YARA rules for the ransomware group AvosLocker

// Auto-generated code-signature rule for the AvosLocker Windows locker (Malpedia id: win.avos_locker).
// Each $sequence_N is a short run of x86 opcode bytes lifted from disassembly; the `??` wildcards
// mask the 4-byte operand of call (e8) / push-imm32 (68) instructions, so matching does not depend
// on those operand values. A hit requires 7 of the 10 sequences plus the filesize ceiling below.
rule win_avos_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.avos_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes yara-signator used when selecting sequences (see the tool's docs for meaning).
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker"
        malpedia_rule_date = "20230705"
        // NOTE(review): presumably the Malpedia sample reference the rule was generated from — confirm on the referenced page.
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences come from unpacked code / memory dumps (see disclaimer above), so they are
        // meant for unpacked samples or process memory; a packed on-disk sample may not match.
        // Per sequence: "n" is the instruction count (7 instructions listed below each one);
        // "score" is yara-signator's ranking value, whose scale is not documented in this file.
        $sequence_0 = { 6a72 8d8dd0faffff e8???????? 8885e0faffff 6a79 8d8dd0faffff e8???????? }
            // n = 7, score = 100
            //   6a72                 | push                0x72
            //   8d8dd0faffff         | lea                 ecx, [ebp - 0x530]
            //   e8????????           |                     
            //   8885e0faffff         | mov                 byte ptr [ebp - 0x520], al
            //   6a79                 | push                0x79
            //   8d8dd0faffff         | lea                 ecx, [ebp - 0x530]
            //   e8????????           |                     

        // Contains the absolute jump-table address 0x4725f7 as literal bytes (ff2485f7254700),
        // so this sequence likely matches only builds sharing that image base/layout; a rebased
        // or recompiled sample can still satisfy "7 of them" via the other nine sequences.
        $sequence_1 = { 74bc 83f807 77c7 ff2485f7254700 8bce e8???????? eb45 }
            // n = 7, score = 100
            //   74bc                 | je                  0xffffffbe
            //   83f807               | cmp                 eax, 7
            //   77c7                 | ja                  0xffffffc9
            //   ff2485f7254700       | jmp                 dword ptr [eax*4 + 0x4725f7]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   eb45                 | jmp                 0x47

        $sequence_2 = { 3d00100000 7227 8d4823 3bc8 0f86c2000000 51 e8???????? }
            // n = 7, score = 100
            //   3d00100000           | cmp                 eax, 0x1000
            //   7227                 | jb                  0x29
            //   8d4823               | lea                 ecx, [eax + 0x23]
            //   3bc8                 | cmp                 ecx, eax
            //   0f86c2000000         | jbe                 0xc8
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_3 = { 8d8d44efffff e8???????? 888558efffff 6a74 8d8d44efffff e8???????? 888559efffff }
            // n = 7, score = 100
            //   8d8d44efffff         | lea                 ecx, [ebp - 0x10bc]
            //   e8????????           |                     
            //   888558efffff         | mov                 byte ptr [ebp - 0x10a8], al
            //   6a74                 | push                0x74
            //   8d8d44efffff         | lea                 ecx, [ebp - 0x10bc]
            //   e8????????           |                     
            //   888559efffff         | mov                 byte ptr [ebp - 0x10a7], al

        $sequence_4 = { 6a08 c645ac00 8d4dc0 ff75ac 6a08 e8???????? 8b75b8 }
            // n = 7, score = 100
            //   6a08                 | push                8
            //   c645ac00             | mov                 byte ptr [ebp - 0x54], 0
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   ff75ac               | push                dword ptr [ebp - 0x54]
            //   6a08                 | push                8
            //   e8????????           |                     
            //   8b75b8               | mov                 esi, dword ptr [ebp - 0x48]

        // The 68???????? wildcard masks a push of a 32-bit immediate (e.g. an address), as with e8 above.
        $sequence_5 = { 0f1000 68???????? c745f00f000000 0f1145a4 f30f7e4010 660fd645b4 c7401000000000 }
            // n = 7, score = 100
            //   0f1000               | movups              xmm0, xmmword ptr [eax]
            //   68????????           |                     
            //   c745f00f000000       | mov                 dword ptr [ebp - 0x10], 0xf
            //   0f1145a4             | movups              xmmword ptr [ebp - 0x5c], xmm0
            //   f30f7e4010           | movq                xmm0, qword ptr [eax + 0x10]
            //   660fd645b4           | movq                qword ptr [ebp - 0x4c], xmm0
            //   c7401000000000       | mov                 dword ptr [eax + 0x10], 0

        $sequence_6 = { 50 e8???????? 83c408 50 e8???????? 83c408 c645dc55 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c645dc55             | mov                 byte ptr [ebp - 0x24], 0x55

        $sequence_7 = { e8???????? 888533fcffff 6a65 8d8d30fcffff e8???????? 888534fcffff 6a78 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   888533fcffff         | mov                 byte ptr [ebp - 0x3cd], al
            //   6a65                 | push                0x65
            //   8d8d30fcffff         | lea                 ecx, [ebp - 0x3d0]
            //   e8????????           |                     
            //   888534fcffff         | mov                 byte ptr [ebp - 0x3cc], al
            //   6a78                 | push                0x78

        $sequence_8 = { 8d45e4 d1fa 8bca c1e91f 03ca 8b55c0 83f902 }
            // n = 7, score = 100
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   d1fa                 | sar                 edx, 1
            //   8bca                 | mov                 ecx, edx
            //   c1e91f               | shr                 ecx, 0x1f
            //   03ca                 | add                 ecx, edx
            //   8b55c0               | mov                 edx, dword ptr [ebp - 0x40]
            //   83f902               | cmp                 ecx, 2

        $sequence_9 = { 8b08 898d90f9ffff 8b4804 898d94f9ffff c70000000000 c7400400000000 c645fc05 }
            // n = 7, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   898d90f9ffff         | mov                 dword ptr [ebp - 0x670], ecx
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   898d94f9ffff         | mov                 dword ptr [ebp - 0x66c], ecx
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   c7400400000000       | mov                 dword ptr [eax + 4], 0
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5

    condition:
        // At least 7 of the 10 sequences must be present, and only in objects smaller than
        // 1,701,888 bytes (~1.6 MiB): anything at or above that size is never matched, even if
        // every sequence is present, which bounds scan cost and false positives on large files.
        7 of them and filesize < 1701888
}