There is no description at this point.
There are currently no references.
rule win_skyplex_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.skyplex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The byte sequences below were selected automatically by YARA-Signator
     * from the disassembly of memory dumps and unpacked files; the generator
     * and its documentation live at https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source, and for a number of families only a single
     * sample is documented, which limits how well these rules generalize.
     * Weigh the generation method when assigning confidence to matches.
     *
     * Reviewer notes (for consumers of this rule):
     *  - The sequences come from unpacked code, so the rule is most useful
     *    on memory images and unpacked samples; it is unlikely to fire on a
     *    packed on-disk binary (inferred from the disclaimer above).
     *  - The ???????? wildcards stand in for call/jump targets and memory
     *    operands that vary between builds; they are not free bytes.
     *  - $sequence_4, $sequence_8 and $sequence_9 embed absolute image
     *    addresses (0x419c64, 0x41afc0, 0x4145b0 ...), so they are presumably
     *    tied to one build/image base - expect the other sequences to carry
     *    matches on differently linked variants (assumption, confirm on corpus).
     *  - The condition caps filesize at 262144 bytes (256 KiB); files above
     *    that are skipped regardless of content.
     */

    strings:
        // n = 6, score = 100
        //   52           push edx
        //   e8????????   (call, target wildcarded)
        //   83c408       add esp, 8
        //   85c0         test eax, eax
        //   7430         je 0x32
        //   68????????   (push imm32, wildcarded)
        $sequence_0 = { 52 e8???????? 83c408 85c0 7430 68???????? }

        // n = 7, score = 100
        //   68????????     (push imm32, wildcarded)
        //   8d9538f7ffff   lea edx, [ebp - 0x8c8]
        //   52             push edx
        //   e8????????     (call, target wildcarded)
        //   83c408         add esp, 8
        //   85c0           test eax, eax
        //   0f8490000000   je 0x96
        $sequence_1 = { 68???????? 8d9538f7ffff 52 e8???????? 83c408 85c0 0f8490000000 }

        // n = 7, score = 100
        //   8d45fc         lea eax, [ebp - 4]
        //   50             push eax
        //   8d8d30ffffff   lea ecx, [ebp - 0xd0]
        //   51             push ecx
        //   ff15????????   (indirect call, operand wildcarded)
        //   8d9530ffffff   lea edx, [ebp - 0xd0]
        //   52             push edx
        $sequence_2 = { 8d45fc 50 8d8d30ffffff 51 ff15???????? 8d9530ffffff 52 }

        // n = 6, score = 100
        //   85c0           test eax, eax
        //   0f85d0000000   jne 0xd6
        //   68????????     (push imm32, wildcarded)
        //   8d85b0f9ffff   lea eax, [ebp - 0x650]
        //   50             push eax
        //   e8????????     (call, target wildcarded)
        $sequence_3 = { 85c0 0f85d0000000 68???????? 8d85b0f9ffff 50 e8???????? }

        // n = 5, score = 100 (contains absolute address 0x419c64)
        //   89430c         mov dword ptr [ebx + 0xc], eax
        //   8d4310         lea eax, [ebx + 0x10]
        //   8d89649c4100   lea ecx, [ecx + 0x419c64]
        //   5a             pop edx
        //   668b31         mov si, word ptr [ecx]
        $sequence_4 = { 89430c 8d4310 8d89649c4100 5a 668b31 }

        // n = 5, score = 100
        //   8d95b0f9ffff   lea edx, [ebp - 0x650]
        //   52             push edx
        //   e8????????     (call, target wildcarded)
        //   83c408         add esp, 8
        //   85c0           test eax, eax
        $sequence_5 = { 8d95b0f9ffff 52 e8???????? 83c408 85c0 }

        // n = 5, score = 100
        //   83c201           add edx, 1
        //   88953ff6ffff     mov byte ptr [ebp - 0x9c1], dl
        //   8d8d38f6ffff     lea ecx, [ebp - 0x9c8]
        //   e8????????       (call, target wildcarded)
        //   0fb6853ff6ffff   movzx eax, byte ptr [ebp - 0x9c1]
        $sequence_6 = { 83c201 88953ff6ffff 8d8d38f6ffff e8???????? 0fb6853ff6ffff }

        // n = 4, score = 100
        //   752b         jne 0x2d
        //   e8????????   (call, target wildcarded)
        //   0fb6d0       movzx edx, al
        //   85d2         test edx, edx
        $sequence_7 = { 752b e8???????? 0fb6d0 85d2 }

        // n = 7, score = 100 (contains absolute address 0x41afc0)
        //   8b36             mov esi, dword ptr [esi]
        //   8bce             mov ecx, esi
        //   c1f905           sar ecx, 5
        //   8b0c8dc0af4100   mov ecx, dword ptr [ecx*4 + 0x41afc0]
        //   83e61f           and esi, 0x1f
        //   c1e606           shl esi, 6
        //   89040e           mov dword ptr [esi + ecx], eax
        $sequence_8 = { 8b36 8bce c1f905 8b0c8dc0af4100 83e61f c1e606 89040e }

        // n = 5, score = 100 (contains absolute addresses 0x4145b0 .. 0x414680)
        //   c7851cf7ffff04000000   mov dword ptr [ebp - 0x8e4], 4
        //   c78520f7ffffb0454100   mov dword ptr [ebp - 0x8e0], 0x4145b0
        //   c78524f7ffffe8454100   mov dword ptr [ebp - 0x8dc], 0x4145e8
        //   c78528f7ffff30464100   mov dword ptr [ebp - 0x8d8], 0x414630
        //   c7852cf7ffff80464100   mov dword ptr [ebp - 0x8d4], 0x414680
        $sequence_9 = { c7851cf7ffff04000000 c78520f7ffffb0454100 c78524f7ffffe8454100 c78528f7ffff30464100 c7852cf7ffff80464100 }

    condition:
        // Every string is named $sequence_N, so this is the same set as "them".
        7 of ($sequence_*) and filesize < 262144
}