Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
IndiaDelta.yara 1.06 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 
import "pe"

rule IndiaDelta
{
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		Source = "d7b50b1546653bff68220996190446bdc7fc4e38373715b8848d1fb44fe3f53c"

	strings:
	/*
		FF 15 DC 2D 41 00  call    ReadFile_0
		8B 44 24 20        mov     eax, [esp+25Ch+offsetInFile]
		8B 54 24 1C        mov     edx, [esp+25Ch+dwEmbedCnt]
		35 78 56 34 12     xor     eax, 12345678h
		55                 push    ebp
		55                 push    ebp
		81 F2 78 56 34 12  xor     edx, 12345678h
		50                 push    eax
		57                 push    edi
		89 54 24 2C        mov     [esp+26Ch+dwEmbedCnt], edx
		89 44 24 30        mov     [esp+26Ch+offsetInFile], eax
		FF 15 E0 2D 41 00  call    SetFilePointer_0
	*/

	$a =   {FF 15 [4-12] 3? 78 56 34 12 [0-2] 8? ?? 78 56 34 12 [0-10] FF 15}

	condition:
		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}