Actor(s): Tick
There is no description at this point. The only documentation for this family on the page is the two rules below: win_xxmm_w0 (hand-written string indicators from the Bronze Butler incident samples) and win_xxmm_auto (code sequences autogenerated by YARA-Signator from unpacked samples and memory dumps).
rule win_xxmm_auto {
    // Autogenerated code-sequence rule for win.xxmm (Tick). Ten short x86
    // instruction sequences were selected by YARA-Signator from disassembly;
    // the rule fires when at least 7 of the 10 are present and the scanned
    // object is smaller than 540672 bytes (see the condition at the bottom).
    // The per-sequence "score" values come from YARA-Signator and are
    // reproduced as emitted; their scale is not documented on this page.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.xxmm."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each hex pattern is a contiguous instruction run; "????????" wildcards
        // mask the 4-byte operands of indirect calls (ff15) and relative calls (e8)
        // so the sequence survives relocation / different link addresses.
        $sequence_0 = { ff15???????? ff7508 8bd8 57 53 895dfc e8???????? }
            // n = 7, score = 600
            //   ff15????????         |
            //   ff7508               | push dword ptr [ebp + 8]
            //   8bd8                 | mov ebx, eax
            //   57                   | push edi
            //   53                   | push ebx
            //   895dfc               | mov dword ptr [ebp - 4], ebx
            //   e8????????           |

        $sequence_1 = { 83c704 66837df400 77b7 8b45f0 }
            // n = 4, score = 600
            //   83c704               | add edi, 4
            //   66837df400           | cmp word ptr [ebp - 0xc], 0
            //   77b7                 | ja 0xffffffb9
            //   8b45f0               | mov eax, dword ptr [ebp - 0x10]

        // Function epilogue (ret 8) immediately followed by the next function's
        // prologue; compiler-generated and not specific to this family on its own.
        $sequence_2 = { 8b4508 8908 5d c20800 55 8bec 83ec10 }
            // n = 7, score = 600
            //   8b4508               | mov eax, dword ptr [ebp + 8]
            //   8908                 | mov dword ptr [eax], ecx
            //   5d                   | pop ebp
            //   c20800               | ret 8
            //   55                   | push ebp
            //   8bec                 | mov ebp, esp
            //   83ec10               | sub esp, 0x10

        $sequence_3 = { 895d14 8a1b 895510 8a10 8818 }
            // n = 5, score = 600
            //   895d14               | mov dword ptr [ebp + 0x14], ebx
            //   8a1b                 | mov bl, byte ptr [ebx]
            //   895510               | mov dword ptr [ebp + 0x10], edx
            //   8a10                 | mov dl, byte ptr [eax]
            //   8818                 | mov byte ptr [eax], bl

        $sequence_4 = { 33c0 5f 5b c3 0fb7c7 }
            // n = 5, score = 600
            //   33c0                 | xor eax, eax
            //   5f                   | pop edi
            //   5b                   | pop ebx
            //   c3                   | ret
            //   0fb7c7               | movzx eax, di

        $sequence_5 = { 03f9 03c1 8945f8 c745f404000000 8b07 03c1 }
            // n = 6, score = 600
            //   03f9                 | add edi, ecx
            //   03c1                 | add eax, ecx
            //   8945f8               | mov dword ptr [ebp - 8], eax
            //   c745f404000000       | mov dword ptr [ebp - 0xc], 4
            //   8b07                 | mov eax, dword ptr [edi]
            //   03c1                 | add eax, ecx

        $sequence_6 = { 750a 8b7dfc 23c3 013c08 eb1e }
            // n = 5, score = 600
            //   750a                 | jne 0xc
            //   8b7dfc               | mov edi, dword ptr [ebp - 4]
            //   23c3                 | and eax, ebx
            //   013c08               | add dword ptr [eax + ecx], edi
            //   eb1e                 | jmp 0x20

        // Manual PE header walk: compare the first word against 0x5a4d ("MZ")
        // and then read the dword at offset 0x3c (e_lfanew). This is what a
        // hand-rolled image parser such as a reflective loader does (compare the
        // "ReflectivLoader.pdb" string in win_xxmm_w0), but the idiom is shared by
        // many loaders and shellcode, so it carries little weight alone.
        $sequence_7 = { 895dfc b84d5a0000 663903 7517 8b433c }
            // n = 5, score = 600
            //   895dfc               | mov dword ptr [ebp - 4], ebx
            //   b84d5a0000           | mov eax, 0x5a4d
            //   663903               | cmp word ptr [ebx], ax
            //   7517                 | jne 0x19
            //   8b433c               | mov eax, dword ptr [ebx + 0x3c]

        $sequence_8 = { 7414 394de0 740f 394dec 740a 394de8 7405 }
            // n = 7, score = 600
            //   7414                 | je 0x16
            //   394de0               | cmp dword ptr [ebp - 0x20], ecx
            //   740f                 | je 0x11
            //   394dec               | cmp dword ptr [ebp - 0x14], ecx
            //   740a                 | je 0xc
            //   394de8               | cmp dword ptr [ebp - 0x18], ecx
            //   7405                 | je 7

        // Rotate-right-13-and-add over a NUL-terminated byte string. This is the
        // shape of the ROR13 name hash widely used for API resolution in loaders
        // and shellcode; expect overlap with unrelated tooling if this sequence is
        // ever lifted out of the 7-of-10 condition.
        $sequence_9 = { c1cb0d 03da 40 8a10 84d2 }
            // n = 5, score = 600
            //   c1cb0d               | ror ebx, 0xd
            //   03da                 | add ebx, edx
            //   40                   | inc eax
            //   8a10                 | mov dl, byte ptr [eax]
            //   84d2                 | test dl, dl

    condition:
        // 7 of the 10 sequences. The filesize bound (528 KiB) limits scan cost and
        // false positives on large binaries; note it also bounds the size of a
        // memory region or dump the rule will consider, since YARA applies
        // filesize to whatever object is being scanned.
        7 of them and filesize < 540672
}
rule win_xxmm_w0 {
    // Hand-written string rule for the xxmm backdoor as seen in the Bronze
    // Butler incident. Two tiers of indicators: $x* are build artefacts
    // specific enough to fire on their own, $s* are weaker names that only
    // count in aggregate. There is deliberately no MZ / filesize guard, so the
    // rule also applies to memory dumps and carved fragments, not just PE
    // files on disk; add "uint16(0) == 0x5a4d" only if on-disk scope is wanted.

    meta:
        author = "Florian Roth"
        description = "Detects malware / hacktool sample from Bronze Butler incident"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // --- weak indicators: need four hits in total to trigger ---
        $s1 = "xxmm2.exe" fullword ascii
        // Only wide (UTF-16) string in the rule; presumably a drop/masquerade
        // filename used in a Unicode API call - not verified here.
        $s2 = "\\AvUpdate.exe" fullword wide
        // Command identifiers. The "stdapi_" prefix mirrors Meterpreter's stdapi
        // extension naming; overlap with genuine Meterpreter payloads has not been
        // checked on this page - test against a Meterpreter corpus before
        // trusting a 4-of hit that consists only of $s3..$s6.
        $s3 = "stdapi_fs_file_download" fullword ascii
        $s4 = "stdapi_syncshell_open" fullword ascii
        $s5 = "stdapi_execute_sleep" fullword ascii
        $s6 = "stdapi_syncshell_kill" fullword ascii

        // --- strong indicators: any single hit triggers ---
        // PDB path left in the build; the loader name ties in with the PE header
        // walk seen in win_xxmm_auto's $sequence_7.
        $x1 = "\\Release\\ReflectivLoader.pdb" ascii
        // Developer project path, also embedded via the PDB record.
        $x3 = "\\Projects\\xxmm2\\Release\\" ascii
        // Loopback C2 URL, presumably a compiled-in default or test value;
        // strong because of the specific script name, not the host.
        $x5 = "http://127.0.0.1/phptunnel.php" fullword ascii

    condition:
        // "$*" is every string declared above (equivalent to "them").
        4 of ($*) or 1 of ($x*)
}