1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
// This rule has been modified by @mmorenog @yararules to fix some syntax errors, it's not the original rule
import "pe"
rule WhiskeyBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "74eac0461c40316689ac2d598f606caa3965195b22f23d5acefeedfcdf056c5b"
Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
Source = "d079a266ed2a852c33cdac3df115d163ebbf2c8dae32d935e895cf8193163b13"
strings:
/*
6A 04 push 4 ; MaxCount <--- this arg is not found in some variants (41bad..) as wcscmp is used instead
68 08 82 00 10 push offset Str2 ; ".doc"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp <--- d07... variant uses a direct call instead
83 C4 0C add esp, 0Ch <--- when wcscmp is used, this is add esp, 8
85 C0 test eax, eax
0F 84 5B 02 00 00 jz loc_100017D5
6A 05 push 5 ; MaxCount
68 FC 81 00 10 push offset a_docx ; ".docx"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp
83 C4 0C add esp, 0Ch
85 C0 test eax, eax
0F 84 46 02 00 00 jz loc_100017D5
6A 04 push 4 ; MaxCount
68 F0 81 00 10 push offset a_docm ; ".docm"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp
83 C4 0C add esp, 0Ch
85 C0 test eax, eax
0F 84 31 02 00 00 jz loc_100017D5
6A 04 push 4 ; MaxCount
68 E4 81 00 10 push offset a_wpd ; ".wpd"
56 push esi ; Str1
FF D7 call edi ; _wcsnicmp
*/
$a = {68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 }
$ext1 = ".wpd" wide nocase
$ext2 = ".doc" wide nocase
$ext3 = ".hwp" wide nocase
condition:
2 of ($ext*) and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}