SYMBOLCOMMON_NAMEaka. SYNONYMS
win.startpage (Back to overview)

StartPage

aka: Easy Television Access Now

Potentially unwanted program that changes the startpage of browsers to induce ad impressions.

References
2017-04-17Bleeping ComputerBleepingComputer
@online{bleepingcomputer:20170417:remove:4727489, author = {BleepingComputer}, title = {{Remove Search.searchetan.com Chrome New Tab Page}}, date = {2017-04-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page}, language = {English}, urldate = {2020-01-06} } Remove Search.searchetan.com Chrome New Tab Page
StartPage
Yara Rules
[TLP:WHITE] win_startpage_auto (20220808 | Detects win.startpage.)
rule win_startpage_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.startpage."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8955fc 8b32 85f6 0f84ba000000 53 57 8b7a04 }
            // n = 7, score = 200
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b32                 | mov                 esi, dword ptr [edx]
            //   85f6                 | test                esi, esi
            //   0f84ba000000         | je                  0xc0
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8b7a04               | mov                 edi, dword ptr [edx + 4]

        $sequence_1 = { c20800 6a00 b8???????? e8???????? 8bf1 8b5508 85d2 }
            // n = 7, score = 200
            //   c20800               | ret                 8
            //   6a00                 | push                0
            //   b8????????           |                     
            //   e8????????           |                     
            //   8bf1                 | mov                 esi, ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   85d2                 | test                edx, edx

        $sequence_2 = { 53 8bcf e8???????? 53 ba???????? 895df0 8d4dec }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   53                   | push                ebx
            //   ba????????           |                     
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

        $sequence_3 = { ff37 8b35???????? ff75fc 53 50 ff750c }
            // n = 6, score = 200
            //   ff37                 | push                dword ptr [edi]
            //   8b35????????         |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_4 = { 0f8578010000 8d8d80feffff e8???????? 8d8d80feffff e8???????? 84c0 0f845a010000 }
            // n = 7, score = 200
            //   0f8578010000         | jne                 0x17e
            //   8d8d80feffff         | lea                 ecx, [ebp - 0x180]
            //   e8????????           |                     
            //   8d8d80feffff         | lea                 ecx, [ebp - 0x180]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f845a010000         | je                  0x160

        $sequence_5 = { 68ec010000 b8???????? e8???????? 8bd9 6a00 ff15???????? 85c0 }
            // n = 7, score = 200
            //   68ec010000           | push                0x1ec
            //   b8????????           |                     
            //   e8????????           |                     
            //   8bd9                 | mov                 ebx, ecx
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { 7549 895df0 895dfc 8b07 ff5010 8d55f0 52 }
            // n = 7, score = 200
            //   7549                 | jne                 0x4b
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   8d55f0               | lea                 edx, [ebp - 0x10]
            //   52                   | push                edx

        $sequence_7 = { ff15???????? 8907 663918 7419 8a55af 8a45ad }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8907                 | mov                 dword ptr [edi], eax
            //   663918               | cmp                 word ptr [eax], bx
            //   7419                 | je                  0x1b
            //   8a55af               | mov                 dl, byte ptr [ebp - 0x51]
            //   8a45ad               | mov                 al, byte ptr [ebp - 0x53]

        $sequence_8 = { ff30 ff75ec e8???????? c645fc01 8b4d08 8d49f0 e8???????? }
            // n = 7, score = 200
            //   ff30                 | push                dword ptr [eax]
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   e8????????           |                     
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d49f0               | lea                 ecx, [ecx - 0x10]
            //   e8????????           |                     

        $sequence_9 = { 33c0 40 6a7d 59 66390f 0f85a4faffff eb18 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   6a7d                 | push                0x7d
            //   59                   | pop                 ecx
            //   66390f               | cmp                 word ptr [edi], cx
            //   0f85a4faffff         | jne                 0xfffffaaa
            //   eb18                 | jmp                 0x1a

    condition:
        7 of them and filesize < 2277376
}
Download all Yara Rules