 0x1f // 410fb6c2 | dec esp // 450fb608 | lea eax, [0x9809] $sequence_15 = { 8b85e0feffff 8a8c15f0feffff 888c05f0feffff 0fb695e8feffff 8a85effeffff 888415f0feffff e9???????? } // n = 7, score = 200 // 8b85e0feffff | mov al, byte ptr [ebx] // 8a8c15f0feffff | mov eax, ebx // 888c05f0feffff | xor eax, eax // 0fb695e8feffff | mov dword ptr [ebp - 0x1c], esi // 8a85effeffff | xor eax, eax // 888415f0feffff | cmp dword ptr [eax + 0x23a6b8], edi // e9???????? | $sequence_16 = { 4833c4 4889842400010000 4c8b9c2440010000 33c9 4963e9 } // n = 5, score = 200 // 4833c4 | mov eax, ecx // 4889842400010000 | lea edx, [edx + edx*4] // 4c8b9c2440010000 | test ebp, ebp // 33c9 | jle 0x94 // 4963e9 | dec ecx $sequence_17 = { 68???????? a1???????? 50 68???????? e8???????? 83c414 } // n = 6, score = 200 // 68???????? | // a1???????? | // 50 | cmp byte ptr [ebp - 0x135], 0 // 68???????? | // e8???????? | // 83c414 | jne 0xffffffe3 $sequence_18 = { 8a8c05f0feffff 888deffeffff 0fb695e8feffff 8b85e0feffff 8a8c15f0feffff 888c05f0feffff } // n = 6, score = 200 // 8a8c05f0feffff | and esi, 0x1f // 888deffeffff | shl esi, 6 // 0fb695e8feffff | add esi, dword ptr [eax*4 + 0x23b720] // 8b85e0feffff | mov eax, dword ptr [ebp - 0x1c] // 8a8c15f0feffff | mov eax, dword ptr [eax] // 888c05f0feffff | mov dword ptr [esi], eax $sequence_19 = { 0fb6940df0feffff 0fb645fc 0fb68c05f0feffff 03d1 81e2ff000080 } // n = 5, score = 200 // 0fb6940df0feffff | xor ecx, ecx // 0fb645fc | cmp eax, dword ptr [ecx*8 + 0x23a7a8] // 0fb68c05f0feffff | je 0x23 // 03d1 | mov eax, dword ptr [ebp - 4] // 81e2ff000080 | push dword ptr [eax*8 + 0x23a91c] $sequence_20 = { 4403c0 4403c6 4181e0ff000080 7d0d 41ffc8 } // n = 5, score = 200 // 4403c0 | sub edi, ebx // 4403c6 | inc ecx // 4181e0ff000080 | sub eax, edx // 7d0d | dec eax // 41ffc8 | arpl ax, dx $sequence_21 = { 33d0 8b4d18 038ddcfeffff 8811 } // n = 4, score = 200 // 33d0 | push ebx // 8b4d18 | push edi // 038ddcfeffff | xor eax, ebp // 8811 | mov dword ptr [ebp - 4], eax $sequence_22 = { 8a8415f0feffff 8885eefeffff 8b4d10 038ddcfeffff 0fbe11 0fb685eefeffff 33d0 } // n = 7, score = 200 // 8a8415f0feffff | push 0x104 // 8885eefeffff | push 0 // 8b4d10 | push edi // 038ddcfeffff | push 0x32 // 0fbe11 | push 0 // 0fb685eefeffff | add ebx, eax // 33d0 | add ebx, ecx $sequence_23 = { c1fa02 8bc2 c1e81f 03d0 418bc1 8d1492 } // n = 6, score = 200 // c1fa02 | dec eax // 8bc2 | lea ecx, [ecx + eax*2] // c1e81f | inc ecx // 03d0 | mov ecx, 3 // 418bc1 | dec eax // 8d1492 | mov eax, ecx $sequence_24 = { 2bc2 4863d0 420fb60432 4403c0 4403c6 } // n = 5, score = 200 // 2bc2 | jne 0xf9 // 4863d0 | dec eax // 420fb60432 | lea ecx, [0x5920] // 4403c0 | xor edx, edx // 4403c6 | inc ecx $sequence_25 = { e9???????? c785dcfeffff00000000 eb0f 8b8ddcfeffff } // n = 4, score = 200 // e9???????? | // c785dcfeffff00000000 | and ebx, 0x800000ff // eb0f | jns 0x12 // 8b8ddcfeffff | dec ebx $sequence_26 = { 488bc8 ff15???????? 488d15e1580000 488bcb 488905???????? ff15???????? 488bc8 } // n = 7, score = 100 // 488bc8 | dec eax // ff15???????? | // 488d15e1580000 | mov ecx, eax // 488bcb | dec eax // 488905???????? | // ff15???????? | // 488bc8 | lea edx, [0x58e1] $sequence_27 = { 80bdcbfeffff00 75e1 8bbdccfeffff 8b0d???????? 890f 8b15???????? 895704 } // n = 7, score = 100 // 80bdcbfeffff00 | add eax, esi // 75e1 | inc ecx // 8bbdccfeffff | inc eax // 8b0d???????? | // 890f | inc ecx // 8b15???????? | // 895704 | movzx eax, al $sequence_28 = { 8bc3 e8???????? 33c0 e9???????? 8975e4 33c0 39b8b8a62300 } // n = 7, score = 100 // 8bc3 | inc edx // e8???????? | // 33c0 | movzx eax, byte ptr [edx + esi] // e9???????? | // 8975e4 | inc esp // 33c0 | add eax, eax // 39b8b8a62300 | inc esp $sequence_29 = { 83c205 8d0c07 81f904010000 8b4dec 72c0 6804010000 e8???????? } // n = 7, score = 100 // 83c205 | push ebx // 8d0c07 | push eax // 81f904010000 | push 0 // 8b4dec | push 0 // 72c0 | push 3 // 6804010000 | push 0x50 // e8???????? | $sequence_30 = { 0f85f3000000 488d0d20590000 33d2 41b800080000 ff15???????? 