Actor(s): Axiom
There is no description at this point.
rule win_winnti_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-11-21" version = "1" description = "Detects win.winnti." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_rule_date = "20221118" malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af" malpedia_version = "20221125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 57 8b4b44 8b5348 8b6b14 33ff 8d3401 } // n = 6, score = 200 // 57 | push edi // 8b4b44 | mov ecx, dword ptr [ebx + 0x44] // 8b5348 | mov edx, dword ptr [ebx + 0x48] // 8b6b14 | mov ebp, dword ptr [ebx + 0x14] // 33ff | xor edi, edi // 8d3401 | lea esi, [ecx + eax] $sequence_1 = { 50 ffd5 e9???????? 66397c241a 750f } // n = 5, score = 200 // 50 | push eax // ffd5 | call ebp // e9???????? | // 66397c241a | cmp word ptr [esp + 0x1a], di // 750f | jne 0x11 $sequence_2 = { 7706 397c2424 7679 a1???????? 85c0 7470 } // n = 6, score = 200 // 7706 | ja 8 // 397c2424 | cmp dword ptr [esp + 0x24], edi // 7679 | jbe 0x7b // a1???????? | // 85c0 | test eax, eax // 7470 | je 0x72 $sequence_3 = { 3bc3 0f8508010000 33c0 8bfd 83c9ff 89442410 } // n = 6, score = 200 // 3bc3 | cmp eax, ebx // 0f8508010000 | jne 0x10e // 33c0 | xor eax, eax // 8bfd | mov edi, ebp // 83c9ff | or ecx, 0xffffffff // 89442410 | mov dword ptr [esp + 0x10], eax $sequence_4 = { 83ec10 56 57 6a00 6a01 8bf1 } // n = 6, score = 200 // 83ec10 | sub esp, 0x10 // 56 | push esi // 57 | push edi // 6a00 | push 0 // 6a01 | push 1 // 8bf1 | mov esi, ecx $sequence_5 = { 51 52 68???????? 8d84243c020000 6800020000 } // n = 5, score = 200 // 51 | push ecx // 52 | push edx // 68???????? | // 8d84243c020000 | lea eax, [esp + 0x23c] // 6800020000 | push 0x200 $sequence_6 = { 56 8bf1 8b4624 85c0 740e } // n = 5, score = 200 // 56 | push esi // 8bf1 | mov esi, ecx // 8b4624 | mov eax, dword ptr [esi + 0x24] // 85c0 | test eax, eax // 740e | je 0x10 $sequence_7 = { ffd5 8b44241c 3d08020000 7387 3bc7 } // n = 5, score = 200 // ffd5 | call ebp // 8b44241c | mov eax, dword ptr [esp + 0x1c] // 3d08020000 | cmp eax, 0x208 // 7387 | jae 0xffffff89 // 3bc7 | cmp eax, edi $sequence_8 = { 8943f8 8b42f4 8943fc 8b42f8 8903 } // n = 5, score = 100 // 8943f8 | je 0x79 // 8b42f4 | nop // 8943fc | dec eax // 8b42f8 | lea ecx, [0x8262] // 8903 | dec eax $sequence_9 = { 7525 488bc8 ff15???????? 488bc8 } // n = 4, score = 100 // 7525 | mov ebx, dword ptr [esp + 0x50] // 488bc8 | mov eax, 0xfffffffe // ff15???????? | // 488bc8 | inc ecx $sequence_10 = { 418800 4180fa0f 0f8625feffff 41800801 e9???????? 488b742428 } // n = 6, score = 100 // 418800 | mov eax, 0x28 // 4180fa0f | dec eax // 0f8625feffff | mov edi, dword ptr [esp + 0x58] // 41800801 | mov dword ptr [ebx + 0x14], 0xfffffffe // e9???????? | // 488b742428 | mov eax, 0xfffffffe $sequence_11 = { b801000080 0fa2 f7c200001020 895c2404 488b5c2420 } // n = 5, score = 100 // b801000080 | mov byte ptr [eax], al // 0fa2 | inc ecx // f7c200001020 | cmp dl, 0xf // 895c2404 | jbe 0xfffffe2f // 488b5c2420 | inc ecx $sequence_12 = { 498bd4 488bcd e8???????? 85c0 751a 488d1500720000 41b810200100 } // n = 7, score = 100 // 498bd4 | dec ebp // 488bcd | lea esp, [ebp + 0x40] // e8???????? | // 85c0 | dec ebp // 751a | test esp, esp // 488d1500720000 | dec ecx // 41b810200100 | mov ebp, esp $sequence_13 = { 75d2 488b4e50 e8???????? 4c396e58 } // n = 4, score = 100 // 75d2 | add esp, 0x20 // 488b4e50 | inc ecx // e8???????? | // 4c396e58 | pop edi $sequence_14 = { 488bda 8bf9 0f858a000000 488bca e8???????? 488d1578c50a00 } // n = 6, score = 100 // 488bda | jne 0x37 // 8bf9 | inc ecx // 0f858a000000 | cmp ecx, 0x30 // 488bca | jne 0x31 // e8???????? | // 488d1578c50a00 | dec esp $sequence_15 = { 4889442468 0fb68540050000 4c8d1d27390000 4c8d442430 48894588 498b4640 } // n = 6, score = 100 // 4889442468 | lea eax, [ebx + 0x18] // 0fb68540050000 | dec eax // 4c8d1d27390000 | lea edx, [ebx + 0x20] // 4c8d442430 | dec eax // 48894588 | mov ecx, ebp // 498b4640 | mov eax, 0x80000001 $sequence_16 = { 7423 488d78f8 4c8d0da8e9ffff 448b07 ba38000000 488bc8 } // n = 6, score = 100 // 7423 | test eax, eax // 488d78f8 | dec eax // 4c8d0da8e9ffff | mov dword ptr [ebp + 0x10f0], eax // 448b07 | je 0xf5 // ba38000000 | dec eax // 488bc8 | mov ecx, eax $sequence_17 = { 488d0d62820000 e8???????? 4883c438 c3 4d85c0 } // n = 5, score = 100 // 488d0d62820000 | dec eax // e8???????? | // 4883c438 | mov eax, dword ptr [ebp + 8] // c3 | inc ecx // 4d85c0 | mov ah, 1 $sequence_18 = { 41b828000000 e8???????? 488b7c2458 c74314feffffff b8feffffff 4883c430 } // n = 6, score = 100 // 41b828000000 | dec eax // e8???????? | // 488b7c2458 | mov ebx, dword ptr [esp + 0x88] // c74314feffffff | dec ecx // b8feffffff | cmp eax, edx // 4883c430 | je 0xa $sequence_19 = { 0fb610 488d4001 84c9 7404 3aca } // n = 5, score = 100 // 0fb610 | xor eax, eax // 488d4001 | dec eax // 84c9 | mov esi, dword ptr [esp + 0x78] // 7404 | dec eax // 3aca | mov ebx, dword ptr [esp + 0x70] $sequence_20 = { 33d2 e8???????? 8bc7 ebc0 b8feffffff 488b9c2488000000 } // n = 6, score = 100 // 33d2 | dec esp // e8???????? | // 8bc7 | lea ebx, [esp + 0x50] // ebc0 | dec ecx // b8feffffff | mov ebp, dword ptr [ebx + 0x30] // 488b9c2488000000 | jne 0xffffffd4 $sequence_21 = { 48895c2430 488b06 48833c0700 742a 488b0c07 4885c9 } // n = 6, score = 100 // 48895c2430 | cmp dword ptr [ecx + 0x30], -1 // 488b06 | jne 0x15 // 48833c0700 | jbe 8 // 742a | add dword ptr [edi + 0x28], -1 // 488b0c07 | jmp 0x49 // 4885c9 | mov dword ptr [edi], 0x18900916 $sequence_22 = { 488d0d34b30a00 483bd9 723e 488d05b8b60a00 483bd8 } // n = 5, score = 100 // 488d0d34b30a00 | cpuid // 483bd9 | test edx, 0x20100000 // 723e | mov dword ptr [esp + 4], ebx // 488d05b8b60a00 | dec eax // 483bd8 | mov ebx, dword ptr [esp + 0x20] $sequence_23 = { 39a98c000000 7f58 448d6c2d04 4963cd 48c1e103 } // n = 5, score = 100 // 39a98c000000 | add esp, 0x38 // 7f58 | ret // 448d6c2d04 | dec ebp // 4963cd | test eax, eax // 48c1e103 | dec eax condition: 7 of them and filesize < 1581056 }
rule win_winnti_w0 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $load_magic = { C7 44 ?? ?? FF D8 FF E0 } $iter = { E9 EA EB EC ED EE EF F0 } $jpeg = { FF D8 FF E0 00 00 00 00 00 00 } condition: uint16(0) == 0x5a4d and $jpeg and ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 ) }
rule win_winnti_w1 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $cooper = "Cooper" $pattern = { e9 ea eb ec ed ee ef f0} condition: uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100)) }
rule win_winnti_w2 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase condition: (any of ($e*)) }
rule win_winnti_w3 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $a1 = "IPSecMiniPort" wide fullword $a2 = "ndis6fw" wide fullword $a3 = "TCPIP" wide fullword $a4 = "NDIS.SYS" ascii fullword $a5 = "ntoskrnl.exe" ascii fullword $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $a7 = "\\Device\\Null" wide $a8 = "\\Device" wide $a9 = "\\Driver" wide $b1 = { 66 81 7? ?? 70 17 } $b2 = { 81 7? ?? 07 E0 15 00 } $b3 = { 8B 46 18 3D 03 60 15 00 } condition: (6 of ($a*)) and (2 of ($b*)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
