// This rule has been modified by @mmorenog
// Original->$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4]}
// Final -> $idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
import "pe"
rule RomeoGolf
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe"
strings:
/*
FF 15 70 80 01 10 call ds:GetTickCount
50 push eax ; unsigned int
E8 80 93 00 00 call _srand
83 C4 04 add esp, 4
E8 85 93 00 00 call _rand
C1 E0 10 shl eax, 10h
89 46 0C mov [esi+0Ch], eax
E8 7A 93 00 00 call _rand
01 46 0C add [esi+0Ch], eax
E8 72 93 00 00 call _rand
C1 E0 10 shl eax, 10h
89 46 08 mov [esi+8], eax
E8 67 93 00 00 call _rand
01 46 08 add [esi+8], eax
*/
$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
condition:
$idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}