488bd8 } // n = 6, score = 100 // 0f85f3000000 | mov edx, ecx // 488d0d20590000 | jne 0xe // 33d2 | dec eax // 41b800080000 | lea ecx, [0xe9ee] // ff15???????? | // 488bd8 | jmp 0x10 $sequence_31 = { 83c404 83bc24a800000010 c78424f00000000f000000 c78424ec00000000000000 c68424dc00000000 720f ffb42494000000 } // n = 7, score = 100 // 83c404 | push 0 // 83bc24a800000010 | push 0x104 // c78424f00000000f000000 | push 0x104 // c78424ec00000000000000 | mov edi, eax // c68424dc00000000 | push 0 // 720f | push edi // ffb42494000000 | push 0x50 $sequence_32 = { ffd6 e8???????? e9???????? 6804010000 e8???????? 83c404 } // n = 6, score = 100 // ffd6 | push 0 // e8???????? | // e9???????? | // 6804010000 | push 0 // e8???????? | // 83c404 | push 0 $sequence_33 = { 488d0559900000 488981a0000000 83611000 c7411c01000000 c781c800000001000000 b843000000 } // n = 6, score = 100 // 488d0559900000 | dec eax // 488981a0000000 | mov ecx, ebx // 83611000 | dec eax // c7411c01000000 | mov ecx, eax // c781c800000001000000 | dec eax // b843000000 | lea eax, [0x9059] $sequence_34 = { 488b442450 488d0d54a90000 488b0cc1 4c8d4c244c 488d9520060000 498b0c0c } // n = 6, score = 100 // 488b442450 | mov eax, 0x43 // 488d0d54a90000 | dec esp // 488b0cc1 | lea esi, [0xa47c] // 4c8d4c244c | dec ecx // 488d9520060000 | cmp dword ptr [esi + ebx*8], 0 // 498b0c0c | je 0xe $sequence_35 = { 89442420 488bd1 7509 488d0deee90000 eb02 } // n = 5, score = 100 // 89442420 | mov eax, 1 // 488bd1 | jmp 0x6a // 7509 | dec eax // 488d0deee90000 | mov eax, dword ptr [esp + 0x50] // eb02 | dec eax $sequence_36 = { 4c8d0509980000 488d0c41 41b903000000 488bc1 492bc6 48d1f8 } // n = 6, score = 100 // 4c8d0509980000 | dec eax // 488d0c41 | lea edx, [ebp + 0x620] // 41b903000000 | dec ecx // 488bc1 | mov ecx, dword ptr [esp + ecx] // 492bc6 | mov dword ptr [esp + 0x20], eax // 48d1f8 | dec eax $sequence_37 = { 8888b0a52300 40 ebe6 ff35???????? } // n = 4, score = 100 // 8888b0a52300 | mov dword ptr [esp + 0x100], eax // 40 | dec esp // ebe6 | mov ebx, dword ptr [esp + 0x140] // ff35???????? | $sequence_38 = { 55 8bec 8b4508 33c9 3b04cda8a72300 7413 } // n = 6, score = 100 // 55 | dec eax // 8bec | lea edx, [esp] // 8b4508 | inc ecx // 33c9 | inc ecx // 3b04cda8a72300 | dec eax // 7413 | xor ecx, esp $sequence_39 = { c3 8b04cdaca72300 5d c3 } // n = 4, score = 100 // c3 | mov edi, dword ptr [ebx + 0x28] // 8b04cdaca72300 | dec eax // 5d | xor eax, esp // c3 | dec eax $sequence_40 = { a1???????? 33c5 8945fc 57 8d85f0feffff 50 } // n = 6, score = 100 // a1???????? | // 33c5 | dec ecx // 8945fc | mov ebp, dword ptr [ebx + 0x18] // 57 | dec ecx // 8d85f0feffff | mov esi, dword ptr [ebx + 0x20] // 50 | dec ecx $sequence_41 = { 488bcb 488bc3 488d1582b20000 48c1f805 83e11f } // n = 5, score = 100 // 488bcb | lea ecx, [0xa954] // 488bc3 | dec eax // 488d1582b20000 | mov ecx, dword ptr [ecx + eax*8] // 48c1f805 | dec esp // 83e11f | lea ecx, [esp + 0x4c] $sequence_42 = { 8b45fc ff34c51ca92300 53 57 } // n = 4, score = 100 // 8b45fc | dec esp // ff34c51ca92300 | lea ebx, [esp + 0x110] // 53 | dec ecx // 57 | mov ebx, dword ptr [ebx + 0x10] $sequence_43 = { 4c8d357ca40000 49833cde00 7407 b801000000 eb5c } // n = 5, score = 100 // 4c8d357ca40000 | dec eax // 49833cde00 | mov dword ptr [ecx + 0xa0], eax // 7407 | and dword ptr [ecx + 0x10], 0 // b801000000 | mov dword ptr [ecx + 0x1c], 1 // eb5c | mov dword ptr [ecx + 0xc8], 1 $sequence_44 = { 83e61f c1e606 03348520b72300 8b45e4 8b00 8906 8a03 } // n = 7, score = 100 // 83e61f | arpl ax, dx // c1e606 | inc edx // 03348520b72300 | movzx eax, byte ptr [edx + esi] // 8b45e4 | add edx, edx // 8b00 | sub eax, edx // 8906 | dec eax // 8a03 | arpl ax, dx condition: 7 of them and filesize < 262144 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY