/*
 * Auto-generated detection rule for the win.pteranodon family (Malpedia
 * naming). Sixteen short x86 byte sequences ($sequence_0 .. $sequence_15)
 * were lifted from disassembly by yara-signator; the rule fires when at
 * least seven of them are present in a file under the size bound given in
 * the condition. The "// <hex> | <mnemonic>" lines under each string are
 * the generator's annotation of that pattern and are not part of the match.
 */
rule win_pteranodon_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
version = "1"
description = "Detects win.pteranodon."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon"
malpedia_rule_date = "20230705"
malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
malpedia_version = "20230715"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
// Each hex string is a literal byte pattern. "????????" is a four-byte
// wildcard standing in for an operand the generator masked (call/jmp
// targets and data references); the disassembly column is left blank for
// those instructions. In the "n = N, score = S" lines, n is the number of
// instructions in the sequence (it matches the line count below it); the
// meaning of score is defined by yara-signator, not by this rule.
//
// NOTE(review): several sequences embed absolute addresses taken from the
// source sample (0x100369b8 in $sequence_0, 0x4387e0 in $sequence_3 and
// $sequence_6, 0x42c1e4 in $sequence_4) and fixed branch displacements
// (e.g. the 0x9e30 in $sequence_5). Those patterns presumably match only
// binaries with the same layout and image base; the disclaimer's
// single-sample caveat applies in particular to them. The "7 of them"
// threshold below is what gives the rule tolerance to such misses.
$sequence_0 = { 6bc830 881f 8b0495b8690310 f644082880 7507 }
// n = 5, score = 100
// 6bc830 | imul ecx, eax, 0x30
// 881f | mov byte ptr [edi], bl
// 8b0495b8690310 | mov eax, dword ptr [edx*4 + 0x100369b8]
// f644082880 | test byte ptr [eax + ecx + 0x28], 0x80
// 7507 | jne 9
$sequence_1 = { 8bcb c645fc03 8d5102 660f1f440000 668b01 }
// n = 5, score = 100
// 8bcb | mov ecx, ebx
// c645fc03 | mov byte ptr [ebp - 4], 3
// 8d5102 | lea edx, [ecx + 2]
// 660f1f440000 | nop word ptr [eax + eax]
// 668b01 | mov ax, word ptr [ecx]
$sequence_2 = { 83c418 03d8 13fa eb0c 039d88feffff 13bd84feffff }
// n = 6, score = 100
// 83c418 | add esp, 0x18
// 03d8 | add ebx, eax
// 13fa | adc edi, edx
// eb0c | jmp 0xe
// 039d88feffff | add ebx, dword ptr [ebp - 0x178]
// 13bd84feffff | adc edi, dword ptr [ebp - 0x17c]
$sequence_3 = { 6bc038 03048de0874300 50 ff15???????? 5d c3 }
// n = 6, score = 100
// 6bc038 | imul eax, eax, 0x38
// 03048de0874300 | add eax, dword ptr [ecx*4 + 0x4387e0]
// 50 | push eax
// ff15???????? |
// 5d | pop ebp
// c3 | ret
$sequence_4 = { c70021000000 eb44 c745e002000000 c745e4e4c14200 8b4508 8bcf 8b7510 }
// n = 7, score = 100
// c70021000000 | mov dword ptr [eax], 0x21
// eb44 | jmp 0x46
// c745e002000000 | mov dword ptr [ebp - 0x20], 2
// c745e4e4c14200 | mov dword ptr [ebp - 0x1c], 0x42c1e4
// 8b4508 | mov eax, dword ptr [ebp + 8]
// 8bcf | mov ecx, edi
// 8b7510 | mov esi, dword ptr [ebp + 0x10]
$sequence_5 = { 8b01 85c0 0f84309e0000 83f808 }
// n = 4, score = 100
// 8b01 | mov eax, dword ptr [ecx]
