There is no description at this point.
rule win_vhd_ransomware_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.vhd_ransomware." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a04 68???????? 50 ffd6 8b15???????? } // n = 5, score = 100 // 6a04 | push 4 // 68???????? | // 50 | push eax // ffd6 | call esi // 8b15???????? | $sequence_1 = { 68000000c0 68???????? ff15???????? 8bf8 893d???????? 83ffff 0f84c4000000 } // n = 7, score = 100 // 68000000c0 | push 0xc0000000 // 68???????? | // ff15???????? | // 8bf8 | mov edi, eax // 893d???????? | // 83ffff | cmp edi, -1 // 0f84c4000000 | je 0xca $sequence_2 = { 33ff 57 57 ff15???????? 85c0 0f8469010000 } // n = 6, score = 100 // 33ff | xor edi, edi // 57 | push edi // 57 | push edi // ff15???????? | // 85c0 | test eax, eax // 0f8469010000 | je 0x16f $sequence_3 = { 56 57 83fbff 7478 8b750c } // n = 5, score = 100 // 56 | push esi // 57 | push edi // 83fbff | cmp ebx, -1 // 7478 | je 0x7a // 8b750c | mov esi, dword ptr [ebp + 0xc] $sequence_4 = { 0f8491020000 8d9b00000000 8b4d1c 295ddc 8b4508 83f910 } // n = 6, score = 100 // 0f8491020000 | je 0x297 // 8d9b00000000 | lea ebx, [ebx] // 8b4d1c | mov ecx, dword ptr [ebp + 0x1c] // 295ddc | sub dword ptr [ebp - 0x24], ebx // 8b4508 | mov eax, dword ptr [ebp + 8] // 83f910 | cmp ecx, 0x10 $sequence_5 = { 833a00 7509 48 83ea04 83f801 7ff2 8945fc } // n = 7, score = 100 // 833a00 | cmp dword ptr [edx], 0 // 7509 | jne 0xb // 48 | dec eax // 83ea04 | sub edx, 4 // 83f801 | cmp eax, 1 // 7ff2 | jg 0xfffffff4 // 8945fc | mov dword ptr [ebp - 4], eax $sequence_6 = { 899485d4fcffff 40 83c104 3b85d0fcffff 7ceb 33c0 8d4b04 } // n = 7, score = 100 // 899485d4fcffff | mov dword ptr [ebp + eax*4 - 0x32c], edx // 40 | inc eax // 83c104 | add ecx, 4 // 3b85d0fcffff | cmp eax, dword ptr [ebp - 0x330] // 7ceb | jl 0xffffffed // 33c0 | xor eax, eax // 8d4b04 | lea ecx, [ebx + 4] $sequence_7 = { 39852c030000 7e14 8d4e04 8b948530030000 } // n = 4, score = 100 // 39852c030000 | cmp dword ptr [ebp + 0x32c], eax // 7e14 | jle 0x16 // 8d4e04 | lea ecx, [esi + 4] // 8b948530030000 | mov edx, dword ptr [ebp + eax*4 + 0x330] $sequence_8 = { 8d57fe 83c010 83fa3c 0f820dfdffff 8b01 } // n = 5, score = 100 // 8d57fe | lea edx, [edi - 2] // 83c010 | add eax, 0x10 // 83fa3c | cmp edx, 0x3c // 0f820dfdffff | jb 0xfffffd13 // 8b01 | mov eax, dword ptr [ecx] $sequence_9 = { 893c86 40 83e904 3bc2 7cf3 33c0 b9c8000000 } // n = 7, score = 100 // 893c86 | mov dword ptr [esi + eax*4], edi // 40 | inc eax // 83e904 | sub ecx, 4 // 3bc2 | cmp eax, edx // 7cf3 | jl 0xfffffff5 // 33c0 | xor eax, eax // b9c8000000 | mov ecx, 0xc8 condition: 7 of them and filesize < 275456 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY