From e94d0398c8c8e20ef410c6f91d12050e33f54f04 Mon Sep 17 00:00:00 2001
From: Piotr Szczepanski
Date: Wed, 15 Apr 2020 14:52:55 +0200
Subject: [PATCH 1/2] Added detection of 64-bit bit programs protected with Enigma.

Enigma protector offers a separate tool to protect 64-bit binaries. Such binaries have a different signature from the 32-bit versions. This addition will ensure the 64-bit versions will be properly detected.

---
 support/yara_patterns/tools/pe/x64/packers.yara | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/support/yara_patterns/tools/pe/x64/packers.yara b/support/yara_patterns/tools/pe/x64/packers.yara
index 3f58c33cd..d65853d04 100644
--- a/support/yara_patterns/tools/pe/x64/packers.yara
+++ b/support/yara_patterns/tools/pe/x64/packers.yara
@@ -5,6 +5,18 @@
 
 import "pe"
 
+rule enigma_1x {
+ meta:
+ tool = "P"
+ name = "Enigma"
+ version = "1.x+ (64-bit)"
+ pattern = "5051525355565741504151415241534154415541564157489C4881EC080000000FAE1C24E8000000005D4881ED??0000004881ED"
+ strings:
+ $1 = { 50 51 52 53 55 56 57 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 48 9C 48 81 EC 08 00 00 00 0F AE 1C 24 E8 00 00 00 00 5D 48 81 ED ?? 00 00 00 48 81 ED }
+ condition:
+ @1 < pe.overlay.offset or $1
+}
+
 rule upx_39x_lzma {
 meta:
 tool = "P"
From cf379f4db9d6eabc3a62f2207b193119b2954294 Mon Sep 17 00:00:00 2001
From: Piotr Szczepanski
Date: Wed, 15 Apr 2020 14:57:21 +0200
Subject: [PATCH 2/2] Improve the detection of Enigma protector (32-bit).

The following changes ensure that previously undetected versions, and hopefully future versions as well, are properly detected as Enigma.

---
 .../yara_patterns/tools/pe/x86/packers.yara | 30 +++++++++++++++++--
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
index ad283abb5..e212b60b1 100644
--- a/support/yara_patterns/tools/pe/x86/packers.yara
+++ b/support/yara_patterns/tools/pe/x86/packers.yara
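Review bot: The condition `@1 < pe.overlay.offset or $1` in the new enigma_1x rule is equivalent to plain `$1`: `@1` is only defined when `$1` has matched, and in that case the right-hand operand is already true, so the overlay bound never restricts anything. As written the rule fires on the stub bytes anywhere in the file, overlay included, so a 64-bit PE that merely carries an Enigma-protected binary as a resource or appended payload (a dropper or installer) is itself reported as Enigma-packed, and any unpacking step keyed on that label runs against the wrong file. If the intent was to exclude matches in appended data the condition should be `$1 and @1 < pe.overlay.offset`; if the intent was the entry-point anchor the existing x86 Enigma rules in the second patch use, `$1 at pe.entry_point`. A one-line comment above `condition:` stating which placement the rule accepts would keep the next editor from reading the `or` as deliberate.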
@@ -4786,16 +4786,28 @@ rule encryptpe_22008618_02 {
 $1 at pe.entry_point
 }
 
-rule enigma_protector_102 {
+rule enigma_0x {
 meta:
 tool = "P"
- name = "Enigma protector"
+ name = "Enigma"
+ version = "0.x beta"
+ pattern = "60E824000000??????EB02????8B44240C8380B80000000331C0C383C008EB02????89C461EB2E??????83042403EB01??31C0EB01??64FF30EB01??648920EB02????8900"
+ strings:
+ $1 = { 60 E8 24 00 00 00 ?? ?? ?? EB 02 ?? ?? 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 ?? ?? 89 C4 61 EB 2E ?? ?? ?? 83 04 24 03 EB 01 ?? 31 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? 89 00 }
+ condition:
+ @1 < pe.overlay.offset or $1
+}
+
+rule enigma_102 {
+ meta:
+ tool = "P"
+ name = "Enigma"
 version = "1.02"
 pattern = "60E8000000005D83ED0681ED??????????????????????????????????????????????????????????????????????E8010000009A83C404EB02FF3560E8240000000000FFEB02CD208B44240C8380B80000000331C0C383C008EB02FF1589C461EB2EEAEB2B83042403EB010031C0EB018564FF30EB0183648920EB02CD2089009A648F0500000000EB02C1905861EB013EBE01000000C1E60283EC0487DE891C24"
 strings:
 $1 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E BE 01 00 00 00 C1 E6 02 83 EC 04 87 DE 89 1C 24 }
 condition:
- $1 at pe.entry_point
+ @1 < pe.overlay.offset or $1
 }
 
 rule enigma_11x {
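Review bot: The `$1` of the new enigma_0x rule is a wildcarded copy of the run from `60 E8 24 00 00 00` to `89 00` inside enigma_102's `$1` (every fixed byte agrees; the positions that differ are `??`), so any file enigma_102 matches also matches enigma_0x and may be reported as both "0.x beta" and "1.02". Since YARA only lets a condition reference rules declared earlier in the same file, the fix is to move enigma_102 above enigma_0x and give enigma_0x the condition `$1 and not enigma_102`. Separately, replacing `$1 at pe.entry_point` with `@1 < pe.overlay.offset or $1` on enigma_102 loosens it to a match anywhere in the file, because `@1` is only defined once `$1` matches and the `or $1` is then already true; `$1 and @1 < pe.overlay.offset` is presumably what was meant if the aim was to exclude matches in appended data. A short comment on each rule naming the Enigma build the stub was taken from would also help, since the version strings are now the only thing telling the two rules apart.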
@@ -4870,6 +4882,18 @@ rule enigma_1x_02 {
 $1 at pe.entry_point
 }
 
+rule enigma_1x_03 {
+ meta:
+ tool = "P"
+ name = "Enigma"
+ version = "1.x+"
+ pattern = "60E8000000005D81ED0600000081ED????????E9??000000454E49474D41"
+ strings:
+ $1 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 81 ED ?? ?? ?? ?? E9 ?? 00 00 00 45 4E 49 47 4D 41 }
+ condition:
+ @1 < pe.overlay.offset or $1
+}
+
 rule enigma_131 {
 meta:
 tool = "P"
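Review bot: The condition `@1 < pe.overlay.offset or $1` of the new enigma_1x_03 rule reduces to `$1` — `@1` is undefined unless `$1` matches, and when it does the right operand is already true — so unlike the neighbouring enigma_1x_02 (`$1 at pe.entry_point` in the hunk's leading context) this rule accepts the stub anywhere in the file, resources and overlay included. For a packer identifier that is a false-positive path: a dropper that embeds an Enigma-protected 32-bit PE is itself labelled Enigma "1.x+". If the overlay bound was meant as a restriction it should read `$1 and @1 < pe.overlay.offset`; if the trailing `45 4E 49 47 4D 41` ("ENIGMA") marker is what makes the stub specific enough to drop the entry-point anchor, say so in a comment above `$1` so a later edit does not shorten it. Whether 1.31 samples also hit this rule cannot be told from the hunk (enigma_131's strings lie outside it); if they do, the same `and not enigma_131` exclusion applies, which would require declaring this rule after enigma_131.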