There is no description at this point.
/*
 * win_stuxnet_auto: autogenerated code-sequence rule for win.stuxnet (see the
 * disclaimer inside the rule). Each $sequence_N is a run of seven instructions
 * lifted from one documented sample; the trailing comments give the bytes, the
 * mnemonic and the operands for every instruction. Runs of "????????" mask
 * 4-byte operands (call targets, absolute data references, immediates - the
 * three classes named in signator_config "callsandjumps;datarefs;binvalue"),
 * which presumably keeps the sequences stable across builds that differ only
 * in addresses - not verified here. A file matches when 7 of the 10 sequences
 * are present and it is smaller than 2,495,488 bytes.
 */
rule win_stuxnet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.stuxnet."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each "n = 7, score = 200" line is yara-signator output: n is the
        // instruction count of the sequence, score its selection weight.

        $sequence_0 = { b8???????? e8???????? 51 51 56 894df0 c701???????? }
            // n = 7, score = 200
            //   b8????????           |                       (mov eax, imm32 - operand masked)
            //   e8????????           |                       (call rel32 - target masked)
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   56                   | push                esi
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   c701????????         |                       (mov dword ptr [ecx], imm32 - operand masked)

        $sequence_1 = { c645fc05 c645fc06 e8???????? 8b7810 c645fc04 8d45e4 50 }
            // n = 7, score = 200
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6
            //   e8????????           |
            //   8b7810               | mov                 edi, dword ptr [eax + 0x10]
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_2 = { c645fc01 85f6 7414 53 e8???????? c645fc02 8a431c }
            // n = 7, score = 200
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   85f6                 | test                esi, esi
            //   7414                 | je                  0x16
            //   53                   | push                ebx
            //   e8????????           |
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8a431c               | mov                 al, byte ptr [ebx + 0x1c]

        $sequence_3 = { ff742414 e8???????? 5f 59 c20400 b8???????? e8???????? }
            // n = 7, score = 200
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   e8????????           |
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx
            //   c20400               | ret                 4
            //   b8????????           |
            //   e8????????           |
            // NOTE: the "ret 4" sits in the middle of this sequence, so the last
            // two instructions belong to whatever the compiler placed next in the
            // image; the match therefore depends on function layout - TODO confirm.

        $sequence_4 = { 33c0 75fc 8b450c 8b8d70ffffff 898880000000 83a578ffffff00 8b4588 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   75fc                 | jne                 0xfffffffe
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b8d70ffffff         | mov                 ecx, dword ptr [ebp - 0x90]
            //   898880000000         | mov                 dword ptr [eax + 0x80], ecx
            //   83a578ffffff00       | and                 dword ptr [ebp - 0x88], 0
            //   8b4588               | mov                 eax, dword ptr [ebp - 0x78]

        $sequence_5 = { be00100000 56 33db 53 ff15???????? 8bf8 85ff }
            // n = 7, score = 200
            //   be00100000           | mov                 esi, 0x1000
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   ff15????????         |                       (call dword ptr [imm32] - import slot masked)
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

        $sequence_6 = { e8???????? 837da8ff 7599 8b4508 8b403c 33c9 85c0 }
            // n = 7, score = 200
            //   e8????????           |
            //   837da8ff             | cmp                 dword ptr [ebp - 0x58], -1
            //   7599                 | jne                 0xffffff9b
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b403c               | mov                 eax, dword ptr [eax + 0x3c]
            //   33c9                 | xor                 ecx, ecx
            //   85c0                 | test                eax, eax

        $sequence_7 = { e8???????? 83c40c 837df400 8d45f0 50 7456 57 }
            // n = 7, score = 200
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   7456                 | je                  0x58
            //   57                   | push                edi

        $sequence_8 = { eb02 33c0 c9 c3 55 8bec 837d1c00 }
            // n = 7, score = 200
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave
            //   c3                   | ret
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   837d1c00             | cmp                 dword ptr [ebp + 0x1c], 0
            // NOTE: "leave; ret" followed by "push ebp; mov ebp, esp" straddles a
            // function boundary (epilogue of one routine, prologue of the next),
            // so this sequence also depends on the two routines being adjacent.

