There is no description at this point.
rule win_smac_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83c40c 8bd8 8d45b4 c645fc0f e8???????? 6a01 } // n = 6, score = 200 // 83c40c | add esp, 0xc // 8bd8 | mov ebx, eax // 8d45b4 | lea eax, [ebp - 0x4c] // c645fc0f | mov byte ptr [ebp - 4], 0xf // e8???????? | // 6a01 | push 1 $sequence_1 = { 58 6a0d 668945f2 58 6a0a 668945f4 } // n = 6, score = 200 // 58 | pop eax // 6a0d | push 0xd // 668945f2 | mov word ptr [ebp - 0xe], ax // 58 | pop eax // 6a0a | push 0xa // 668945f4 | mov word ptr [ebp - 0xc], ax $sequence_2 = { 8d8560ffffff 50 8d7d98 c645fc0b } // n = 4, score = 200 // 8d8560ffffff | lea eax, [ebp - 0xa0] // 50 | push eax // 8d7d98 | lea edi, [ebp - 0x68] // c645fc0b | mov byte ptr [ebp - 4], 0xb $sequence_3 = { 50 6a01 ff9524fcffff 68e8030000 ff15???????? 6a5c 58 } // n = 7, score = 200 // 50 | push eax // 6a01 | push 1 // ff9524fcffff | call dword ptr [ebp - 0x3dc] // 68e8030000 | push 0x3e8 // ff15???????? | // 6a5c | push 0x5c // 58 | pop eax $sequence_4 = { 6a41 6689759e 5e 668975a0 6a2f 8bf0 668975a2 } // n = 7, score = 200 // 6a41 | push 0x41 // 6689759e | mov word ptr [ebp - 0x62], si // 5e | pop esi // 668975a0 | mov word ptr [ebp - 0x60], si // 6a2f | push 0x2f // 8bf0 | mov esi, eax // 668975a2 | mov word ptr [ebp - 0x5e], si $sequence_5 = { ff15???????? 6a01 8db3a4000000 33ff e8???????? 6a01 8d7374 } // n = 7, score = 200 // ff15???????? | // 6a01 | push 1 // 8db3a4000000 | lea esi, [ebx + 0xa4] // 33ff | xor edi, edi // e8???????? | // 6a01 | push 1 // 8d7374 | lea esi, [ebx + 0x74] $sequence_6 = { 50 ff7598 8d459c 50 8d7db8 c645fc0b e8???????? } // n = 7, score = 200 // 50 | push eax // ff7598 | push dword ptr [ebp - 0x68] // 8d459c | lea eax, [ebp - 0x64] // 50 | push eax // 8d7db8 | lea edi, [ebp - 0x48] // c645fc0b | mov byte ptr [ebp - 4], 0xb // e8???????? | $sequence_7 = { 83c40c 6804010000 8d85ecfdffff 50 68???????? ff15???????? 8d85ecfdffff } // n = 7, score = 200 // 83c40c | add esp, 0xc // 6804010000 | push 0x104 // 8d85ecfdffff | lea eax, [ebp - 0x214] // 50 | push eax // 68???????? | // ff15???????? | // 8d85ecfdffff | lea eax, [ebp - 0x214] $sequence_8 = { 668945d0 58 668945d2 6a4c } // n = 4, score = 200 // 668945d0 | mov word ptr [ebp - 0x30], ax // 58 | pop eax // 668945d2 | mov word ptr [ebp - 0x2e], ax // 6a4c | push 0x4c $sequence_9 = { 3d01010000 7d0d 8a4c181c 888860564100 40 ebe9 33c0 } // n = 7, score = 200 // 3d01010000 | cmp eax, 0x101 // 7d0d | jge 0xf // 8a4c181c | mov cl, byte ptr [eax + ebx + 0x1c] // 888860564100 | mov byte ptr [eax + 0x415660], cl // 40 | inc eax // ebe9 | jmp 0xffffffeb // 33c0 | xor eax, eax condition: 7 of them and filesize < 212992 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY