import "pe"
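rule HotelAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "58dab205ecb1e0972027eb92f68cec6d208e5ab5.ex_"

    strings:
        // Literal resource name as it appears in the source sample.  Declared
        // with YARA's default (ASCII only).  NOTE(review): a resource of this
        // name would also exist as UTF-16 in the PE resource directory; adding
        // `ascii wide` would cover that but broadens the match, so it is left
        // as-is pending confirmation against the sample.
        $resourceHTML = "RSRC_HTML"

        /*
        In-place single-byte XOR loop from the source sample (presumably the
        decoder for the resource above — the name is the only hint):

            8A 0C 18    mov  cl, [eax+ebx]
            80 F1 63    xor  cl, 63h          ; key 0x63 (wildcarded below)
            88 0C 18    mov  [eax+ebx], cl
            8B 4D 00    mov  ecx, [ebp+0]
            40          inc  eax
            3B C1       cmp  eax, ecx         ; loop bound
            72 EF       jb   short loc_4010B4 ; rel8 -17 -> back to loop start

        Wildcards: `[2]` covers the ModRM/SIB bytes (register allocation),
        `??` covers the XOR key and the cmp operand.  The `72 EF` backward
        displacement is deliberately fixed: the seven instructions total
        exactly 17 bytes, so any variant with the same layout keeps it.
        */
        $rscsDecoderLoop = {8A [2] 80 F1 ?? 88 [2] 8B [2] 40 3B ?? 72 EF}

    condition:
        // Both indicators must be present and the decoder loop must start
        // inside the raw bytes of the `.text` section.  YARA's `in (a..b)`
        // is inclusive at both ends, so the upper bound is the section's last
        // byte (offset + size - 1); the previous `offset + size` also
        // accepted a match starting on the first byte of the next section.
        // If no section is literally named ".text" (packed or renamed
        // sections), pe.section_index() is undefined and the whole condition
        // evaluates false — the rule silently does not fire.
        $resourceHTML and
        $rscsDecoderLoop in (
            pe.sections[pe.section_index(".text")].raw_data_offset ..
            pe.sections[pe.section_index(".text")].raw_data_offset +
            pe.sections[pe.section_index(".text")].raw_data_size - 1
        )
}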