Actor(s): Comment Crew
There is no description at this point.
rule win_webc2_div_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.webc2_div." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 5f e9???????? 6a3c 51 e9???????? 85c0 0f842c010000 } // n = 7, score = 100 // 5f | pop edi // e9???????? | // 6a3c | push 0x3c // 51 | push ecx // e9???????? | // 85c0 | test eax, eax // 0f842c010000 | je 0x132 $sequence_1 = { 81c2b4000000 69d260ea0000 895604 eb73 8d4505 50 } // n = 6, score = 100 // 81c2b4000000 | add edx, 0xb4 // 69d260ea0000 | imul edx, edx, 0xea60 // 895604 | mov dword ptr [esi + 4], edx // eb73 | jmp 0x75 // 8d4505 | lea eax, [ebp + 5] // 50 | push eax $sequence_2 = { ff15???????? ff7508 8b35???????? 85c0 7512 } // n = 5, score = 100 // ff15???????? | // ff7508 | push dword ptr [ebp + 8] // 8b35???????? | // 85c0 | test eax, eax // 7512 | jne 0x14 $sequence_3 = { 771a 8b442414 0540f087fc 50 ffd5 015c2410 8144241460ce5800 } // n = 7, score = 100 // 771a | ja 0x1c // 8b442414 | mov eax, dword ptr [esp + 0x14] // 0540f087fc | add eax, 0xfc87f040 // 50 | push eax // ffd5 | call ebp // 015c2410 | add dword ptr [esp + 0x10], ebx // 8144241460ce5800 | add dword ptr [esp + 0x14], 0x58ce60 $sequence_4 = { 894508 7509 57 ff15???????? eb54 a0???????? } // n = 6, score = 100 // 894508 | mov dword ptr [ebp + 8], eax // 7509 | jne 0xb // 57 | push edi // ff15???????? | // eb54 | jmp 0x56 // a0???????? | $sequence_5 = { 894c243c ff15???????? 85c0 5f 750a } // n = 5, score = 100 // 894c243c | mov dword ptr [esp + 0x3c], ecx // ff15???????? | // 85c0 | test eax, eax // 5f | pop edi // 750a | jne 0xc $sequence_6 = { f7d1 2bf9 8d95f0feffff 8bf7 8bfa 8bd1 } // n = 6, score = 100 // f7d1 | not ecx // 2bf9 | sub edi, ecx // 8d95f0feffff | lea edx, [ebp - 0x110] // 8bf7 | mov esi, edi // 8bfa | mov edi, edx // 8bd1 | mov edx, ecx $sequence_7 = { f7d1 49 8bf1 8d7e01 } // n = 4, score = 100 // f7d1 | not ecx // 49 | dec ecx // 8bf1 | mov esi, ecx // 8d7e01 | lea edi, [esi + 1] $sequence_8 = { 8885ecf9ffff 33c0 8dbdedf9ffff 8975f8 f3ab } // n = 5, score = 100 // 8885ecf9ffff | mov byte ptr [ebp - 0x614], al // 33c0 | xor eax, eax // 8dbdedf9ffff | lea edi, [ebp - 0x613] // 8975f8 | mov dword ptr [ebp - 8], esi // f3ab | rep stosd dword ptr es:[edi], eax $sequence_9 = { 8bc5 bb16000000 99 f7ff 8bc1 8d3c9510114000 99 } // n = 7, score = 100 // 8bc5 | mov eax, ebp // bb16000000 | mov ebx, 0x16 // 99 | cdq // f7ff | idiv edi // 8bc1 | mov eax, ecx // 8d3c9510114000 | lea edi, [edx*4 + 0x401110] // 99 | cdq condition: 7 of them and filesize < 32768 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY