// Autogenerated code-sequence rule for the win.medusa family (Malpedia reference
// in the meta block). It fires when any 7 of the 16 $sequence_* byte patterns
// below are present in a file smaller than 1720320 bytes (1680 KiB). The
// patterns were selected from disassembly by YARA-Signator, not hand-written;
// see the DISCLAIMER in the meta block before assigning a confidence level.
rule win_medusa_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2023-07-11"
version = "1"
description = "Detects win.medusa."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa"
malpedia_rule_date = "20230705"
malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
malpedia_version = "20230715"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation are published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
// Each $sequence_N is a raw x86 byte pattern. The "n = …, score = …" line
// and the per-instruction lines under it are the generator's own annotation:
// n equals the number of instructions listed for that sequence; the meaning
// of score (100 for every sequence here) is not explained on this page —
// presumably a generator ranking value, treat it as informational only.
// NOTE(review): several sequences disassemble to instructions that are rare
// in compiler-emitted code (iretd, insb/outsd, in/out, lahf/sahf, aad, xlatb),
// which suggests they were lifted from non-code bytes of the documented
// sample; expect those to be brittle across other builds of the family.
strings:
$sequence_0 = { ae 085ffb cf 51 46 a8cf f8 }
// n = 7, score = 100
// ae | scasb al, byte ptr es:[edi]
// 085ffb | or byte ptr [edi - 5], bl
// cf | iretd
// 51 | push ecx
// 46 | inc esi
// a8cf | test al, 0xcf
// f8 | clc
$sequence_1 = { 184e0f 6c 6f aa }
// n = 4, score = 100
// 184e0f | sbb byte ptr [esi + 0xf], cl
// 6c | insb byte ptr es:[edi], dx
// 6f | outsd dx, dword ptr [esi]
// aa | stosb byte ptr es:[edi], al
$sequence_2 = { d8b8291ba3f9 a939ef568f 46 005f6e 69c7d0234b91 1c14 2a18 }
// n = 7, score = 100
// d8b8291ba3f9 | fdivr dword ptr [eax - 0x65ce4d7]
// a939ef568f | test eax, 0x8f56ef39
// 46 | inc esi
// 005f6e | add byte ptr [edi + 0x6e], bl
// 69c7d0234b91 | imul eax, edi, 0x914b23d0
// 1c14 | sbb al, 0x14
// 2a18 | sub bl, byte ptr [eax]
// Sequences 3 and 10 are runs of push/push-indirect pairs over consecutive
// registers; they look like a regular structure rather than logic and may
// match unrelated binaries — they are only two of the 7 needed, so the
// condition below still requires corroboration from other sequences.
$sequence_3 = { 51 ff7100 52 ff7200 53 }
// n = 5, score = 100
// 51 | push ecx
// ff7100 | push dword ptr [ecx]
// 52 | push edx
// ff7200 | push dword ptr [edx]
// 53 | push ebx
$sequence_4 = { 2048b3 a5 45 b051 9f }
// n = 5, score = 100
// 2048b3 | and byte ptr [eax - 0x4d], cl
// a5 | movsd dword ptr es:[edi], dword ptr [esi]
// 45 | inc ebp
// b051 | mov al, 0x51
// 9f | lahf
$sequence_5 = { 57 10872213d4b4 5b 00bb4b0c8cb2 }
// n = 4, score = 100
// 57 | push edi
// 10872213d4b4 | adc byte ptr [edi - 0x4b2becde], al
// 5b | pop ebx
// 00bb4b0c8cb2 | add byte ptr [ebx - 0x4d73f3b5], bh
$sequence_6 = { ab 92 6f 0c48 b5f9 43 }
// n = 6, score = 100
// ab | stosd dword ptr es:[edi], eax
// 92 | xchg eax, edx
// 6f | outsd dx, dword ptr [esi]
// 0c48 | or al, 0x48
// b5f9 | mov ch, 0xf9
// 43 | inc ebx
$sequence_7 = { 5f e1fb 1cc9 3ca5 2c8e }
// n = 5, score = 100
// 5f | pop edi
// e1fb | loope 0xfffffffd
// 1cc9 | sbb al, 0xc9
// 3ca5 | cmp al, 0xa5
// 2c8e | sub al, 0x8e
$sequence_8 = { 670048ff 680049ff69 004aff 6a00 4b ff6b00 4c }
// n = 7, score = 100
// 670048ff | add byte ptr [bx + si - 1], cl
// 680049ff69 | push 0x69ff4900
// 004aff | add byte ptr [edx - 1], cl
// 6a00 | push 0
// 4b | dec ebx
// ff6b00 | ljmp [ebx]
// 4c | dec esp
$sequence_9 = { e60e 6c 7bbc 45 }
// n = 4, score = 100
// e60e | out 0xe, al
// 6c | insb byte ptr es:[edi], dx
// 7bbc | jnp 0xffffffbe
// 45 | inc ebp
$sequence_10 = { ff7300 54 ff740055 ff7500 56 }
// n = 5, score = 100
// ff7300 | push dword ptr [ebx]
// 54 | push esp
// ff740055 | push dword ptr [eax + eax + 0x55]
// ff7500 | push dword ptr [ebp]
// 56 | push esi
$sequence_11 = { 334a54 98 56 39ec 51 7fa1 6d }
// n = 7, score = 100
// 334a54 | xor ecx, dword ptr [edx + 0x54]
// 98 | cwde
// 56 | push esi
// 39ec | cmp esp, ebp
// 51 | push ecx
// 7fa1 | jg 0xffffffa3
// 6d | insd dword ptr es:[edi], dx
$sequence_12 = { b051 9f 4a d7 b9533e507c }
// n = 5, score = 100
// b051 | mov al, 0x51
// 9f | lahf
// 4a | dec edx
// d7 | xlatb
// b9533e507c | mov ecx, 0x7c503e53
$sequence_13 = { b5f5 42 317f52 56 }
// n = 4, score = 100
// b5f5 | mov ch, 0xf5
// 42 | inc edx
// 317f52 | xor dword ptr [edi + 0x52], edi
// 56 | push esi
// Sequences 4/12 (b051 9f) and 11/14 (334a54 98) share a two-instruction
// tail/head; they overlap the same code region and are not fully independent
// evidence when counting towards "7 of them".
$sequence_14 = { bfdb4a7adc de6326 9e 45 334a54 98 }
// n = 6, score = 100
// bfdb4a7adc | mov edi, 0xdc7a4adb
// de6326 | fisub word ptr [ebx + 0x26]
// 9e | sahf
// 45 | inc ebp
// 334a54 | xor ecx, dword ptr [edx + 0x54]
// 98 | cwde
// The only wildcarded sequence: "??" masks the 4-byte operand of a1
// (presumably an absolute address that changes per build — confirm).
$sequence_15 = { 3ca5 2c8e a1???????? d528 32f4 }
// n = 5, score = 100
// 3ca5 | cmp al, 0xa5
// 2c8e | sub al, 0x8e
// a1???????? |
// d528 | aad 0x28
// 32f4 | xor dh, ah
// "them" is every string declared above, so this is any 7 of the 16
// $sequence_* patterns. The filesize bound (1720320 bytes = 1680 KiB) was
// fixed at generation time from the documented sample; re-check it before
// applying the rule to newer or repacked builds.
condition:
7 of them and filesize < 1720320
}