1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import "pe"
rule WhiskeyCharlie
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "47ff4f73738acc2f8433dccb2caf980d7444d723ccf2968d69f88f8f96405f96"
strings:
/*
66 89 55 DC mov [ebp+SystemTime.wYear], dx
E8 1E 16 00 00 call _rand
6A 0C push 0Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
42 inc edx
66 89 55 DE mov [ebp+SystemTime.wMonth], dx
E8 0E 16 00 00 call _rand
6A 1C push 1Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
42 inc edx
66 89 55 E2 mov [ebp+SystemTime.wDay], dx
E8 FE 15 00 00 call _rand
6A 18 push 18h
99 cdq
59 pop ecx
F7 F9 idiv ecx
66 89 55 E4 mov [ebp+SystemTime.wHour], dx
E8 EF 15 00 00 call _rand
6A 3C push 3Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
66 89 55 E6 mov [ebp+SystemTime.wMinute], dx
E8 E0 15 00 00 call _rand
6A 3C push 3Ch
99 cdq
59 pop ecx
F7 F9 idiv ecx
*/
$a = {66 89 55 DC E8 [4] 6A 0C 99 59 F7 F9 42 66 89 55 DE E8 [4] 6A 1C 99 59 F7 F9 42 66 89 55 E2 E8 [4] 6A 18 99 59 F7 F9 66 89 55 E4 E8 [4] 6A 3C 99 59 F7 F9 66 89 55 E6 E8 [4] 6A 3C 99 59 F7 F9 }
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}