There is no description at this point.
rule win_stuxnet_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.stuxnet." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ebd4 8d450c 50 e8???????? c645fc03 e8???????? 8bb0ac050000 } // n = 7, score = 200 // ebd4 | jmp 0xffffffd6 // 8d450c | lea eax, [ebp + 0xc] // 50 | push eax // e8???????? | // c645fc03 | mov byte ptr [ebp - 4], 3 // e8???????? | // 8bb0ac050000 | mov esi, dword ptr [eax + 0x5ac] $sequence_1 = { 8d8dccfeffff e8???????? 834dfcff e9???????? 68fa000000 ff15???????? eb80 } // n = 7, score = 200 // 8d8dccfeffff | lea ecx, [ebp - 0x134] // e8???????? | // 834dfcff | or dword ptr [ebp - 4], 0xffffffff // e9???????? | // 68fa000000 | push 0xfa // ff15???????? | // eb80 | jmp 0xffffff82 $sequence_2 = { 8d45bc 50 e8???????? c3 b8???????? e9???????? 8d45d8 } // n = 7, score = 200 // 8d45bc | lea eax, [ebp - 0x44] // 50 | push eax // e8???????? | // c3 | ret // b8???????? | // e9???????? | // 8d45d8 | lea eax, [ebp - 0x28] $sequence_3 = { e8???????? c3 b8???????? e9???????? 8d45ac 50 e8???????? } // n = 7, score = 200 // e8???????? | // c3 | ret // b8???????? | // e9???????? | // 8d45ac | lea eax, [ebp - 0x54] // 50 | push eax // e8???????? | $sequence_4 = { 395870 7404 804e1110 e8???????? 84c0 7504 804e1104 } // n = 7, score = 200 // 395870 | cmp dword ptr [eax + 0x70], ebx // 7404 | je 6 // 804e1110 | or byte ptr [esi + 0x11], 0x10 // e8???????? | // 84c0 | test al, al // 7504 | jne 6 // 804e1104 | or byte ptr [esi + 0x11], 4 $sequence_5 = { c21000 b8???????? e8???????? 83ec5c 8365f000 53 56 } // n = 7, score = 200 // c21000 | ret 0x10 // b8???????? | // e8???????? | // 83ec5c | sub esp, 0x5c // 8365f000 | and dword ptr [ebp - 0x10], 0 // 53 | push ebx // 56 | push esi $sequence_6 = { 7431 8d75f8 e8???????? 8b400c 3b450c 7407 e8???????? } // n = 7, score = 200 // 7431 | je 0x33 // 8d75f8 | lea esi, [ebp - 8] // e8???????? | // 8b400c | mov eax, dword ptr [eax + 0xc] // 3b450c | cmp eax, dword ptr [ebp + 0xc] // 7407 | je 9 // e8???????? | $sequence_7 = { e8???????? 837c241000 59 59 0f95c0 59 } // n = 6, score = 200 // e8???????? | // 837c241000 | cmp dword ptr [esp + 0x10], 0 // 59 | pop ecx // 59 | pop ecx // 0f95c0 | setne al // 59 | pop ecx $sequence_8 = { c684245401000007 8d44242c 50 e8???????? c684245401000008 6a00 6a01 } // n = 7, score = 200 // c684245401000007 | mov byte ptr [esp + 0x154], 7 // 8d44242c | lea eax, [esp + 0x2c] // 50 | push eax // e8???????? | // c684245401000008 | mov byte ptr [esp + 0x154], 8 // 6a00 | push 0 // 6a01 | push 1 $sequence_9 = { e8???????? ff75ec e8???????? b001 eb06 834dfcff 32c0 } // n = 7, score = 200 // e8???????? | // ff75ec | push dword ptr [ebp - 0x14] // e8???????? | // b001 | mov al, 1 // eb06 | jmp 8 // 834dfcff | or dword ptr [ebp - 4], 0xffffffff // 32c0 | xor al, al condition: 7 of them and filesize < 2495488 }
rule win_stuxnet_w0 { meta: author = "JAG-S (turla@chronicle.security)" hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579" description = "Stuxshop standalone sample configuration" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet" malpedia_version = "20190418" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide $regkey1 = "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide $regkey2 = "NTVDMParams" ascii wide $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 } $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 } $flowerOverlap3 = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 5068 19 00 02 00 6A 00 FF 75 0C FF 75 08 } $flowerOverlap4 = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 } $flowerOverlap5 = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 } $flowerOverlap6 = { 85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 } condition: all of ($flowerOverlap*) or 2 of ($cnc*) or all of ($regkey*) }
rule win_stuxnet_w1 { meta: author = "Silas Cutler (havex@Chronicle.Security)" desc = "Identifies the OS Check function in STUXSHOP and CheshireCat" hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet" malpedia_version = "20190418" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05 5E } $ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6 } condition: any of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY