There is no description at this point.
rule win_udpos_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.udpos." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 89bde0fbffff 8b3d???????? 51 ffd7 8b95e0fbffff 52 } // n = 6, score = 100 // 89bde0fbffff | mov dword ptr [ebp - 0x420], edi // 8b3d???????? | // 51 | push ecx // ffd7 | call edi // 8b95e0fbffff | mov edx, dword ptr [ebp - 0x420] // 52 | push edx $sequence_1 = { 0fb671fd 8858fd 8bde c1eb04 0fb65c1de8 8858fa } // n = 6, score = 100 // 0fb671fd | movzx esi, byte ptr [ecx - 3] // 8858fd | mov byte ptr [eax - 3], bl // 8bde | mov ebx, esi // c1eb04 | shr ebx, 4 // 0fb65c1de8 | movzx ebx, byte ptr [ebp + ebx - 0x18] // 8858fa | mov byte ptr [eax - 6], bl $sequence_2 = { e8???????? 68???????? be02000000 a3???????? e8???????? 68???????? be22000000 } // n = 7, score = 100 // e8???????? | // 68???????? | // be02000000 | mov esi, 2 // a3???????? | // e8???????? | // 68???????? | // be22000000 | mov esi, 0x22 $sequence_3 = { ffd6 8d95ecf6ffff 52 8d85e0f8ffff 50 ffd6 8d8db4f7ffff } // n = 7, score = 100 // ffd6 | call esi // 8d95ecf6ffff | lea edx, [ebp - 0x914] // 52 | push edx // 8d85e0f8ffff | lea eax, [ebp - 0x720] // 50 | push eax // ffd6 | call esi // 8d8db4f7ffff | lea ecx, [ebp - 0x84c] $sequence_4 = { 53 8d8df4fdffff 51 ff15???????? 85c0 7503 8d7801 } // n = 7, score = 100 // 53 | push ebx // 8d8df4fdffff | lea ecx, [ebp - 0x20c] // 51 | push ecx // ff15???????? | // 85c0 | test eax, eax // 7503 | jne 5 // 8d7801 | lea edi, [eax + 1] $sequence_5 = { 3bc6 7e15 85c0 7e11 } // n = 4, score = 100 // 3bc6 | cmp eax, esi // 7e15 | jle 0x17 // 85c0 | test eax, eax // 7e11 | jle 0x13 $sequence_6 = { 85c0 7e0e 83f804 7e09 8b15???????? 8b7210 } // n = 6, score = 100 // 85c0 | test eax, eax // 7e0e | jle 0x10 // 83f804 | cmp eax, 4 // 7e09 | jle 0xb // 8b15???????? | // 8b7210 | mov esi, dword ptr [edx + 0x10] $sequence_7 = { c1c802 8bf1 8945f4 8955f8 f7d6 } // n = 5, score = 100 // c1c802 | ror eax, 2 // 8bf1 | mov esi, ecx // 8945f4 | mov dword ptr [ebp - 0xc], eax // 8955f8 | mov dword ptr [ebp - 8], edx // f7d6 | not esi $sequence_8 = { 6a00 51 e8???????? 68f4010000 8d95c8fcffff 6a00 52 } // n = 7, score = 100 // 6a00 | push 0 // 51 | push ecx // e8???????? | // 68f4010000 | push 0x1f4 // 8d95c8fcffff | lea edx, [ebp - 0x338] // 6a00 | push 0 // 52 | push edx $sequence_9 = { 83f801 741a 81fe84030000 7d12 68e8030000 } // n = 5, score = 100 // 83f801 | cmp eax, 1 // 741a | je 0x1c // 81fe84030000 | cmp esi, 0x384 // 7d12 | jge 0x14 // 68e8030000 | push 0x3e8 condition: 7 of them and filesize < 163840 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY