1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import "pe"
rule IndiaWhiskey
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "0c729deec341267c5a9a2271f20266ac3b0775d70436c7770ddc20605088f3b4"
Description = "Winsec Installer"
strings:
/*
// Service installation code
FF 15 68 30 40 00 call ds:wsprintfA
83 C4 18 add esp, 18h
8D 85 FC FE FF FF lea eax, [ebp+var_104]
56 push esi
56 push esi
56 push esi
56 push esi
56 push esi
50 push eax
6A 01 push 1
// some variants have these two lines added
5E pop esi
56 push esi
6A 02 push 2
68 20 01 00 00 push 120h
68 FF 01 0F 00 push 0F01FFh
FF 75 0C push [ebp+arg_4]
FF 75 08 push [ebp+arg_0]
// some variants have the next line as a push {reg} or push {stack var}
53 push ebx
//or
FF 75 FC push [ebp+var_4]
FF 15 E4 49 40 00 call CreateServiceA
*/
$a = {
FF 15 [4]
83 C4 18
8D [5]
5?
5?
5?
5?
5?
5?
6A 01
[0-2]
6A 02
68 20 01 00 00
68 FF 01 0F 00
FF 75 ??
FF 75 ??
(5? | FF 75 ??)
FF 15
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}