import "pe"
rule RomeoBravo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        // NOTE(review): key is capitalised unlike the other meta keys;
        // the value looks like the SHA-256 of the reference sample - confirm.
        Source = "95314a7af76ec36cfba1a02b67c2b81526a04e3b2f9b8fb9b383ffcbcc5a3d9b"

    strings:
        /*
         * $a is lifted from the disassembly below (a send / receive
         * round-trip with the "return 2" error path after each call).
         * Wildcards in the pattern:
         *   E8 [4]          call rel32 - the displacement differs per build, so it is skipped
         *   74 ??           jz rel8    - the short-jump distance is not pinned
         *   B? 02 00 00 00  mov r32, 2 - B8 is eax in the listing, B? admits any 32-bit register
         *   5?              pop r32    - 5E is esi in the listing
         *   8D [3]          lea with a 3-byte ModRM/SIB/disp8 operand
         *
         *   E8 D9 FC FF FF   call SendData
         *   83 C4 10         add esp, 10h
         *   85 C0            test eax, eax
         *   74 0A            jz short loc_10003FE8
         *   B8 02 00 00 00   mov eax, 2
         *   5E               pop esi
         *   83 C4 18         add esp, 18h
         *   C3               retn
         *   6A 78            push 78h         ; dwTimeout
         *   6A 01            push 1           ; fDecode
         *   8D 54 24 18      lea edx, [esp+24h+recvData]
         *   6A 0C            push 0Ch         ; dwLength
         *   52               push edx         ; pvBuffer
         *   56               push esi         ; skt
         *   E8 57 FD FF FF   call RecvData
         *   83 C4 14         add esp, 14h
         *   85 C0            test eax, eax
         *   74 0A            jz short loc_1000400A
         *   B8 02 00 00 00   mov eax, 2
         */
        $a = {E8 [4] 83 C4 10 85 C0 74 ?? B? 02 00 00 00 5? 83 C4 18 C3 6A 78 6A 01 8D [3] 6A 0C 5? 5? E8 [4] 83 C4 14 85 C0 74 ?? B8 02 00 00 00}

    condition:
        // Match only inside the raw file range of the .text section. When the
        // file is not a PE or has no .text section, pe.section_index() is
        // undefined, so the whole condition is undefined and the rule does not fire.
        $a in (pe.sections[pe.section_index(".text")].raw_data_offset ..
               pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)
}