Skip to content

Commit 6fc8f09

Browse files
jconnor0426jconnor0426
committed
Adding in expected yara files for match-2-yar tests
1 parent cf96511 commit 6fc8f09

6 files changed

Lines changed: 17634 additions & 0 deletions

yara/expected_1c444ebe_692f7fd6.yar

Lines changed: 1651 additions & 0 deletions
Large diffs are not rendered by default.

yara/expected_1c444ebeba24dcba8628b7dfe5fec7c6.exe_.yar

Lines changed: 1409 additions & 0 deletions
Large diffs are not rendered by default.

yara/expected_9324d1a8ae37a36ae560c37448c9705a.exe_.yar

Lines changed: 7005 additions & 0 deletions
Large diffs are not rendered by default.

yara/expected_c2bb17c12975e.yar

Lines changed: 201 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,201 @@
1+
rule super_rule_50580
2+
{
3+
meta:
4+
author = "CAPA Matches"
5+
date_created = "2023-08-10"
6+
date_modified = "2023-08-10"
7+
description = ""
8+
md5 = "50580ef0b882905316c4569162ea07d9"
9+
strings:
10+
/*
11+
Basic Block at 0x140001040@50580ef0b882905316c4569162ea07d9 with 1 features:
12+
- encode data using XOR
13+
.text:0x140001040 loc_140001040: [1 XREFS]
14+
.text:0x140001040 f30f6f0439 movdqu xmm0,oword [rcx + rdi]
15+
.text:0x140001045 660fefc2 pxor xmm0,xmm2
16+
.text:0x140001049 f30f7f0439 movdqu oword [rcx + rdi],xmm0
17+
.text:0x14000104e f30f6f4c3910 movdqu xmm1,oword [rcx + rdi + 16]
18+
.text:0x140001054 660fefca pxor xmm1,xmm2
19+
.text:0x140001058 f30f7f4c3910 movdqu oword [rcx + rdi + 16],xmm1
20+
.text:0x14000105e f30f6f443920 movdqu xmm0,oword [rcx + rdi + 32]
21+
.text:0x140001064 660fefc2 pxor xmm0,xmm2
22+
.text:0x140001068 f30f7f443920 movdqu oword [rcx + rdi + 32],xmm0
23+
.text:0x14000106e f30f6f443930 movdqu xmm0,oword [rcx + rdi + 48]
24+
.text:0x140001074 660fefc2 pxor xmm0,xmm2
25+
.text:0x140001078 f30f7f443930 movdqu oword [rcx + rdi + 48],xmm0
26+
.text:0x14000107e 4883c140 add rcx,64
27+
.text:0x140001082 483bc8 cmp rcx,rax
28+
.text:0x140001085 7cb9 jl 0x140001040
29+
*/
30+
$c0 = { F3 0F 6F 04 39 66 0F EF C2 F3 0F 7F 04 39 F3 0F 6F 4C 39 ?? 66 0F EF CA F3 0F 7F 4C 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? 48 83 C1 40 48 3B C8 7C ?? }
31+
/*
32+
Basic Block at 0x140001090@50580ef0b882905316c4569162ea07d9 with 1 features:
33+
- encode data using XOR
34+
.text:0x140001090 loc_140001090: [1 XREFS]
35+
.text:0x140001090 80343862 xor byte [rax + rdi],98
36+
.text:0x140001094 48ffc0 inc rax
37+
.text:0x140001097 483d1f030000 cmp rax,799
38+
.text:0x14000109d 7cf1 jl 0x140001090
39+
*/
40+
$c1 = { 80 34 38 62 48 FF C0 48 3D 1F 03 00 00 7C ?? }
41+
/*
42+
Basic Block at 0x14000109f@50580ef0b882905316c4569162ea07d9 with 1 features:
43+
- allocate RWX memory
44+
.text:0x14000109f 33c9 xor ecx,ecx
45+
.text:0x1400010a1 ba1f030000 mov edx,799
46+
.text:0x1400010a6 41b800100000 mov r8d,0x00001000
47+
.text:0x1400010ac 448d4940 lea r9d,dword [rcx + 64]
48+
.text:0x1400010b0 ff154a0f0000 call qword [rip + 3914] ;kernel32.VirtualAlloc(0,799,0x00001000,64)
49+
