Actor(s): Pirate Panda
There is no description at this point.
rule win_usbferry_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.usbferry." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 741c 807f013a 7516 8b85acfaffff } // n = 4, score = 200 // 741c | je 0x1e // 807f013a | cmp byte ptr [edi + 1], 0x3a // 7516 | jne 0x18 // 8b85acfaffff | mov eax, dword ptr [ebp - 0x554] $sequence_1 = { 837d1404 7547 6a04 8d4d1c } // n = 4, score = 200 // 837d1404 | cmp dword ptr [ebp + 0x14], 4 // 7547 | jne 0x49 // 6a04 | push 4 // 8d4d1c | lea ecx, dword ptr [ebp + 0x1c] $sequence_2 = { 0f85dc000000 83bd64ffffff04 0f86cf000000 83bd64ffffff05 } // n = 4, score = 200 // 0f85dc000000 | jne 0xe2 // 83bd64ffffff04 | cmp dword ptr [ebp - 0x9c], 4 // 0f86cf000000 | jbe 0xd5 // 83bd64ffffff05 | cmp dword ptr [ebp - 0x9c], 5 $sequence_3 = { c645b365 c645b45c c645b54d c645b669 c645b763 } // n = 5, score = 200 // c645b365 | mov byte ptr [ebp - 0x4d], 0x65 // c645b45c | mov byte ptr [ebp - 0x4c], 0x5c // c645b54d | mov byte ptr [ebp - 0x4b], 0x4d // c645b669 | mov byte ptr [ebp - 0x4a], 0x69 // c645b763 | mov byte ptr [ebp - 0x49], 0x63 $sequence_4 = { 57 8bc2 894dfc 8a2d???????? } // n = 4, score = 200 // 57 | push edi // 8bc2 | mov eax, edx // 894dfc | mov dword ptr [ebp - 4], ecx // 8a2d???????? | $sequence_5 = { 89857cf5ffff 899578f5ffff 8d8da8faffff 83c1ff 898d90f5ffff 8b9590f5ffff } // n = 6, score = 200 // 89857cf5ffff | mov dword ptr [ebp - 0xa84], eax // 899578f5ffff | mov dword ptr [ebp - 0xa88], edx // 8d8da8faffff | lea ecx, dword ptr [ebp - 0x558] // 83c1ff | add ecx, -1 // 898d90f5ffff | mov dword ptr [ebp - 0xa70], ecx // 8b9590f5ffff | mov edx, dword ptr [ebp - 0xa70] $sequence_6 = { 741b ffb5b4faffff 8b8db0faffff ffb5acfaffff } // n = 4, score = 200 // 741b | je 0x1d // ffb5b4faffff | push dword ptr [ebp - 0x54c] // 8b8db0faffff | mov ecx, dword ptr [ebp - 0x550] // ffb5acfaffff | push dword ptr [ebp - 0x554] $sequence_7 = { 741d 6a0a 5e 8bc1 } // n = 4, score = 200 // 741d | je 0x1f // 6a0a | push 0xa // 5e | pop esi // 8bc1 | mov eax, ecx $sequence_8 = { c645d569 c645d66f c645d76e c645d85c c645d957 c645da69 } // n = 6, score = 200 // c645d569 | mov byte ptr [ebp - 0x2b], 0x69 // c645d66f | mov byte ptr [ebp - 0x2a], 0x6f // c645d76e | mov byte ptr [ebp - 0x29], 0x6e // c645d85c | mov byte ptr [ebp - 0x28], 0x5c // c645d957 | mov byte ptr [ebp - 0x27], 0x57 // c645da69 | mov byte ptr [ebp - 0x26], 0x69 $sequence_9 = { 03f7 8a03 84c0 7446 2bde } // n = 5, score = 200 // 03f7 | add esi, edi // 8a03 | mov al, byte ptr [ebx] // 84c0 | test al, al // 7446 | je 0x48 // 2bde | sub ebx, esi $sequence_10 = { 50 e8???????? 83c408 c645ac53 c645ad6f c645ae66 } // n = 6, score = 200 // 50 | push eax // e8???????? | // 83c408 | add esp, 8 // c645ac53 | mov byte ptr [ebp - 0x54], 0x53 // c645ad6f | mov byte ptr [ebp - 0x53], 0x6f // c645ae66 | mov byte ptr [ebp - 0x52], 0x66 $sequence_11 = { 6a00 6a00 8d8da4f5ffff 51 } // n = 4, score = 200 // 6a00 | push 0 // 6a00 | push 0 // 8d8da4f5ffff | lea ecx, dword ptr [ebp - 0xa5c] // 51 | push ecx $sequence_12 = { c645c36f c645c477 c645c573 c645c620 c645c74e c645c854 c645c95c } // n = 7, score = 200 // c645c36f | mov byte ptr [ebp - 0x3d], 0x6f // c645c477 | mov byte ptr [ebp - 0x3c], 0x77 // c645c573 | mov byte ptr [ebp - 0x3b], 0x73 // c645c620 | mov byte ptr [ebp - 0x3a], 0x20 // c645c74e | mov byte ptr [ebp - 0x39], 0x4e // c645c854 | mov byte ptr [ebp - 0x38], 0x54 // c645c95c | mov byte ptr [ebp - 0x37], 0x5c $sequence_13 = { 3a1a 7507 41 42 } // n = 4, score = 200 // 3a1a | cmp bl, byte ptr [edx] // 7507 | jne 9 // 41 | inc ecx // 42 | inc edx $sequence_14 = { 8b5508 52 ff15???????? 85c0 7422 } // n = 5, score = 200 // 8b5508 | mov edx, dword ptr [ebp + 8] // 52 | push edx // ff15???????? | // 85c0 | test eax, eax // 7422 | je 0x24 $sequence_15 = { 57 8b7d08 8d4de8 0f28cb 8955e4 897de0 } // n = 6, score = 200 // 57 | push edi // 8b7d08 | mov edi, dword ptr [ebp + 8] // 8d4de8 | lea ecx, dword ptr [ebp - 0x18] // 0f28cb | movaps xmm1, xmm3 // 8955e4 | mov dword ptr [ebp - 0x1c], edx // 897de0 | mov dword ptr [ebp - 0x20], edi condition: 7 of them and filesize < 638976 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY