SYMBOLCOMMON_NAMEaka. SYNONYMS
win.slave (Back to overview)

Slave


There is no description at this point.

References
2015-03-07CERT.PLŁukasz Siewierski
@online{siewierski:20150307:slave:fa94a3f, author = {Łukasz Siewierski}, title = {{Slave, Banatrix and ransomware}}, date = {2015-03-07}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/}, language = {English}, urldate = {2019-11-23} } Slave, Banatrix and ransomware
Slave
Yara Rules
[TLP:WHITE] win_slave_auto (20220808 | Detects win.slave.)
rule win_slave_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.slave."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03da c1c00a c1c90d 33c8 895dd8 8b45f8 }
            // n = 6, score = 300
            //   03da                 | add                 ebx, edx
            //   c1c00a               | rol                 eax, 0xa
            //   c1c90d               | ror                 ecx, 0xd
            //   33c8                 | xor                 ecx, eax
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_1 = { 747b 83ff04 7619 33c0 8d4ffc 8945ec 813c300d0a0d0a }
            // n = 7, score = 300
            //   747b                 | je                  0x7d
            //   83ff04               | cmp                 edi, 4
            //   7619                 | jbe                 0x1b
            //   33c0                 | xor                 eax, eax
            //   8d4ffc               | lea                 ecx, [edi - 4]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   813c300d0a0d0a       | cmp                 dword ptr [eax + esi], 0xa0d0a0d

        $sequence_2 = { 46 83fe1c 7d22 8b4dfc ebce 33c0 3bd9 }
            // n = 7, score = 300
            //   46                   | inc                 esi
            //   83fe1c               | cmp                 esi, 0x1c
            //   7d22                 | jge                 0x24
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   ebce                 | jmp                 0xffffffd0
            //   33c0                 | xor                 eax, eax
            //   3bd9                 | cmp                 ebx, ecx

        $sequence_3 = { 57 e8???????? 8b45f8 2bc6 83e802 50 8b45fc }
            // n = 7, score = 300
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2bc6                 | sub                 eax, esi
            //   83e802               | sub                 eax, 2
            //   50                   | push                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_4 = { 0f846e240000 8a9608010000 80faff 7314 0fb6c2 b900010000 2bc8 }
            // n = 7, score = 300
            //   0f846e240000         | je                  0x2474
            //   8a9608010000         | mov                 dl, byte ptr [esi + 0x108]
            //   80faff               | cmp                 dl, 0xff
            //   7314                 | jae                 0x16
            //   0fb6c2               | movzx               eax, dl
            //   b900010000           | mov                 ecx, 0x100
            //   2bc8                 | sub                 ecx, eax

        $sequence_5 = { 837df000 0f84e92e0000 8a9608010000 80faff 0f83e2fdffff 0fb6c2 b900010000 }
            // n = 7, score = 300
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0
            //   0f84e92e0000         | je                  0x2eef
            //   8a9608010000         | mov                 dl, byte ptr [esi + 0x108]
            //   80faff               | cmp                 dl, 0xff
            //   0f83e2fdffff         | jae                 0xfffffde8
            //   0fb6c2               | movzx               eax, dl
            //   b900010000           | mov                 ecx, 0x100

        $sequence_6 = { 83872801000002 83c302 5e 5f 8bc3 5b 5d }
            // n = 7, score = 300
            //   83872801000002       | add                 dword ptr [edi + 0x128], 2
            //   83c302               | add                 ebx, 2
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp

        $sequence_7 = { 57 8b7d0c 83fb05 0f869f000000 813f47455420 7416 813f504f5354 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   83fb05               | cmp                 ebx, 5
            //   0f869f000000         | jbe                 0xa5
            //   813f47455420         | cmp                 dword ptr [edi], 0x20544547
            //   7416                 | je                  0x18
            //   813f504f5354         | cmp                 dword ptr [edi], 0x54534f50

        $sequence_8 = { 8ac2 c0e003 80e107 0ac8 888e84030000 33c9 8b4768 }
            // n = 7, score = 300
            //   8ac2                 | mov                 al, dl
            //   c0e003               | shl                 al, 3
            //   80e107               | and                 cl, 7
            //   0ac8                 | or                  cl, al
            //   888e84030000         | mov                 byte ptr [esi + 0x384], cl
            //   33c9                 | xor                 ecx, ecx
            //   8b4768               | mov                 eax, dword ptr [edi + 0x68]

        $sequence_9 = { 0f841c270000 80fd0f 0f85ec020000 8b5d0c 8d4201 8a2b 43 }
            // n = 7, score = 300
            //   0f841c270000         | je                  0x2722
            //   80fd0f               | cmp                 ch, 0xf
            //   0f85ec020000         | jne                 0x2f2
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   8d4201               | lea                 eax, [edx + 1]
            //   8a2b                 | mov                 ch, byte ptr [ebx]
            //   43                   | inc                 ebx

    condition:
        7 of them and filesize < 532480
}
Download all Yara Rules