Actor(s): DragonOK
There is no description at this point.
rule win_sysget_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.sysget." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6800100000 50 57 8906 } // n = 4, score = 400 // 6800100000 | push 0x1000 // 50 | push eax // 57 | push edi // 8906 | mov dword ptr [esi], eax $sequence_1 = { c705????????01000000 33c0 68fe070000 50 } // n = 4, score = 400 // c705????????01000000 | // 33c0 | xor eax, eax // 68fe070000 | push 0x7fe // 50 | push eax $sequence_2 = { 53 50 885dcc e8???????? b9???????? 8bc1 83c40c } // n = 7, score = 400 // 53 | push ebx // 50 | push eax // 885dcc | mov byte ptr [ebp - 0x34], bl // e8???????? | // b9???????? | // 8bc1 | mov eax, ecx // 83c40c | add esp, 0xc $sequence_3 = { 889dd4fdffff e8???????? 68f9000000 8d8501ffffff 53 50 } // n = 6, score = 400 // 889dd4fdffff | mov byte ptr [ebp - 0x22c], bl // e8???????? | // 68f9000000 | push 0xf9 // 8d8501ffffff | lea eax, [ebp - 0xff] // 53 | push ebx // 50 | push eax $sequence_4 = { 83c702 6685c0 75f4 4b 53 8d85e4fbffff } // n = 6, score = 400 // 83c702 | add edi, 2 // 6685c0 | test ax, ax // 75f4 | jne 0xfffffff6 // 4b | dec ebx // 53 | push ebx // 8d85e4fbffff | lea eax, [ebp - 0x41c] $sequence_5 = { 56 57 6a00 8bd8 ff15???????? 56 } // n = 6, score = 400 // 56 | push esi // 57 | push edi // 6a00 | push 0 // 8bd8 | mov ebx, eax // ff15???????? | // 56 | push esi $sequence_6 = { 8d85ecf1ffff 50 e8???????? 834dfcff 83c40c b8???????? } // n = 6, score = 400 // 8d85ecf1ffff | lea eax, [ebp - 0xe14] // 50 | push eax // e8???????? | // 834dfcff | or dword ptr [ebp - 4], 0xffffffff // 83c40c | add esp, 0xc // b8???????? | $sequence_7 = { 68fe000000 668985ecfeffff 8d85eefeffff 57 50 e8???????? 8dbdecfeffff } // n = 7, score = 400 // 68fe000000 | push 0xfe // 668985ecfeffff | mov word ptr [ebp - 0x114], ax // 8d85eefeffff | lea eax, [ebp - 0x112] // 57 | push edi // 50 | push eax // e8???????? | // 8dbdecfeffff | lea edi, [ebp - 0x114] $sequence_8 = { 8d45e4 50 895de4 895ddc 895de0 } // n = 5, score = 400 // 8d45e4 | lea eax, [ebp - 0x1c] // 50 | push eax // 895de4 | mov dword ptr [ebp - 0x1c], ebx // 895ddc | mov dword ptr [ebp - 0x24], ebx // 895de0 | mov dword ptr [ebp - 0x20], ebx $sequence_9 = { c1e902 f3a5 8bc8 8d85ecf1ffff 83e103 } // n = 5, score = 400 // c1e902 | shr ecx, 2 // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 8bc8 | mov ecx, eax // 8d85ecf1ffff | lea eax, [ebp - 0xe14] // 83e103 | and ecx, 3 condition: 7 of them and filesize < 352256 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY