YARA rules for the Play ransomware group

rule win_play_auto {

    // Autogenerated YARA-Signator (v0.6.0) rule for win.play: ten hex
    // sequences lifted from disassembly of the referenced Malpedia sample,
    // gated on any seven of them matching and on the scanned file being
    // smaller than 389120 bytes (380 KiB).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.play."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of x86 opcode bytes. A `??` pair is a YARA
    // hex wildcard masking a byte that varies between builds (call targets,
    // data addresses); the disassembly column is left blank on those lines
    // because the operand is not part of the signature.
    strings:
        $sequence_0 = { 8b5d08 8d9328442324 8955e8 8d834f86c861 8d9377caeb85 8955ec 8d5103 }
            // n = 7, score = 100
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   8d9328442324         | lea                 edx, [ebx + 0x24234428]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   8d834f86c861         | lea                 eax, [ebx + 0x61c8864f]
            //   8d9377caeb85         | lea                 edx, [ebx - 0x7a143589]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8d5103               | lea                 edx, [ecx + 3]

        $sequence_1 = { 51 8d147f c1e202 e8???????? 83c408 a3???????? }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   8d147f               | lea                 edx, [edi + edi*2]
            //   c1e202               | shl                 edx, 2
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   a3????????           |                     

        $sequence_2 = { 8d85b1feffff 03c1 50 8d85a8fdffff 6804010000 50 e8???????? }
            // n = 7, score = 100
            //   8d85b1feffff         | lea                 eax, [ebp - 0x14f]
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax
            //   8d85a8fdffff         | lea                 eax, [ebp - 0x258]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { 8a852afeffff 04f6 8885d2feffff 88852afeffff 8d45c8 50 ff35???????? }
            // n = 7, score = 100
            //   8a852afeffff         | mov                 al, byte ptr [ebp - 0x1d6]
            //   04f6                 | add                 al, 0xf6
            //   8885d2feffff         | mov                 byte ptr [ebp - 0x12e], al
            //   88852afeffff         | mov                 byte ptr [ebp - 0x1d6], al
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   50                   | push                eax
            //   ff35????????         |                     

        $sequence_4 = { 899dbcfeffff 83d600 8995b0feffff 89b568feffff 888d82feffff 85d2 7514 }
            // n = 7, score = 100
            //   899dbcfeffff         | mov                 dword ptr [ebp - 0x144], ebx
            //   83d600               | adc                 esi, 0
            //   8995b0feffff         | mov                 dword ptr [ebp - 0x150], edx
            //   89b568feffff         | mov                 dword ptr [ebp - 0x198], esi
            //   888d82feffff         | mov                 byte ptr [ebp - 0x17e], cl
            //   85d2                 | test                edx, edx
            //   7514                 | jne                 0x16

        $sequence_5 = { c78580fdffff2d51be07 c78584fdffff2f3de01e c78588fdffff760ba609 c7858cfdffff6b188d10 c78590fdffff8739684e c78594fdffff88540000 0f118550fcffff }
            // n = 7, score = 100
            //   c78580fdffff2d51be07     | mov    dword ptr [ebp - 0x280], 0x7be512d
            //   c78584fdffff2f3de01e     | mov    dword ptr [ebp - 0x27c], 0x1ee03d2f
            //   c78588fdffff760ba609     | mov    dword ptr [ebp - 0x278], 0x9a60b76
            //   c7858cfdffff6b188d10     | mov    dword ptr [ebp - 0x274], 0x108d186b
            //   c78590fdffff8739684e     | mov    dword ptr [ebp - 0x270], 0x4e683987
            //   c78594fdffff88540000     | mov    dword ptr [ebp - 0x26c], 0x5488
            //   0f118550fcffff       | movups              xmmword ptr [ebp - 0x3b0], xmm0
            // NOTE(review): the six 32-bit immediates above are matched
            // literally (no wildcards), so a build that changes any of these
            // constants will not satisfy this sequence.

        $sequence_6 = { 40 6603f2 83f810 7cf0 0fb7c6 ba10000000 }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   6603f2               | add                 si, dx
            //   83f810               | cmp                 eax, 0x10
            //   7cf0                 | jl                  0xfffffff2
            //   0fb7c6               | movzx               eax, si
            //   ba10000000           | mov                 edx, 0x10

        $sequence_7 = { 6809ed1c23 b6b7 92 e2a8 fc f622 94 }
            // n = 7, score = 100
            //   6809ed1c23           | push                0x231ced09
            //   b6b7                 | mov                 dh, 0xb7
            //   92                   | xchg                eax, edx
            //   e2a8                 | loop                0xffffffaa
            //   fc                   | cld                 
            //   f622                 | mul                 byte ptr [edx]
            //   94                   | xchg                eax, esp
            // NOTE(review): this run disassembles to atypical instructions
            // (xchg eax, esp; mul byte ptr [edx]) and may be data or packed
            // bytes rather than compiler output — confirm before weighting
            // it on its own.

        $sequence_8 = { 660fd645e0 b9???????? e8???????? 83c408 8d55d0 8bcf e8???????? }
            // n = 7, score = 100
            //   660fd645e0           | movq                qword ptr [ebp - 0x20], xmm0
            //   b9????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8d55d0               | lea                 edx, [ebp - 0x30]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_9 = { 8b45b0 895db8 c745d801000000 8b048580d24200 8945d0 81f9e9fd0000 0f852d010000 }
            // n = 7, score = 100
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   895db8               | mov                 dword ptr [ebp - 0x48], ebx
            //   c745d801000000       | mov                 dword ptr [ebp - 0x28], 1
            //   8b048580d24200       | mov                 eax, dword ptr [eax*4 + 0x42d280]
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   81f9e9fd0000         | cmp                 ecx, 0xfde9
            //   0f852d010000         | jne                 0x133
            // NOTE(review): the absolute table address 0x42d280 is part of
            // the pattern and is presumably tied to this sample's image base;
            // verify it holds across other builds before relying on it.

    // Seven of the ten $sequence_* strings must hit. `filesize` is only
    // defined for file scans (it is undefined for process-memory scans), and
    // the bound rejects any scanned file of 389120 bytes (380 KiB) or more
    // even when every sequence is present.
    condition:
        7 of them and filesize < 389120
}