Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
LimaAlfa.yara 1.01 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 
import "pe"

rule LimaAlfa
{
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		Source = "c9fbad7fc7ff7688776056be3a41714a1f91458a7b16c37c3c906d17daac2c8b"
		Status = "Signature is too loose to be useful."

	strings:
	/*
		33 C0              xor     eax, eax
		66 8B 02           mov     ax, [edx]
		8B E8              mov     ebp, eax
		81 E5 00 F0 FF FF  and     ebp, 0FFFFF000h
		81 FD 00 30 00 00  cmp     ebp, 3000h
		75 0D              jnz     short loc_4019FB
		8B 6C 24 18        mov     ebp, [esp+10h+arg_4]
		25 FF 0F 00 00     and     eax, 0FFFh
		03 C7              add     eax, edi
		01 28              add     [eax], ebp
	*/

	$a = {33 C0 66 [2] 8B ?? 81 ?? 00 F0 FF FF 81 ?? 00 30 00 00 75 ?? 8B [3] 25 FF 0F 00 00 03 C7 01}

	condition:
		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}