// 85c0 | test eax, eax
// 0f84309e0000 | je 0x9e36
// 83f808 | cmp eax, 8
$sequence_6 = { 6bc038 03048de0874300 eb05 b8???????? f6402820 }
// n = 5, score = 100
// 6bc038 | imul eax, eax, 0x38
// 03048de0874300 | add eax, dword ptr [ecx*4 + 0x4387e0]
// eb05 | jmp 7
// b8???????? |
// f6402820 | test byte ptr [eax + 0x28], 0x20
$sequence_7 = { c78504f9ffff0f000000 c78500f9ffff00000000 c685f0f8ffff00 83f810 7213 40 8d8dc0f8ffff }
// n = 7, score = 100
// c78504f9ffff0f000000 | mov dword ptr [ebp - 0x6fc], 0xf
// c78500f9ffff00000000 | mov dword ptr [ebp - 0x700], 0
// c685f0f8ffff00 | mov byte ptr [ebp - 0x710], 0
// 83f810 | cmp eax, 0x10
// 7213 | jb 0x15
// 40 | inc eax
// 8d8dc0f8ffff | lea ecx, [ebp - 0x740]
$sequence_8 = { 50 e8???????? 8b4de0 8d0437 83c40c }
// n = 5, score = 100
// 50 | push eax
// e8???????? |
// 8b4de0 | mov ecx, dword ptr [ebp - 0x20]
// 8d0437 | lea eax, [edi + esi]
// 83c40c | add esp, 0xc
$sequence_9 = { 33c0 53 668906 ff75c0 8935???????? ff75bc 68???????? }
// n = 7, score = 100
// 33c0 | xor eax, eax
// 53 | push ebx
// 668906 | mov word ptr [esi], ax
// ff75c0 | push dword ptr [ebp - 0x40]
// 8935???????? |
// ff75bc | push dword ptr [ebp - 0x44]
// 68???????? |
$sequence_10 = { 6a01 51 56 ff15???????? 85c0 752b 85f6 }
// n = 7, score = 100
// 6a01 | push 1
// 51 | push ecx
// 56 | push esi
// ff15???????? |
// 85c0 | test eax, eax
// 752b | jne 0x2d
// 85f6 | test esi, esi
$sequence_11 = { 6a00 8d45d4 c745fc00000000 50 8d45d0 c745d401000000 50 }
// n = 7, score = 100
// 6a00 | push 0
// 8d45d4 | lea eax, [ebp - 0x2c]
// c745fc00000000 | mov dword ptr [ebp - 4], 0
// 50 | push eax
// 8d45d0 | lea eax, [ebp - 0x30]
// c745d401000000 | mov dword ptr [ebp - 0x2c], 1
// 50 | push eax
$sequence_12 = { 85db 7443 3bf8 7f0c 7c04 }
// n = 5, score = 100
// 85db | test ebx, ebx
// 7443 | je 0x45
// 3bf8 | cmp edi, eax
// 7f0c | jg 0xe
// 7c04 | jl 6
$sequence_13 = { 33ff 8db58cf6ffff 89bd90f6ffff 8d9d20f9ffff }
// n = 4, score = 100
// 33ff | xor edi, edi
// 8db58cf6ffff | lea esi, [ebp - 0x974]
// 89bd90f6ffff | mov dword ptr [ebp - 0x970], edi
// 8d9d20f9ffff | lea ebx, [ebp - 0x6e0]
$sequence_14 = { 8d85f0feffff 50 ff15???????? 85c0 7510 }
// n = 5, score = 100
// 8d85f0feffff | lea eax, [ebp - 0x110]
// 50 | push eax
// ff15???????? |
// 85c0 | test eax, eax
// 7510 | jne 0x12
$sequence_15 = { 83c618 8bbd90f6ffff 03f8 8b8598f6ffff 40 89bd90f6ffff 898598f6ffff }
// n = 7, score = 100
// 83c618 | add esi, 0x18
// 8bbd90f6ffff | mov edi, dword ptr [ebp - 0x970]
// 03f8 | add edi, eax
// 8b8598f6ffff | mov eax, dword ptr [ebp - 0x968]
// 40 | inc eax
// 89bd90f6ffff | mov dword ptr [ebp - 0x970], edi
// 898598f6ffff | mov dword ptr [ebp - 0x968], eax
condition:
// Match when any 7 of the 16 sequences are found; the order in which they
// appear in the file is irrelevant. 499712 bytes is 488 KiB, an upper bound
// on the scanned object's size.
// NOTE(review): the patterns were derived from memory dumps and unpacked
// files (see DISCLAIMER), so expect them to apply to unpacked code rather
// than packed samples on disk. filesize is a file-scanning property — confirm
// how your YARA version evaluates it before relying on this rule for
// process-memory scans.
7 of them and filesize < 499712
}