Actor(s): Axiom
There is no description at this point.
rule win_winnti_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.winnti." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 50 56 ffd5 85c0 75db 56 } // n = 6, score = 200 // 50 | push eax // 56 | push esi // ffd5 | call ebp // 85c0 | test eax, eax // 75db | jne 0xffffffdd // 56 | push esi $sequence_1 = { c3 8d7c2428 83c9ff 33c0 } // n = 4, score = 200 // c3 | ret // 8d7c2428 | lea edi, dword ptr [esp + 0x28] // 83c9ff | or ecx, 0xffffffff // 33c0 | xor eax, eax $sequence_2 = { ff15???????? 85c0 7428 8d542418 8d442410 52 8d4c2420 } // n = 7, score = 200 // ff15???????? | // 85c0 | test eax, eax // 7428 | je 0x2a // 8d542418 | lea edx, dword ptr [esp + 0x18] // 8d442410 | lea eax, dword ptr [esp + 0x10] // 52 | push edx // 8d4c2420 | lea ecx, dword ptr [esp + 0x20] $sequence_3 = { 7444 83c706 6a3a 57 ff15???????? } // n = 5, score = 200 // 7444 | je 0x46 // 83c706 | add edi, 6 // 6a3a | push 0x3a // 57 | push edi // ff15???????? | $sequence_4 = { 8d542460 f3ab 52 33f6 c644241700 } // n = 5, score = 200 // 8d542460 | lea edx, dword ptr [esp + 0x60] // f3ab | rep stosd dword ptr es:[edi], eax // 52 | push edx // 33f6 | xor esi, esi // c644241700 | mov byte ptr [esp + 0x17], 0 $sequence_5 = { 49 807c31ff0d 740e c604310d c64431010a c644310200 } // n = 6, score = 200 // 49 | dec ecx // 807c31ff0d | cmp byte ptr [ecx + esi - 1], 0xd // 740e | je 0x10 // c604310d | mov byte ptr [ecx + esi], 0xd // c64431010a | mov byte ptr [ecx + esi + 1], 0xa // c644310200 | mov byte ptr [ecx + esi + 2], 0 $sequence_6 = { 57 b908000000 33c0 8d7c2414 8d7508 } // n = 5, score = 200 // 57 | push edi // b908000000 | mov ecx, 8 // 33c0 | xor eax, eax // 8d7c2414 | lea edi, dword ptr [esp + 0x14] // 8d7508 | lea esi, dword ptr [ebp + 8] $sequence_7 = { 8b4e08 8a54242c 83c40c 83c502 88140f 8b460c } // n = 6, score = 200 // 8b4e08 | mov ecx, dword ptr [esi + 8] // 8a54242c | mov dl, byte ptr [esp + 0x2c] // 83c40c | add esp, 0xc // 83c502 | add ebp, 2 // 88140f | mov byte ptr [edi + ecx], dl // 8b460c | mov eax, dword ptr [esi + 0xc] $sequence_8 = { 0fb7c9 48c1e105 488b04d0 448b7c0810 49ffcc } // n = 5, score = 100 // 0fb7c9 | lea ecx, dword ptr [0xffff0f05] // 48c1e105 | inc ebp // 488b04d0 | mov ah, byte ptr [eax] // 448b7c0810 | inc ebp // 49ffcc | test ah, ah $sequence_9 = { 4c894018 57 4156 4157 4881ecd0000000 4533f6 } // n = 6, score = 100 // 4c894018 | nop // 57 | mov ecx, dword ptr [esp + 0x38] // 4156 | mov eax, ebp // 4157 | imul eax, ecx // 4881ecd0000000 | mov edx, dword ptr [esp + 0x20] // 4533f6 | add eax, edx $sequence_10 = { 8b4704 4c8d050af40000 89442428 488d4500 418d542482 458bcc } // n = 6, score = 100 // 8b4704 | mov ecx, dword ptr [ebx + eax*8] // 4c8d050af40000 | dec eax // 89442428 | arpl word ptr [ecx + edx + 0x14], ax // 488d4500 | test eax, eax // 418d542482 | je 0x5a // 458bcc | dec esp $sequence_11 = { 418bcf b8c00a0100 48f7f1 85d2 7441 } // n = 5, score = 100 // 418bcf | dec esp // b8c00a0100 | lea esi, dword ptr [edi + 0x68] // 48f7f1 | dec esp // 85d2 | lea eax, dword ptr [0xf9f7] // 7441 | dec eax $sequence_12 = { 41f6c308 740f 4002ff b804000000 402ac7 41884009 410fb6c3 } // n = 7, score = 100 // 41f6c308 | mov dword ptr [esi + 4], eax // 740f | lea eax, dword ptr [eax + ecx - 1] // 4002ff | nop dword ptr [eax + eax] // b804000000 | inc ecx // 402ac7 | cmp byte ptr [ecx], 0x66 // 41884009 | inc eax // 410fb6c3 | movzx edi, bh $sequence_13 = { 8b7c2444 4c8b442468 8b542460 41bb00020000 4c8d0d050fffff 458a20 4584e4 } // n = 7, score = 100 // 8b7c2444 | mov edi, dword ptr [esp + 0x44] // 4c8b442468 | dec esp // 8b542460 | mov eax, dword ptr [esp + 0x68] // 41bb00020000 | mov edx, dword ptr [esp + 0x60] // 4c8d0d050fffff | inc ecx // 458a20 | mov ebx, 0x200 // 4584e4 | dec esp $sequence_14 = { 4c8d7768 4c8d05f7f90000 488bd3 488bcd e8???????? } // n = 5, score = 100 // 4c8d7768 | mov eax, dword ptr [edi + 4] // 4c8d05f7f90000 | dec esp // 488bd3 | lea eax, dword ptr [0xf40a] // 488bcd | mov dword ptr [esp + 0x28], eax // e8???????? | $sequence_15 = { 8b4308 ffc7 ffc8 4883c608 c1f810 ffc0 } // n = 6, score = 100 // 8b4308 | dec ecx // ffc7 | dec esp // ffc8 | movzx edx, cx // 4883c608 | dec eax // c1f810 | shl edx, 5 // ffc0 | dec ecx $sequence_16 = { 8bc8 483bca 72ed eb2d } // n = 4, score = 100 // 8bc8 | mov edx, ebx // 483bca | dec eax // 72ed | mov ecx, ebp // eb2d | dec esp $sequence_17 = { 488d4dd0 488bd8 488d053c690100 48894510 e8???????? } // n = 5, score = 100 // 488d4dd0 | dec eax // 488bd8 | add esi, 8 // 488d053c690100 | sar eax, 0x10 // 48894510 | inc eax // e8???????? | $sequence_18 = { eb10 418b10 25ff0f0000 488d0c03 } // n = 4, score = 100 // eb10 | inc eax // 418b10 | movzx esi, dh // 25ff0f0000 | cmove edi, ecx // 488d0c03 | inc ecx $sequence_19 = { 0fb7d1 48c1e205 498b0cc3 4863441114 85c0 744d 4c8bc8 } // n = 7, score = 100 // 0fb7d1 | movzx ecx, cx // 48c1e205 | dec eax // 498b0cc3 | shl ecx, 5 // 4863441114 | dec eax // 85c0 | mov eax, dword ptr [eax + edx*8] // 744d | inc esp // 4c8bc8 | mov edi, dword ptr [eax + ecx + 0x10] $sequence_20 = { 4803ca 49010e 4883c430 415f } // n = 4, score = 100 // 4803ca | lea eax, dword ptr [0xf9f7] // 49010e | dec eax // 4883c430 | mov edx, ebx // 415f | dec eax $sequence_21 = { 8a03 4b8b8cf800a20b00 48ffc3 88443139 } // n = 4, score = 100 // 8a03 | mov ecx, eax // 4b8b8cf800a20b00 | mov eax, dword ptr [ebx + 8] // 48ffc3 | inc edi // 88443139 | dec eax $sequence_22 = { 0f1f440000 41803966 400fb6ff 400fb6f6 0f44f9 41803967 } // n = 6, score = 100 // 0f1f440000 | dec eax // 41803966 | mov ebx, eax // 400fb6ff | dec eax // 400fb6f6 | lea eax, dword ptr [0x1693c] // 0f44f9 | dec eax // 41803967 | mov dword ptr [ebp + 0x10], eax $sequence_23 = { c1ea03 0fb6c2 c0e002 8d0c10 02c9 442ac9 } // n = 6, score = 100 // c1ea03 | mov ecx, ebp // 0fb6c2 | test eax, eax // c0e002 | dec eax // 8d0c10 | lea edx, dword ptr [0xad40] // 02c9 | dec eax // 442ac9 | lea ecx, dword ptr [0xad31] condition: 7 of them and filesize < 1581056 }
rule win_winnti_w0 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $load_magic = { C7 44 ?? ?? FF D8 FF E0 } $iter = { E9 EA EB EC ED EE EF F0 } $jpeg = { FF D8 FF E0 00 00 00 00 00 00 } condition: uint16(0) == 0x5a4d and $jpeg and ($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 ) }
rule win_winnti_w1 { meta: author = "BR Data" source = "https://github.com/br-data/2019-winnti-analyse/" date = "2019-07-24" description = "rules used for retrohunting by BR Data." malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20190822" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $cooper = "Cooper" $pattern = { e9 ea eb ec ed ee ef f0} condition: uint16(0) == 0x5a4d and $cooper and ($pattern in (@cooper[1]..@cooper[1]+100)) }
rule win_winnti_w2 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase condition: (any of ($e*)) }
rule win_winnti_w3 { meta: author = "Bundesamt fuer Verfassungsschutz" source = "https://www.verfassungsschutz.de/download/anlage-2019-12-bfv-cyber-brief-2019-01.txt" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" malpedia_version = "20191207" malpedia_sharing = "TLP:WHITE" malpedia_license = "" strings: $a1 = "IPSecMiniPort" wide fullword $a2 = "ndis6fw" wide fullword $a3 = "TCPIP" wide fullword $a4 = "NDIS.SYS" ascii fullword $a5 = "ntoskrnl.exe" ascii fullword $a6 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide $a7 = "\\Device\\Null" wide $a8 = "\\Device" wide $a9 = "\\Driver" wide $b1 = { 66 81 7? ?? 70 17 } $b2 = { 81 7? ?? 07 E0 15 00 } $b3 = { 8B 46 18 3D 03 60 15 00 } condition: (6 of ($a*)) and (2 of ($b*)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