        $sequence_9 = { c20400 6a00 56 50 ff15???????? 3d02010000 74e8 }
            // n = 7, score = 200
            //   c20400               | ret                 4
            //   6a00                 | push                0
            //   56                   | push                esi
            //   50                   | push                eax
            //   ff15????????         |
            //   3d02010000           | cmp                 eax, 0x102
            //   74e8                 | je                  0xffffffea
            // NOTE(review): 0x102 is the value of WAIT_TIMEOUT, and the backward
            // "je" after comparing an import's return value looks like a wait/poll
            // loop - presumably a WaitForSingleObject-style call; confirm in the sample.

    condition:
        // 7 of the 10 sequences above; the size bound is in bytes (~2.4 MiB) and
        // applies to the scanned object (memory dump or unpacked file, per the disclaimer).
        7 of them and filesize < 2495488
}
/*
 * win_stuxnet_w0: hand-written rule for the Stuxshop standalone sample
 * configuration (sample hash in meta). It carries three independent string
 * families and fires on any one of them:
 *   $cnc*           - four hard-coded C2 URL prefixes, 2 of 4 required;
 *   $regkey*        - a registry key path and a value name, both required;
 *   $flowerOverlap* - six code fragments, all six required (the name suggests
 *                     code shared with another family, but the page does not
 *                     say which - not verified here).
 * Every text string is declared "ascii wide", so both narrow and UTF-16LE
 * encodings of the strings match.
 */
rule win_stuxnet_w0 {

    meta:
        author = "JAG-S (turla@chronicle.security)"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        description = "Stuxshop standalone sample configuration"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // C2 URL prefixes as embedded in the sample; each ends in "?data=",
        // so presumably the beacon payload is appended at runtime - confirm.
        // Two of the four are needed, which tolerates a config with a
        // partially changed server list.
        $cnc1 = "http://211.24.237.226/index.php?data=" ascii wide
        $cnc2 = "http://todaysfutbol.com/index.php?data=" ascii wide
        $cnc3 = "http://78.111.169.146/index.php?data=" ascii wide
        $cnc4 = "http://mypremierfutbol.com/index.php?data=" ascii wide

        // Registry persistence/config location (backslashes are escaped for YARA).
        // $regkey2 on its own is a short generic token, so the condition requires both.
        $regkey1 = "Software\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation" ascii wide
        $regkey2 = "NTVDMParams" ascii wide

        // Code fragments. "FF 15" at the end of several fragments is the opcode of
        // "call dword ptr [imm32]"; the 4-byte import slot is deliberately left
        // outside the pattern so addresses do not have to match.
        $flowerOverlap1 = { 85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15 }
        $flowerOverlap2 = { 85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15 }
        // NOTE(review): "5068" is lexed by YARA as the two bytes 50 68 (push eax;
        // push imm32), so the rule parses, but the missing space looks like a
        // transcription artefact rather than intent. The immediate that follows,
        // 0x00020019, equals KEY_READ, which is consistent with the $regkey*
        // strings (a registry open) - confirm against the sample.
        $flowerOverlap3 = { 55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 5068 19 00 02 00 6A 00 FF 75 0C FF 75 08 }
        $flowerOverlap4 = { 55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }
        $flowerOverlap5 = { 85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06 }
        $flowerOverlap6 = { 85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15 }

    condition:
        // Any one family suffices: all six code fragments, or two C2 URLs, or
        // both registry strings. Each family is independently specific enough
        // that no filesize or header check is applied.
        all of ($flowerOverlap*) or 2 of ($cnc*) or all of ($regkey*)
}
/*
 * win_stuxnet_w1: two anonymous hex fragments taken from the OS-check routine
 * shared by STUXSHOP and CheshireCat (sample hash in meta); either fragment
 * alone is enough ("any of them").
 * Several 4-byte operands are wildcarded except for a trailing 0x10 - this
 * presumably pins absolute addresses inside a 0x10xxxxxx image (the sample's
 * preferred base), so a relocated or rebased copy may not match; TODO confirm.
 * NOTE(review): this rule names its summary with the meta key "desc" whereas the
 * sibling rules on this page use "description"; tooling that collects
 * "description" will report none for this rule.
 */
rule win_stuxnet_w1 {

    meta:
        author = "Silas Cutler (havex@Chronicle.Security)"
        desc = "Identifies the OS Check function in STUXSHOP and CheshireCat"
        hash = "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet"
        malpedia_version = "20190418"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Fragment 1: a chain of compares against [ebp-0x84]/[ebp-0x90]/[ebp-0x8c]
        // with long conditional jumps ("0F 85 ?? 01 00 00"), where only the low
        // byte of each rel32 is wildcarded. The leading "10" is most likely the
        // last byte of a preceding operand rather than an instruction - confirm.
        $ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00 00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05 5E }
        // Fragment 2: "push imm32" and "call dword ptr [imm32]" with the address
        // bytes wildcarded down to the 0x10 high byte, around "mov cl, 0x62" /
        // "mov cl, 0x6f" single-character loads.
        $ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80 68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6 }

    condition:
        // Either fragment is treated as sufficient; no filesize or PE check.
        any of them
}