Actor(s): Pirate Panda
There is no description at this point.
rule win_usbferry_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.usbferry." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c645b077 c645b161 c645b272 c645b365 } // n = 4, score = 200 // c645b077 | mov byte ptr [ebp - 0x50], 0x77 // c645b161 | mov byte ptr [ebp - 0x4f], 0x61 // c645b272 | mov byte ptr [ebp - 0x4e], 0x72 // c645b365 | mov byte ptr [ebp - 0x4d], 0x65 $sequence_1 = { c685b0faffff20 c685b1faffff2d c685b2faffff66 c685b3faffff20 } // n = 4, score = 200 // c685b0faffff20 | mov byte ptr [ebp - 0x550], 0x20 // c685b1faffff2d | mov byte ptr [ebp - 0x54f], 0x2d // c685b2faffff66 | mov byte ptr [ebp - 0x54e], 0x66 // c685b3faffff20 | mov byte ptr [ebp - 0x54d], 0x20 $sequence_2 = { e8???????? 33c9 3bf0 5e } // n = 4, score = 200 // e8???????? | // 33c9 | xor ecx, ecx // 3bf0 | cmp esi, eax // 5e | pop esi $sequence_3 = { 8a4201 8885a0f5ffff 838590f5ffff01 80bda0f5ffff00 75e1 8bbd90f5ffff 8bb57cf5ffff } // n = 7, score = 200 // 8a4201 | mov al, byte ptr [edx + 1] // 8885a0f5ffff | mov byte ptr [ebp - 0xa60], al // 838590f5ffff01 | add dword ptr [ebp - 0xa70], 1 // 80bda0f5ffff00 | cmp byte ptr [ebp - 0xa60], 0 // 75e1 | jne 0xffffffe3 // 8bbd90f5ffff | mov edi, dword ptr [ebp - 0xa70] // 8bb57cf5ffff | mov esi, dword ptr [ebp - 0xa84] $sequence_4 = { e8???????? 59 8906 8a0f 47 } // n = 5, score = 200 // e8???????? | // 59 | pop ecx // 8906 | mov dword ptr [esi], eax // 8a0f | mov cl, byte ptr [edi] // 47 | inc edi $sequence_5 = { 40 d3e0 844415e0 7508 46 803e00 75da } // n = 7, score = 200 // 40 | inc eax // d3e0 | shl eax, cl // 844415e0 | test byte ptr [ebp + edx - 0x20], al // 7508 | jne 0xa // 46 | inc esi // 803e00 | cmp byte ptr [esi], 0 // 75da | jne 0xffffffdc $sequence_6 = { c645cb75 c645cc72 c645cd72 c645ce65 c645cf6e } // n = 5, score = 200 // c645cb75 | mov byte ptr [ebp - 0x35], 0x75 // c645cc72 | mov byte ptr [ebp - 0x34], 0x72 // c645cd72 | mov byte ptr [ebp - 0x33], 0x72 // c645ce65 | mov byte ptr [ebp - 0x32], 0x65 // c645cf6e | mov byte ptr [ebp - 0x31], 0x6e $sequence_7 = { c785dcf7ffff01000000 33d2 8995a0f7ffff 8995a4f7ffff 8995a8f7ffff 8995acf7ffff 8d85a0f7ffff } // n = 7, score = 200 // c785dcf7ffff01000000 | mov dword ptr [ebp - 0x824], 1 // 33d2 | xor edx, edx // 8995a0f7ffff | mov dword ptr [ebp - 0x860], edx // 8995a4f7ffff | mov dword ptr [ebp - 0x85c], edx // 8995a8f7ffff | mov dword ptr [ebp - 0x858], edx // 8995acf7ffff | mov dword ptr [ebp - 0x854], edx // 8d85a0f7ffff | lea eax, [ebp - 0x860] $sequence_8 = { 8b91f0000000 898118010000 8b09 e8???????? } // n = 4, score = 200 // 8b91f0000000 | mov edx, dword ptr [ecx + 0xf0] // 898118010000 | mov dword ptr [ecx + 0x118], eax // 8b09 | mov ecx, dword ptr [ecx] // e8???????? | $sequence_9 = { 0fb611 53 8a1e 0fb6c3 2bd0 7514 } // n = 6, score = 200 // 0fb611 | movzx edx, byte ptr [ecx] // 53 | push ebx // 8a1e | mov bl, byte ptr [esi] // 0fb6c3 | movzx eax, bl // 2bd0 | sub edx, eax // 7514 | jne 0x16 $sequence_10 = { c645b45c c645b54d c645b669 c645b763 } // n = 4, score = 200 // c645b45c | mov byte ptr [ebp - 0x4c], 0x5c // c645b54d | mov byte ptr [ebp - 0x4b], 0x4d // c645b669 | mov byte ptr [ebp - 0x4a], 0x69 // c645b763 | mov byte ptr [ebp - 0x49], 0x63 $sequence_11 = { ff7110 8b9160010000 898158010000 8b09 e8???????? } // n = 5, score = 200 // ff7110 | push dword ptr [ecx + 0x10] // 8b9160010000 | mov edx, dword ptr [ecx + 0x160] // 898158010000 | mov dword ptr [ecx + 0x158], eax // 8b09 | mov ecx, dword ptr [ecx] // e8???????? | $sequence_12 = { 51 8bce e8???????? 33c0 e8???????? c3 } // n = 6, score = 200 // 51 | push ecx // 8bce | mov ecx, esi // e8???????? | // 33c0 | xor eax, eax // e8???????? | // c3 | ret $sequence_13 = { c645ec66 c645ed6c c645ee61 c645ef73 c645f068 c645f15f } // n = 6, score = 200 // c645ec66 | mov byte ptr [ebp - 0x14], 0x66 // c645ed6c | mov byte ptr [ebp - 0x13], 0x6c // c645ee61 | mov byte ptr [ebp - 0x12], 0x61 // c645ef73 | mov byte ptr [ebp - 0x11], 0x73 // c645f068 | mov byte ptr [ebp - 0x10], 0x68 // c645f15f | mov byte ptr [ebp - 0xf], 0x5f $sequence_14 = { 6a00 8d85f5f7ffff 50 e8???????? 83c40c 8b4d08 51 } // n = 7, score = 200 // 6a00 | push 0 // 8d85f5f7ffff | lea eax, [ebp - 0x80b] // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 51 | push ecx $sequence_15 = { 6a03 83fb08 ba???????? 58 0f4dc1 8bce } // n = 6, score = 200 // 6a03 | push 3 // 83fb08 | cmp ebx, 8 // ba???????? | // 58 | pop eax // 0f4dc1 | cmovge eax, ecx // 8bce | mov ecx, esi condition: 7 of them and filesize < 638976 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY