恶意代码的yara规则
rule win_gaudox_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        /* DISCLAIMER
         * The byte strings below were selected automatically by yara-signator
         * from the disassembly of memory dumps and unpacked files.
         * Code and documentation for the approach are to be published at:
         * https://github.com/fxb-cocacoding/yara-signator
         * Malpedia is the data source; for a number of families only a single
         * sample is documented, which likely limits how well these rules
         * generalize. Keep the generation method in mind when applying the
         * rules and assigning them confidence levels.
         */

    strings:
        // Every string is a four-instruction x86 sequence (n = 4, score = 1000
        // for each, per the generator). The instruction text after each string
        // is the generator's disassembly and is kept only for human review.
        //
        // NOTE(review): short sequences such as $seq_0 and $seq_4 are ordinary
        // argument-push / decrement-and-branch patterns that can occur in
        // unrelated code; the "7 of" threshold below is what carries the
        // specificity, so do not lower it without re-evaluating false positives.
        // NOTE(review): $seq_1 and $seq_9 end in an e8 call with a fixed rel32
        // displacement, so they are tied to one build's code layout and are
        // likely to miss a recompiled variant; the short (rel8) branches in the
        // other sequences are less layout-sensitive.
        // NOTE(review): the condition has no header or filesize gate, which is
        // presumably intentional because the source material includes memory
        // dumps that need not start with a PE header - confirm before adding one.

        // push eax ; push ecx ; push 0xb ; push 1
        $seq_0 = { 50 51 6a 0b 6a 01 }

        // add eax, esi ; push eax ; push esi ; call 0x93220 (rel32)
        $seq_1 = { 03 c6 50 56 e8 05 1d 00 00 }

        // sub edx, edi ; je 0x93319 ; mov eax, dword ptr [ebp - 4] ; mov dl, byte ptr [ecx]
        $seq_2 = { 2b d7 74 2c 8b 45 fc 8a 11 }

        // push eax ; push 0x40 ; lea eax, dword ptr [ebp - 4] ; mov dword ptr [ebp - 8], ebx
        $seq_3 = { 50 6a 40 8d 45 fc 89 5d f8 }

        // dec eax ; je 0x98128 ; dec eax ; jne 0x9819f
        $seq_4 = { 48 74 0a 48 75 7e }

        // xor eax, eax ; mov byte ptr [ebp + 0xb], 0 ; xorps xmm0, xmm0 ; movdqu xmmword ptr [esi], xmm0
        $seq_5 = { 33 c0 c6 45 0b 00 0f 57 c0 f3 0f 7f 06 }

        // movzx edx, word ptr [ebp - 0x1a] ; cmp edx, 0x5a ; jg 0x95fff ; movzx eax, word ptr [ebp - 0x1a]
        $seq_6 = { 0f b7 55 e6 83 fa 5a 7f 0c 0f b7 45 e6 }

        // dec edi ; jne 0x93183 ; mov ecx, dword ptr [ebp - 4] ; test esi, esi
        $seq_7 = { 4f 75 f3 8b 4d fc 85 f6 }

        // push edx ; mov eax, dword ptr [ebp - 0x24] ; push eax ; lea edx, dword ptr [ebp - 0x10]
        $seq_8 = { 52 8b 45 dc 50 8d 55 f0 }

        // push ecx ; lea eax, dword ptr [ecx + 0x114] ; push eax ; call 0x91890 (rel32)
        $seq_9 = { 51 8d 81 14 01 00 00 50 e8 17 86 ff ff }

    condition:
        // At least seven of the ten sequences must be present; this is the
        // same threshold as the original "7 of them".
        7 of ($seq_*)
}