Actor(s): Pirate Panda
There is no description at this point.
rule win_usbferry_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.usbferry." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c685abfaffff6b c685acfaffff6b c685adfaffff69 c685aefaffff6c c685affaffff6c } // n = 5, score = 200 // c685abfaffff6b | mov byte ptr [ebp - 0x555], 0x6b // c685acfaffff6b | mov byte ptr [ebp - 0x554], 0x6b // c685adfaffff69 | mov byte ptr [ebp - 0x553], 0x69 // c685aefaffff6c | mov byte ptr [ebp - 0x552], 0x6c // c685affaffff6c | mov byte ptr [ebp - 0x551], 0x6c $sequence_1 = { 75a5 8b4dfc 8b45f8 8b5718 2bd0 84db } // n = 6, score = 200 // 75a5 | jne 0xffffffa7 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 8b45f8 | mov eax, dword ptr [ebp - 8] // 8b5718 | mov edx, dword ptr [edi + 0x18] // 2bd0 | sub edx, eax // 84db | test bl, bl $sequence_2 = { 3c2d 7501 42 33c0 eb11 80fb39 } // n = 6, score = 200 // 3c2d | cmp al, 0x2d // 7501 | jne 3 // 42 | inc edx // 33c0 | xor eax, eax // eb11 | jmp 0x13 // 80fb39 | cmp bl, 0x39 $sequence_3 = { 83c40c 6a00 6a00 8d8da4f5ffff 51 } // n = 5, score = 200 // 83c40c | add esp, 0xc // 6a00 | push 0 // 6a00 | push 0 // 8d8da4f5ffff | lea ecx, [ebp - 0xa5c] // 51 | push ecx $sequence_4 = { c645ec66 c645ed6c c645ee61 c645ef73 } // n = 4, score = 200 // c645ec66 | mov byte ptr [ebp - 0x14], 0x66 // c645ed6c | mov byte ptr [ebp - 0x13], 0x6c // c645ee61 | mov byte ptr [ebp - 0x12], 0x61 // c645ef73 | mov byte ptr [ebp - 0x11], 0x73 $sequence_5 = { 742c 8b4de0 51 ff15???????? c745c000000000 } // n = 5, score = 200 // 742c | je 0x2e // 8b4de0 | mov ecx, dword ptr [ebp - 0x20] // 51 | push ecx // ff15???????? | // c745c000000000 | mov dword ptr [ebp - 0x40], 0 $sequence_6 = { 8bc7 5f 99 f7ff } // n = 4, score = 200 // 8bc7 | mov eax, edi // 5f | pop edi // 99 | cdq // f7ff | idiv edi $sequence_7 = { 898154010000 8b09 e8???????? 8b0d???????? ff7110 8b9160010000 } // n = 6, score = 200 // 898154010000 | mov dword ptr [ecx + 0x154], eax // 8b09 | mov ecx, dword ptr [ecx] // e8???????? | // 8b0d???????? | // ff7110 | push dword ptr [ecx + 0x10] // 8b9160010000 | mov edx, dword ptr [ecx + 0x160] $sequence_8 = { 8b5d08 56 57 8bf9 0fb637 47 8d46bf } // n = 7, score = 200 // 8b5d08 | mov ebx, dword ptr [ebp + 8] // 56 | push esi // 57 | push edi // 8bf9 | mov edi, ecx // 0fb637 | movzx esi, byte ptr [edi] // 47 | inc edi // 8d46bf | lea eax, [esi - 0x41] $sequence_9 = { 8a02 8b742414 84c0 7407 8807 e9???????? } // n = 6, score = 200 // 8a02 | mov al, byte ptr [edx] // 8b742414 | mov esi, dword ptr [esp + 0x14] // 84c0 | test al, al // 7407 | je 9 // 8807 | mov byte ptr [edi], al // e9???????? | $sequence_10 = { e8???????? 8b0d???????? 83c440 ff7110 8b91d0000000 } // n = 5, score = 200 // e8???????? | // 8b0d???????? | // 83c440 | add esp, 0x40 // ff7110 | push dword ptr [ecx + 0x10] // 8b91d0000000 | mov edx, dword ptr [ecx + 0xd0] $sequence_11 = { ff5060 ff75e0 8b0d???????? ff514c c3 } // n = 5, score = 200 // ff5060 | call dword ptr [eax + 0x60] // ff75e0 | push dword ptr [ebp - 0x20] // 8b0d???????? | // ff514c | call dword ptr [ecx + 0x4c] // c3 | ret $sequence_12 = { 6a01 8d85a8faffff 50 e8???????? 83c408 } // n = 5, score = 200 // 6a01 | push 1 // 8d85a8faffff | lea eax, [ebp - 0x558] // 50 | push eax // e8???????? | // 83c408 | add esp, 8 $sequence_13 = { 85c0 7422 c745d000000000 6afe 8d55f0 52 } // n = 6, score = 200 // 85c0 | test eax, eax // 7422 | je 0x24 // c745d000000000 | mov dword ptr [ebp - 0x30], 0 // 6afe | push -2 // 8d55f0 | lea edx, [ebp - 0x10] // 52 | push edx $sequence_14 = { 8b8588f5ffff 89857cf5ffff 899578f5ffff 8d8da8faffff } // n = 4, score = 200 // 8b8588f5ffff | mov eax, dword ptr [ebp - 0xa78] // 89857cf5ffff | mov dword ptr [ebp - 0xa84], eax // 899578f5ffff | mov dword ptr [ebp - 0xa88], edx // 8d8da8faffff | lea ecx, [ebp - 0x558] $sequence_15 = { 6a00 8d85f5f7ffff 50 e8???????? 83c40c } // n = 5, score = 200 // 6a00 | push 0 // 8d85f5f7ffff | lea eax, [ebp - 0x80b] // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc condition: 7 of them and filesize < 638976 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY