[Community-sigs] new sig for Win.Dropper.Necurs

andreisaygo at live.ie andreisaygo at live.ie
Wed Dec 3 11:51:13 EST 2014 

Signature:
Win.Dropper.Necurs;Target:1;0&(1|2);8B45088945F4C645????EB078B45F4408945F40FBE45??8945??*C645??008B45F40FBE000FBE4D??33C8884D??E9????FFFF;C685??FDFFFF94C685??FDFFFFE2C685??FDFFFFCEC685??FDFFFFA6C685??FDFFFF39C685??FDFFFFD5C685??FDFFFF7FC685??FDFFFF5EC685??FDFFFF61C685??FDFFFF52C685??FDFFFFB9;C68570FDFFFF??C68571FDFFFF??C68572FDFFFF??C68573FDFFFF??C68574FDFFFF??C68575FDFFFF??C68576FDFFFF??C68577FDFFFF??C68578FDFFFF??C68579FDFFFF??C6857AFDFFFF??



Hashes
MD5: 80e090c484d6fd131baaafbfdbf109b4  
SHA1: eb8760d513e957d7871915877534ce9402737799  
SHA256: a85101aaa1863d119847f1cc8271343d1a911f304641a02af953c17ecdae84d6

Sig0:
004023AB 8B 45 08                mov     eax, [ebp+arg_0]   ;eax - encrypted string
004023AE 89 45 F4                mov     [ebp+var_C], eax

004023B1 C6 45 ?? ??             mov     [ebp+var_17], 2
004023B5 EB 07                   jmp     short loc_4023BE
004023B7                         loc_4023B7:
004023B7 8B 45 F4                mov     eax, [ebp+var_C]
004023BA 40                      inc     eax
004023BB 89 45 F4                mov     [ebp+var_C], eax
004023BE                         loc_4023BE:
004023BE 0F BE 45 ??             movsx   eax, [ebp+var_17]
004023C2 89 45 ??                mov     [ebp+var_3C], eax
(...)
004025AA C6 45 ?? 00             mov     [ebp+var_17], 0
004025AE 8B 45 F4                mov     eax, [ebp+var_C]
004025B1 0F BE 00                movsx   eax, byte ptr [eax]
004025B4 0F BE 4D ??             movsx   ecx, [ebp+var_17]
004025B8 33 C8                   xor     ecx, eax
004025BA 88 4D ??                mov     [ebp+var_17], cl
004025BD E9 ?? ?? FF FF          jmp     loc_4023B7



Sig1 and 2 are the same, just wildcarded either the local vars or the written bytes:
040325E C6 85 70 FD FF FF 94    mov     byte ptr [ebp-290h], 94h
00403265 C6 85 71 FD FF FF E2    mov     byte ptr [ebp-28Fh], 0E2h
0040326C C6 85 72 FD FF FF CE    mov     byte ptr [ebp-28Eh], 0CEh
00403273 C6 85 73 FD FF FF A6    mov     byte ptr [ebp-28Dh], 0A6h
0040327A C6 85 74 FD FF FF 39    mov     byte ptr [ebp-28Ch], 39h
00403281 C6 85 75 FD FF FF D5    mov     byte ptr [ebp-28Bh], 0D5h
00403288 C6 85 76 FD FF FF 7F    mov     byte ptr [ebp-28Ah], 7Fh
0040328F C6 85 77 FD FF FF 5E    mov     byte ptr [ebp-289h], 5Eh
00403296 C6 85 78 FD FF FF 61    mov     byte ptr [ebp-288h], 61h
0040329D C6 85 79 FD FF FF 52    mov     byte ptr [ebp-287h], 52h
004032A4 C6 85 7A FD FF FF B9    mov     byte ptr [ebp-286h], 0B9h

Regards,
Andrei Saygo

More information about the Community-sigs mailing list