There is no description at this point.
rule win_xfsadm_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.xfsadm." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 68???????? e8???????? 83c404 833d????????ff 7548 } // n = 5, score = 100 // 68???????? | // e8???????? | // 83c404 | add esp, 4 // 833d????????ff | // 7548 | jne 0x4a $sequence_1 = { 660ffec2 83c308 660f3840c1 660ffec3 660ffec1 660f7e8170feffff 660f73d804 } // n = 7, score = 100 // 660ffec2 | paddd xmm0, xmm2 // 83c308 | add ebx, 8 // 660f3840c1 | pmulld xmm0, xmm1 // 660ffec3 | paddd xmm0, xmm3 // 660ffec1 | paddd xmm0, xmm1 // 660f7e8170feffff | movd dword ptr [ecx - 0x190], xmm0 // 660f73d804 | psrldq xmm0, 4 $sequence_2 = { 660ffec3 660ffec1 660f7e81c8feffff 660f73d804 660f7e81fcfeffff 660f73d804 660f7e8130ffffff } // n = 7, score = 100 // 660ffec3 | paddd xmm0, xmm3 // 660ffec1 | paddd xmm0, xmm1 // 660f7e81c8feffff | movd dword ptr [ecx - 0x138], xmm0 // 660f73d804 | psrldq xmm0, 4 // 660f7e81fcfeffff | movd dword ptr [ecx - 0x104], xmm0 // 660f73d804 | psrldq xmm0, 4 // 660f7e8130ffffff | movd dword ptr [ecx - 0xd0], xmm0 $sequence_3 = { 41 3d???????? 7cf1 eb1a 8d0449 } // n = 5, score = 100 // 41 | inc ecx // 3d???????? | // 7cf1 | jl 0xfffffff3 // eb1a | jmp 0x1c // 8d0449 | lea eax, dword ptr [ecx + ecx*2] $sequence_4 = { 0f94c1 fec9 8b1485f8d84200 80e102 8a44172d } // n = 5, score = 100 // 0f94c1 | sete cl // fec9 | dec cl // 8b1485f8d84200 | mov edx, dword ptr [eax*4 + 0x42d8f8] // 80e102 | and cl, 2 // 8a44172d | mov al, byte ptr [edi + edx + 0x2d] $sequence_5 = { c1f806 6bc938 8b0485f8d84200 804c082820 8b75d8 b9000000c0 } // n = 6, score = 100 // c1f806 | sar eax, 6 // 6bc938 | imul ecx, ecx, 0x38 // 8b0485f8d84200 | mov eax, dword ptr [eax*4 + 0x42d8f8] // 804c082820 | or byte ptr [eax + ecx + 0x28], 0x20 // 8b75d8 | mov esi, dword ptr [ebp - 0x28] // b9000000c0 | mov ecx, 0xc0000000 $sequence_6 = { 8b04bdf8d84200 ff743018 ff15???????? 85c0 7404 b001 eb02 } // n = 7, score = 100 // 8b04bdf8d84200 | mov eax, dword ptr [edi*4 + 0x42d8f8] // ff743018 | push dword ptr [eax + esi + 0x18] // ff15???????? | // 85c0 | test eax, eax // 7404 | je 6 // b001 | mov al, 1 // eb02 | jmp 4 $sequence_7 = { 0f84cb080000 e9???????? 56 6a02 e8???????? e8???????? 50 } // n = 7, score = 100 // 0f84cb080000 | je 0x8d1 // e9???????? | // 56 | push esi // 6a02 | push 2 // e8???????? | // e8???????? | // 50 | push eax $sequence_8 = { 8bec 8b4d08 33c0 3b0cc5480c4200 7427 40 } // n = 6, score = 100 // 8bec | mov ebp, esp // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 33c0 | xor eax, eax // 3b0cc5480c4200 | cmp ecx, dword ptr [eax*8 + 0x420c48] // 7427 | je 0x29 // 40 | inc eax $sequence_9 = { a3???????? 85c0 0f84a5000000 68???????? ff35???????? ffd6 } // n = 6, score = 100 // a3???????? | // 85c0 | test eax, eax // 0f84a5000000 | je 0xab // 68???????? | // ff35???????? | // ffd6 | call esi condition: 7 of them and filesize < 566272 }
rule win_xfsadm_w0 { meta: description = "Detects ATM Malware XFSADM" author = "Frank Boldewin (@r3c0nst)" reference = "https://twitter.com/r3c0nst/status/1149043362244308992" date = "2019-06-21" hash1 = "2740bd2b7aa0eaa8de2135dd710eb669d4c4c91d29eefbf54f1b81165ad2da4d" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm" malpedia_version = "20190712" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $Code1 = {68 88 13 00 00 FF 35 ?? ?? ?? ?? 68 CF 00 00 00 50 FF 15} // Read Card Data $Code2 = {68 98 01 00 00 50 FF 15} // Get PIN Data $Mutex = "myXFSADM" nocase wide $MSXFSDIR = "C:\\Windows\\System32\\msxfs.dll" nocase ascii $XFSCommand1 = "WfsExecute" nocase ascii $XFSCommand2 = "WfsGetInfo" nocase ascii $PDB = "C:\\Work64\\ADM\\XFS\\Release\\XFS.pdb" nocase ascii $WindowName = "XFS ADM" nocase wide $FindWindow = "ADM rec" nocase wide $LogFile = "xfs.log" nocase ascii $TmpFile = "~pipe.tmp" nocase ascii condition: uint16(0) == 0x5A4D and filesize < 500KB and 4 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY