Ransomware.
rule win_void_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.void." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c785d4fbffff0f000000 c685c0fbffff00 e8???????? 6a0c 68???????? 8d8dd8fbffff } // n = 6, score = 200 // c785d4fbffff0f000000 | mov dword ptr [ebp - 0x42c], 0xf // c685c0fbffff00 | mov byte ptr [ebp - 0x440], 0 // e8???????? | // 6a0c | push 0xc // 68???????? | // 8d8dd8fbffff | lea ecx, [ebp - 0x428] $sequence_1 = { c744f80400000000 ff4610 836c241801 8b5610 0f8579ffffff b901000000 8b7b5c } // n = 7, score = 200 // c744f80400000000 | mov dword ptr [eax + edi*8 + 4], 0 // ff4610 | inc dword ptr [esi + 0x10] // 836c241801 | sub dword ptr [esp + 0x18], 1 // 8b5610 | mov edx, dword ptr [esi + 0x10] // 0f8579ffffff | jne 0xffffff7f // b901000000 | mov ecx, 1 // 8b7b5c | mov edi, dword ptr [ebx + 0x5c] $sequence_2 = { ff74243c ff928c000000 8b74241c 8bc8 894c2410 85c9 0f85a1000000 } // n = 7, score = 200 // ff74243c | push dword ptr [esp + 0x3c] // ff928c000000 | call dword ptr [edx + 0x8c] // 8b74241c | mov esi, dword ptr [esp + 0x1c] // 8bc8 | mov ecx, eax // 894c2410 | mov dword ptr [esp + 0x10], ecx // 85c9 | test ecx, ecx // 0f85a1000000 | jne 0xa7 $sequence_3 = { 8b7c243c 2bc3 c1e002 8944244c 8d0c38 c7043800000000 894c2444 } // n = 7, score = 200 // 8b7c243c | mov edi, dword ptr [esp + 0x3c] // 2bc3 | sub eax, ebx // c1e002 | shl eax, 2 // 8944244c | mov dword ptr [esp + 0x4c], eax // 8d0c38 | lea ecx, [eax + edi] // c7043800000000 | mov dword ptr [eax + edi], 0 // 894c2444 | mov dword ptr [esp + 0x44], ecx $sequence_4 = { 8bfa 8bf1 e8???????? 83c40c 85c0 740e 893e } // n = 7, score = 200 // 8bfa | mov edi, edx // 8bf1 | mov esi, ecx // e8???????? | // 83c40c | add esp, 0xc // 85c0 | test eax, eax // 740e | je 0x10 // 893e | mov dword ptr [esi], edi $sequence_5 = { 23ce 89442434 8bc7 23c3 89542454 0bc8 c1c205 } // n = 7, score = 200 // 23ce | and ecx, esi // 89442434 | mov dword ptr [esp + 0x34], eax // 8bc7 | mov eax, edi // 23c3 | and eax, ebx // 89542454 | mov dword ptr [esp + 0x54], edx // 0bc8 | or ecx, eax // c1c205 | rol edx, 5 $sequence_6 = { e8???????? 8b4b44 8b4608 8d0445ffffffff 23c1 89460c 8b7e10 } // n = 7, score = 200 // e8???????? | // 8b4b44 | mov ecx, dword ptr [ebx + 0x44] // 8b4608 | mov eax, dword ptr [esi + 8] // 8d0445ffffffff | lea eax, [eax*2 - 1] // 23c1 | and eax, ecx // 89460c | mov dword ptr [esi + 0xc], eax // 8b7e10 | mov edi, dword ptr [esi + 0x10] $sequence_7 = { 8b01 6a01 ff10 8b7ddc 8d4dd0 8b75e0 51 } // n = 7, score = 200 // 8b01 | mov eax, dword ptr [ecx] // 6a01 | push 1 // ff10 | call dword ptr [eax] // 8b7ddc | mov edi, dword ptr [ebp - 0x24] // 8d4dd0 | lea ecx, [ebp - 0x30] // 8b75e0 | mov esi, dword ptr [ebp - 0x20] // 51 | push ecx $sequence_8 = { 8bbd6cffffff 8b8d68ffffff 8b55b4 8b4590 c60700 8901 83fa10 } // n = 7, score = 200 // 8bbd6cffffff | mov edi, dword ptr [ebp - 0x94] // 8b8d68ffffff | mov ecx, dword ptr [ebp - 0x98] // 8b55b4 | mov edx, dword ptr [ebp - 0x4c] // 8b4590 | mov eax, dword ptr [ebp - 0x70] // c60700 | mov byte ptr [edi], 0 // 8901 | mov dword ptr [ecx], eax // 83fa10 | cmp edx, 0x10 $sequence_9 = { e8???????? 8d460c c745fc00000000 50 8d45dc 50 8d4dc4 } // n = 7, score = 200 // e8???????? | // 8d460c | lea eax, [esi + 0xc] // c745fc00000000 | mov dword ptr [ebp - 4], 0 // 50 | push eax // 8d45dc | lea eax, [ebp - 0x24] // 50 | push eax // 8d4dc4 | lea ecx, [ebp - 0x3c] condition: 7 of them and filesize < 2744320 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY