Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
TangoBravo.yara 1.08 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 
import "pe"

rule TangoBravo
{
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		Source = "2aa9cd3a2db2bd9dbe5ee36d9a5fc42b50beca806f9d644f387d5a680a580896"

	strings:
	/*
		50                 push    eax             ; SubStr
		55                 push    ebp             ; Str
		FF D3              call    ebx ; strstr
		83 C4 08           add     esp, 8
		85 C0              test    eax, eax
		75 1A              jnz     short loc_401131
		8A 8E 08 01 00 00  mov     cl, [esi+108h]
		81 C6 08 01 00 00  add     esi, 108h
		47                 inc     edi
		8B C6              mov     eax, esi
		84 C9              test    cl, cl
		75 E2              jnz     short loc_40110C
	*/

	$targetDomainCheck = {5? 5? FF ?? 83 C4 08 85 C0 75 ?? 8? ?? 08 01 00 00 8? ?? 08 01 00 00 4? 8B ?? 84 ?? 75  }

	condition:
		$targetDomainCheck in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}