There is no description at this point.
rule win_smac_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d8538fbffff 50 ffd6 6a43 58 6a6d 668945d8 } // n = 7, score = 200 // 8d8538fbffff | lea eax, [ebp - 0x4c8] // 50 | push eax // ffd6 | call esi // 6a43 | push 0x43 // 58 | pop eax // 6a6d | push 0x6d // 668945d8 | mov word ptr [ebp - 0x28], ax $sequence_1 = { 39bd78feffff 0f86b8000000 ffb578feffff e8???????? ffb578feffff 8bf0 57 } // n = 7, score = 200 // 39bd78feffff | cmp dword ptr [ebp - 0x188], edi // 0f86b8000000 | jbe 0xbe // ffb578feffff | push dword ptr [ebp - 0x188] // e8???????? | // ffb578feffff | push dword ptr [ebp - 0x188] // 8bf0 | mov esi, eax // 57 | push edi $sequence_2 = { 66894c244c 8d8b8c000000 c684245801000001 83791408 894c2420 897910 7202 } // n = 7, score = 200 // 66894c244c | mov word ptr [esp + 0x4c], cx // 8d8b8c000000 | lea ecx, [ebx + 0x8c] // c684245801000001 | mov byte ptr [esp + 0x158], 1 // 83791408 | cmp dword ptr [ecx + 0x14], 8 // 894c2420 | mov dword ptr [esp + 0x20], ecx // 897910 | mov dword ptr [ecx + 0x10], edi // 7202 | jb 4 $sequence_3 = { 8d8424cc040000 50 ffd6 83f8ff 7506 895c240c } // n = 6, score = 200 // 8d8424cc040000 | lea eax, [esp + 0x4cc] // 50 | push eax // ffd6 | call esi // 83f8ff | cmp eax, -1 // 7506 | jne 8 // 895c240c | mov dword ptr [esp + 0xc], ebx $sequence_4 = { 8bdf 66899d54ffffff 5b 66899d56ffffff 8bd8 66899d58ffffff 8bd9 } // n = 7, score = 200 // 8bdf | mov ebx, edi // 66899d54ffffff | mov word ptr [ebp - 0xac], bx // 5b | pop ebx // 66899d56ffffff | mov word ptr [ebp - 0xaa], bx // 8bd8 | mov ebx, eax // 66899d58ffffff | mov word ptr [ebp - 0xa8], bx // 8bd9 | mov ebx, ecx $sequence_5 = { 8a8230214100 884101 0fb645ff 8bd0 c1ea06 c1e702 0bd7 } // n = 7, score = 200 // 8a8230214100 | mov al, byte ptr [edx + 0x412130] // 884101 | mov byte ptr [ecx + 1], al // 0fb645ff | movzx eax, byte ptr [ebp - 1] // 8bd0 | mov edx, eax // c1ea06 | shr edx, 6 // c1e702 | shl edi, 2 // 0bd7 | or edx, edi $sequence_6 = { e8???????? 8d9d18f0ffff e8???????? 33db 43 53 8db5dcf0ffff } // n = 7, score = 200 // e8???????? | // 8d9d18f0ffff | lea ebx, [ebp - 0xfe8] // e8???????? | // 33db | xor ebx, ebx // 43 | inc ebx // 53 | push ebx // 8db5dcf0ffff | lea esi, [ebp - 0xf24] $sequence_7 = { 8d8424c0020000 50 8d842464020000 50 8d8424c8020000 50 ffd7 } // n = 7, score = 200 // 8d8424c0020000 | lea eax, [esp + 0x2c0] // 50 | push eax // 8d842464020000 | lea eax, [esp + 0x264] // 50 | push eax // 8d8424c8020000 | lea eax, [esp + 0x2c8] // 50 | push eax // ffd7 | call edi $sequence_8 = { 6a00 ff15???????? 6a10 68???????? } // n = 4, score = 200 // 6a00 | push 0 // ff15???????? | // 6a10 | push 0x10 // 68???????? | $sequence_9 = { ffb56cf4ffff ff15???????? ffb56cf4ffff ff15???????? 83bdf4f4ffff08 8b85e0f4ffff 7306 } // n = 7, score = 200 // ffb56cf4ffff | push dword ptr [ebp - 0xb94] // ff15???????? | // ffb56cf4ffff | push dword ptr [ebp - 0xb94] // ff15???????? | // 83bdf4f4ffff08 | cmp dword ptr [ebp - 0xb0c], 8 // 8b85e0f4ffff | mov eax, dword ptr [ebp - 0xb20] // 7306 | jae 8 condition: 7 of them and filesize < 212992 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY