There is no description at this point.
rule win_woody_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.woody."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on applying this rule:
     * - Every sequence below is a raw x86 (32-bit) opcode run taken from the
     *   unpacked code. Scan unpacked samples or memory dumps; a packed
     *   on-disk binary will not contain these bytes.
     * - `e8????????` / `e9????????` / `ff15????????` / `66a3????????` wildcard
     *   the call/jmp/memory operand, so relative targets and data addresses
     *   do not need to match.
     * - $sequence_4 and $sequence_8 each end in a push of an absolute
     *   address (0x1001b2b4, 0x1001eae8). These look like pointers into an
     *   image based at 0x10000000 (a DLL default); a rebased or differently
     *   linked build would likely break those two sequences, leaving
     *   8 of 10 to satisfy the 7-of-them condition. Treat them as the most
     *   brittle sequences when tuning confidence.
     * - The filesize cap (409600 bytes) is a false-positive guard; it also
     *   excludes large memory dumps, so drop or raise it when scanning
     *   process memory.
     */

    strings:
        // n = 7, score = 100
        // lea eax, [esi + 4] / lea ecx, [ebp + 8] / push eax / call ... /
        // add esi, 0x108 / lea ecx, [ebp + 8] / push esi
        $sequence_0 = { 8d4604 8d4d08 50 e8???????? 81c608010000 8d4d08 56 }

        // n = 7, score = 100
        // mov esi, eax / call ... / test al, al / jne 0xf /
        // pop edi / pop esi / pop ebp  (function epilogue after a bool-returning call)
        $sequence_1 = { 8bf0 e8???????? 84c0 750d 5f 5e 5d }

        // n = 7, score = 100
        // call [mem] / test eax, eax / jne 0x156 / mov ecx, 0x31 /
        // lea edi, [esp + 0x29] / mov byte ptr [esp + 0x28], al /
        // mov byte ptr [esp + 0x1b8], 0
        $sequence_2 = { ff15???????? 85c0 0f8550010000 b931000000 8d7c2429 88442428 c68424b801000000 }

        // n = 7, score = 100
        // lea eax, [esp + 0x178] / push ebx / push eax / call ... /
        // add esp, 0x14 / lea ecx, [esp + 0x16c] / push 0xb4
        $sequence_3 = { 8d842478010000 53 50 e8???????? 83c414 8d8c246c010000 68b4000000 }

        // n = 7, score = 100
        // call ... / add esp, 4 / lea ecx, [esp + 0x10] / push 0 / push ecx /
        // push 0x1578 / push 0x1001b2b4   <- absolute address, image-base dependent
        $sequence_4 = { e8???????? 83c404 8d4c2410 6a00 51 6878150000 68b4b20110 }

        // n = 7, score = 100
        // mov [eax + edx*8], ecx / mov ecx, [ebp - 0x30] / mov edx, [ebp - 0x2c] /
        // add edx, ecx / mov ecx, [ebp - 0xc] / mov [eax + ecx*8 + 4], edx /
        // inc dword ptr [ebp - 0xc]   (fills an 8-byte-stride table in a loop)
        $sequence_5 = { 890cd0 8b4dd0 8b55d4 03d1 8b4df4 8954c804 ff45f4 }

        // n = 6, score = 100
        // push eax / lea eax, [ebp - 0xe0] / push eax / lea eax, [ebp - 0x10] /
        // push eax / push ebx
        $sequence_6 = { 50 8d8520ffffff 50 8d45f0 50 53 }

        // n = 7, score = 100
        // call ebx / cmp eax, -1 / je 0x10 / push eax / call [mem] /
        // mov al, 7 / jmp ...
        $sequence_7 = { ffd3 83f8ff 740e 50 ff15???????? b007 e9???????? }

        // n = 7, score = 100
        // add esp, 4 / cmp ax, bx / jbe 8 / mov [abs], ax / lea edx, [ebp - 0xc0] /
        // push 0x1001eae8 / push edx   <- absolute address, image-base dependent
        $sequence_8 = { 83c404 663bc3 7606 66a3???????? 8d9540ffffff 68e8ea0110 52 }

        // n = 7, score = 100
        // pop ebx / add esp, 0x270 / ret 4 / mov eax, [esp + 0x18] / push eax /
        // call [mem] / pop edi
        $sequence_9 = { 5b 81c470020000 c20400 8b442418 50 ff15???????? 5f }

    condition:
        // Any 7 of the 10 sequences; the size cap limits false positives on
        // large files but also excludes big memory dumps (see notes above).
        7 of them and filesize < 409600
}