{"group":"play","count":1,"rules":[{"rule_name":"Play.yar","rule_text":"rule win_play_auto {\n\n meta:\n author = \"Felix Bilstein - yara-signator at cocacoding dot com\"\n date = \"2023-07-11\"\n version = \"1\"\n description = \"Detects win.play.\"\n info = \"autogenerated rule brought to you by yara-signator\"\n tool = \"yara-signator v0.6.0\"\n signator_config = \"callsandjumps;datarefs;binvalue\"\n malpedia_reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.play\"\n malpedia_rule_date = \"20230705\"\n malpedia_hash = \"42d0574f4405bd7d2b154d321d345acb18834a41\"\n malpedia_version = \"20230715\"\n malpedia_license = \"CC BY-SA 4.0\"\n malpedia_sharing = \"TLP:WHITE\"\n\n /* DISCLAIMER\n * The strings used in this rule have been automatically selected from the\n * disassembly of memory dumps and unpacked files, using YARA-Signator.\n * The code and documentation is published here:\n * https://github.com/fxb-cocacoding/yara-signator\n * As Malpedia is used as data source, please note that for a given\n * number of families, only single samples are documented.\n * This likely impacts the degree of generalization these rules will offer.\n * Take the described generation method also into consideration when you\n * apply the rules in your use cases and assign them confidence levels.\n */\n\n\n strings:\n $sequence_0 = { 8b5d08 8d9328442324 8955e8 8d834f86c861 8d9377caeb85 8955ec 8d5103 }\n // n = 7, score = 100\n // 8b5d08 | mov ebx, dword ptr [ebp + 8]\n // 8d9328442324 | lea edx, [ebx + 0x24234428]\n // 8955e8 | mov dword ptr [ebp - 0x18], edx\n // 8d834f86c861 | lea eax, [ebx + 0x61c8864f]\n // 8d9377caeb85 | lea edx, [ebx - 0x7a143589]\n // 8955ec | mov dword ptr [ebp - 0x14], edx\n // 8d5103 | lea edx, [ecx + 3]\n\n $sequence_1 = { 51 8d147f c1e202 e8???????? 83c408 a3???????? }\n // n = 6, score = 100\n // 51 | push ecx\n // 8d147f | lea edx, [edi + edi*2]\n // c1e202 | shl edx, 2\n // e8???????? | \n // 83c408 | add esp, 8\n // a3???????? | \n\n $sequence_2 = { 8d85b1feffff 03c1 50 8d85a8fdffff 6804010000 50 e8???????? }\n // n = 7, score = 100\n // 8d85b1feffff | lea eax, [ebp - 0x14f]\n // 03c1 | add eax, ecx\n // 50 | push eax\n // 8d85a8fdffff | lea eax, [ebp - 0x258]\n // 6804010000 | push 0x104\n // 50 | push eax\n // e8???????? | \n\n $sequence_3 = { 8a852afeffff 04f6 8885d2feffff 88852afeffff 8d45c8 50 ff35???????? }\n // n = 7, score = 100\n // 8a852afeffff | mov al, byte ptr [ebp - 0x1d6]\n // 04f6 | add al, 0xf6\n // 8885d2feffff | mov byte ptr [ebp - 0x12e], al\n // 88852afeffff | mov byte ptr [ebp - 0x1d6], al\n // 8d45c8 | lea eax, [ebp - 0x38]\n // 50 | push eax\n // ff35???????? | \n\n $sequence_4 = { 899dbcfeffff 83d600 8995b0feffff 89b568feffff 888d82feffff 85d2 7514 }\n // n = 7, score = 100\n // 899dbcfeffff | mov dword ptr [ebp - 0x144], ebx\n // 83d600 | adc esi, 0\n // 8995b0feffff | mov dword ptr [ebp - 0x150], edx\n // 89b568feffff | mov dword ptr [ebp - 0x198], esi\n // 888d82feffff | mov byte ptr [ebp - 0x17e], cl\n // 85d2 | test edx, edx\n // 7514 | jne 0x16\n\n $sequence_5 = { c78580fdffff2d51be07 c78584fdffff2f3de01e c78588fdffff760ba609 c7858cfdffff6b188d10 c78590fdffff8739684e c78594fdffff88540000 0f118550fcffff }\n // n = 7, score = 100\n // c78580fdffff2d51be07 | mov dword ptr [ebp - 0x280], 0x7be512d\n // c78584fdffff2f3de01e | mov dword ptr [ebp - 0x27c], 0x1ee03d2f\n // c78588fdffff760ba609 | mov dword ptr [ebp - 0x278], 0x9a60b76\n // c7858cfdffff6b188d10 | mov dword ptr [ebp - 0x274], 0x108d186b\n // c78590fdffff8739684e | mov dword ptr [ebp - 0x270], 0x4e683987\n // c78594fdffff88540000 | mov dword ptr [ebp - 0x26c], 0x5488\n // 0f118550fcffff | movups xmmword ptr [ebp - 0x3b0], xmm0\n\n $sequence_6 = { 40 6603f2 83f810 7cf0 0fb7c6 ba10000000 }\n // n = 6, score = 100\n // 40 | inc eax\n // 6603f2 | add si, dx\n // 83f810 | cmp eax, 0x10\n // 7cf0 | jl 0xfffffff2\n // 0fb7c6 | movzx eax, si\n // ba10000000 | mov edx, 0x10\n\n $sequence_7 = { 6809ed1c23 b6b7 92 e2a8 fc f622 94 }\n // n = 7, score = 100\n // 6809ed1c23 | push 0x231ced09\n // b6b7 | mov dh, 0xb7\n // 92 | xchg eax, edx\n // e2a8 | loop 0xffffffaa\n // fc | cld \n // f622 | mul byte ptr [edx]\n // 94 | xchg eax, esp\n\n $sequence_8 = { 660fd645e0 b9???????? e8???????? 83c408 8d55d0 8bcf e8???????? }\n // n = 7, score = 100\n // 660fd645e0 | movq qword ptr [ebp - 0x20], xmm0\n // b9???????? | \n // e8???????? | \n // 83c408 | add esp, 8\n // 8d55d0 | lea edx, [ebp - 0x30]\n // 8bcf | mov ecx, edi\n // e8???????? | \n\n $sequence_9 = { 8b45b0 895db8 c745d801000000 8b048580d24200 8945d0 81f9e9fd0000 0f852d010000 }\n // n = 7, score = 100\n // 8b45b0 | mov eax, dword ptr [ebp - 0x50]\n // 895db8 | mov dword ptr [ebp - 0x48], ebx\n // c745d801000000 | mov dword ptr [ebp - 0x28], 1\n // 8b048580d24200 | mov eax, dword ptr [eax*4 + 0x42d280]\n // 8945d0 | mov dword ptr [ebp - 0x30], eax\n // 81f9e9fd0000 | cmp ecx, 0xfde9\n // 0f852d010000 | jne 0x133\n\n condition:\n 7 of them and filesize < 389120\n}","sha256":"0cbd1f4716deb9c4cd3e44612509c9ad33738f65926b6943bd3df599a58e6b6a","byte_size":7808,"updated_at":"2026-06-24 05:16:04"}]}