.text:0x1400010b6 41b81f030000 mov r8d,799
50+
.text:0x1400010bc 488bd7 mov rdx,rdi
51+
.text:0x1400010bf 488bc8 mov rcx,rax
52+
.text:0x1400010c2 488bd8 mov rbx,rax
53+
.text:0x1400010c5 e8650d0000 call 0x140001e2f ;memmove_140001e2f()
54+
.text:0x1400010ca 488d0d7f110000 lea rcx,qword [rip + 4479]
55+
.text:0x1400010d1 c744242020000000 mov dword [rsp + 32],32
56+
.text:0x1400010d9 c744242401000000 mov dword [rsp + 36],1
57+
.text:0x1400010e1 48c7442428000000 mov qword [rsp + 40],0
58+
.text:0x1400010ea 48895c2430 mov qword [rsp + 48],rbx
59+
.text:0x1400010ef 48c7442438000000 mov qword [rsp + 56],0
60+
.text:0x1400010f8 ff150a0f0000 call qword [rip + 3850] ;kernel32.DeleteFileW(0x140002250)
61+
.text:0x1400010fe 4c8d442420 lea r8,qword [rsp + 32]
62+
.text:0x140001103 488d1546110000 lea rdx,qword [rip + 4422]
63+
.text:0x14000110a 488d0d77110000 lea rcx,qword [rip + 4471]
64+
.text:0x140001111 ff15f90e0000 call qword [rip + 3833] ;UnknownApi()
65+
.text:0x140001117 33c0 xor eax,eax
66+
.text:0x140001119 488b4c2440 mov rcx,qword [rsp + 64]
67+
.text:0x14000111e 4833cc xor rcx,rsp
68+
.text:0x140001121 e82a000000 call 0x140001150 ;__security_check_cookie(0x2b992ddfa232)
69+
.text:0x140001126 488b5c2460 mov rbx,qword [rsp + 96]
70+
.text:0x14000112b 4883c450 add rsp,80
71+
.text:0x14000112f 5f pop rdi
72+
.text:0x140001130 c3 ret
73+
*/
74+
$c2 = { 33 C9 BA 1F 03 00 00 41 B8 00 10 00 00 44 8D 49 ?? FF 15 ?? ?? ?? ?? 41 B8 1F 03 00 00 48 8B D7 48 8B C8 48 8B D8 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? C7 44 24 ?? 20 00 00 00 C7 44 24 ?? 01 00 00 00 48 C7 44 24 ?? 00 00 00 00 48 89 5C 24 ?? 48 C7 44 24 ?? 00 00 00 00 FF 15 ?? ?? ?? ?? 4C 8D 44 24 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C0 48 8B 4C 24 ?? 48 33 CC E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 C4 50 5F C3 }
75+
/*
76+
function at 0x140001010@50580ef0b882905316c4569162ea07d9 with 3 features:
77+
- copy file
78+
- delete file
79+
- execute shellcode via CopyFile2
80+
.text:0x140001010
81+
.text:0x140001010 FUNC: int msx64call sub_140001010( ) [2 XREFS]
82+
.text:0x140001010
83+
.text:0x140001010 Stack Variables: (offset from initial top of stack)
84+
.text:0x140001010 32: void * shadow3
85+
.text:0x140001010 24: void * shadow2
86+
.text:0x140001010 16: void * shadow1
87+
.text:0x140001010 8: void * shadow0
88+
.text:0x140001010 -24: int local24
89+
.text:0x140001010 -32: int local32
90+
.text:0x140001010 -40: int local40
91+
.text:0x140001010 -48: int local48
92+
.text:0x140001010 -52: int local52
93+
.text:0x140001010 -56: int local56
94+
.text:0x140001010
95+
.text:0x140001010 48895c2408 mov qword [rsp + 8],rbx
96+
.text:0x140001015 57 push rdi
97+
.text:0x140001016 4883ec50 sub rsp,80
98+
.text:0x14000101a 488b05df1f0000 mov rax,qword [rip + 8159]
99+
.text:0x140001021 4833c4 xor rax,rsp
100+
.text:0x140001024 4889442440 mov qword [rsp + 64],rax
101+
.text:0x140001029 660f6f158f120000 movdqa xmm2,oword [rip + 4751]
102+
.text:0x140001031 488d3d08200000 lea rdi,qword [rip + 8200]
103+
.text:0x140001038 33c9 xor ecx,ecx
104+
.text:0x14000103a b800030000 mov eax,768
105+
.text:0x14000103f 90 nop
106+
.text:0x140001040 loc_140001040: [1 XREFS]
107+
.text:0x140001040 f30f6f0439 movdqu xmm0,oword [rcx + rdi]
108+
.text:0x140001045 660fefc2 pxor xmm0,xmm2
109+
.text:0x140001049 f30f7f0439 movdqu oword [rcx + rdi],xmm0
110+
.text:0x14000104e f30f6f4c3910 movdqu xmm1,oword [rcx + rdi + 16]
111+
.text:0x140001054 660fefca pxor xmm1,xmm2
112+
.text:0x140001058 f30f7f4c3910 movdqu oword [rcx + rdi + 16],xmm1
113+
.text:0x14000105e f30f6f443920 movdqu xmm0,oword [rcx + rdi + 32]
114+
.text:0x140001064 660fefc2 pxor xmm0,xmm2
115+
.text:0x140001068 f30f7f443920 movdqu oword [rcx + rdi + 32],xmm0
116+
.text:0x14000106e f30f6f443930 movdqu xmm0,oword [rcx + rdi + 48]
117+
.text:0x140001074 660fefc2 pxor xmm0,xmm2
118+
.text:0x140001078 f30f7f443930 movdqu oword [rcx + rdi + 48],xmm0
119+
.text:0x14000107e 4883c140 add rcx,64
120+
.text:0x140001082 483bc8 cmp rcx,rax
121+
.text:0x140001085 7cb9 jl 0x140001040
122+
.text:0x140001087 660f1f8400000000 nop word [rax + rax]
123+
.text:0x140001090 loc_140001090: [1 XREFS]
124+
.text:0x140001090 80343862 xor byte [rax + rdi],98
125+
.text:0x140001094 48ffc0 inc rax
126+
.text:0x140001097 483d1f030000 cmp rax,799
127+
.text:0x14000109d 7cf1 jl 0x140001090
128+
.text:0x14000109f 33c9 xor ecx,ecx
129+
.text:0x1400010a1 ba1f030000 mov edx,799
130+
.text:0x1400010a6 41b800100000 mov r8d,0x00001000
131+
.text:0x1400010ac 448d4940 lea r9d,dword [rcx + 64]
132+
.text:0x1400010b0 ff154a0f0000 call qword [rip + 3914] ;kernel32.VirtualAlloc(0,799,0x00001000,64)
133+
.text:0x1400010b6 41b81f030000 mov r8d,799
134+
.text:0x1400010bc 488bd7 mov rdx,rdi
135+
.text:0x1400010bf 488bc8 mov rcx,rax
136+
.text:0x1400010c2 488bd8 mov rbx,rax
137+
.text:0x1400010c5 e8650d0000 call 0x140001e2f ;memmove_140001e2f()
138+
.text:0x1400010ca 488d0d7f110000 lea rcx,qword [rip + 4479]
139+
.text:0x1400010d1 c744242020000000 mov dword [rsp + 32],32
140+
.text:0x1400010d9 c744242401000000 mov dword [rsp + 36],1
141+
.text:0x1400010e1 48c7442428000000 mov qword [rsp + 40],0
142+
.text:0x1400010ea 48895c2430 mov qword [rsp + 48],rbx
143+
.text:0x1400010ef 48c7442438000000 mov qword [rsp + 56],0
144+
.text:0x1400010f8 ff150a0f0000 call qword [rip + 3850] ;kernel32.DeleteFileW(0x140002250)
145+
.text:0x1400010fe 4c8d442420 lea r8,qword [rsp + 32]
146+
.text:0x140001103 488d1546110000 lea rdx,qword [rip + 4422]
147+
.text:0x14000110a 488d0d77110000 lea rcx,qword [rip + 4471]
148+
.text:0x140001111 ff15f90e0000 call qword [rip + 3833] ;UnknownApi()
149+
.text:0x140001117 33c0 xor eax,eax
150+
.text:0x140001119 488b4c2440 mov rcx,qword [rsp + 64]
151+
.text:0x14000111e 4833cc xor rcx,rsp
152+
.text:0x140001121 e82a000000 call 0x140001150 ;__security_check_cookie(0x2b992ddfa232)
153+
.text:0x140001126 488b5c2460 mov rbx,qword [rsp + 96]
154+
.text:0x14000112b 4883c450 add rsp,80
155+
.text:0x14000112f 5f pop rdi
156+
.text:0x140001130 c3 ret
157+
*/
158+
$c3 = { 48 89 5C 24 ?? 57 48 83 EC 50 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 44 24 ?? 66 0F 6F 15 ?? ?? 00 00 48 8D 3D ?? ?? ?? ?? 33 C9 B8 00 03 00 00 90 F3 0F 6F 04 39 66 0F EF C2 F3 0F 7F 04 39 F3 0F 6F 4C 39 ?? 66 0F EF CA F3 0F 7F 4C 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? 48 83 C1 40 48 3B C8 7C ?? 66 0F 1F 84 00 ?? ?? 00 00 80 34 38 62 48 FF C0 48 3D 1F 03 00 00 7C ?? 33 C9 BA 1F 03 00 00 41 B8 00 10 00 00 44 8D 49 ?? FF 15 ?? ?? ?? ?? 41 B8 1F 03 00 00 48 8B D7 48 8B C8 48 8B D8 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? C7 44 24 ?? 20 00 00 00 C7 44 24 ?? 01 00 00 00 48 C7 44 24 ?? 00 00 00 00 48 89 5C 24 ?? 48 C7 44 24 ?? 00 00 00 00 FF 15 ?? ?? ?? ?? 4C 8D 44 24 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C0 48 8B 4C 24 ?? 48 33 CC E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 C4 50 5F C3 }
159+
/*
160+
function at 0x140001a24@50580ef0b882905316c4569162ea07d9 with 1 features:
161+
- parse PE header
162+
.text:0x140001a24
163+
.text:0x140001a24 FUNC: int msx64call sub_140001a24( ) [2 XREFS]
164+
.text:0x140001a24
165+
.text:0x140001a24 Stack Variables: (offset from initial top of stack)
166+
.text:0x140001a24 32: void * shadow3
167+
.text:0x140001a24 24: void * shadow2
168+
.text:0x140001a24 16: void * shadow1
169+
.text:0x140001a24 8: void * shadow0
170+
.text:0x140001a24
171+
.text:0x140001a24 4883ec28 sub rsp,40
172+
.text:0x140001a28 33c9 xor ecx,ecx
173+
.text:0x140001a2a ff1518060000 call qword [rip + 1560] ;kernel32.GetModuleHandleW(0)
174+
.text:0x140001a30 4885c0 test rax,rax
175+
.text:0x140001a33 7439 jz 0x140001a6e
176+
.text:0x140001a35 b94d5a0000 mov ecx,0x00005a4d
177+
.text:0x140001a3a 663908 cmp word [rax],cx
178+
.text:0x140001a3d 752f jnz 0x140001a6e
179+
.text:0x140001a3f 4863483c movsxd rcx,dword [rax + 60]
180+
.text:0x140001a43 4803c8 add rcx,rax
181+
.text:0x140001a46 813950450000 cmp dword [rcx],0x00004550
182+
.text:0x140001a4c 7520 jnz 0x140001a6e
183+
.text:0x140001a4e b80b020000 mov eax,523
184+
.text:0x140001a53 66394118 cmp word [rcx + 24],ax
185+
.text:0x140001a57 7515 jnz 0x140001a6e
186+
.text:0x140001a59 83b9840000000e cmp dword [rcx + 132],14
187+
.text:0x140001a60 760c jbe 0x140001a6e
188+
.text:0x140001a62 83b9f800000000 cmp dword [rcx + 248],0
189+
.text:0x140001a69 0f95c0 setnz al
190+
.text:0x140001a6c eb02 jmp 0x140001a70
191+
.text:0x140001a6e loc_140001a6e: [5 XREFS]
192+
.text:0x140001a6e 32c0 xor al,al
193+
.text:0x140001a70 loc_140001a70: [1 XREFS]
194+
.text:0x140001a70 4883c428 add rsp,40
195+
.text:0x140001a74 c3 ret
196+
*/
197+
$c4 = { 48 83 EC 28 33 C9 FF 15 ?? ?? ?? ?? 48 85 C0 74 ?? B9 4D 5A 00 00 66 39 08 75 ?? 48 63 48 ?? 48 03 C8 81 39 50 45 00 00 75 ?? B8 0B 02 00 00 66 39 41 ?? 75 ?? 83 B9 ?? ?? ?? ?? 0E 76 ?? 83 B9 ?? ?? ?? ?? 00 0F 95 C0 EB ?? 32 C0 48 83 C4 28 C3 }
198+
condition:
199+
all of them
200+
}
201+

0 commit comments

Comments
 (0)