1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import "pe"
rule IndiaWhiskey
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "0c729deec341267c5a9a2271f20266ac3b0775d70436c7770ddc20605088f3b4"
Description = "Winsec Installer"
strings:
/*
// Service installation code
FF 15 68 30 40 00 call ds:wsprintfA
83 C4 18 add esp, 18h
8D 85 FC FE FF FF lea eax, [ebp+var_104]
56 push esi
56 push esi
56 push esi
56 push esi
56 push esi
50 push eax
6A 01 push 1
// some variants have these two lines added
5E pop esi
56 push esi
6A 02 push 2
68 20 01 00 00 push 120h
68 FF 01 0F 00 push 0F01FFh
FF 75 0C push [ebp+arg_4]
FF 75 08 push [ebp+arg_0]
// some variants have the next line as a push {reg} or push {stack var}
53 push ebx
//or
FF 75 FC push [ebp+var_4]
FF 15 E4 49 40 00 call CreateServiceA
*/
$a = {FF 15 [4] 83 C4 18 8D [5] 5? 5? 5? 5? 5? 5? 6A 01 [0-2] 6A 02 68 20 01 00 00 68 FF 01 0F 00 FF 75 ?? FF 75 ?? (5? | FF 75 ??) FF 15}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}