1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import "pe"
rule RomeoHotel
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source_64 = "440cb3f6dd07e2f9e3d3614fd23d3863ecfc08b463b0b327eedf08504f838c90"
Source_diskSpace = "1b1496f8f35d32a93c7f16ebff6e9b560a158cc6fce061491f91bc9f43ef5be4"
strings:
/*
E8 D3 C7 00 00 call rand
44 8B ED mov r13d, ebp
44 8B E0 mov r12d, eax
B8 1F 85 EB 51 mov eax, 51EB851Fh
48 8B FD mov rdi, rbp
41 F7 EC imul r12d
C1 FA 05 sar edx, 5
8B CA mov ecx, edx
C1 E9 1F shr ecx, 1Fh
03 D1 add edx, ecx
6B D2 64 imul edx, 64h
44 2B E2 sub r12d, edx
41 83 C4 3C add r12d, 3Ch
*/
$randBuff64 = {E8 [4] 44 [2] 44 [2] B? 1F 85 EB 51 48 [2] 41 [2] C1 ?? 05 8B ?? C1 ?? 1F 03 ?? 6B ?? 64 44 [2] 41 [2] 3C}
/*
FF 15 40 70 01 10 call ds:GetDiskFreeSpaceExA
85 C0 test eax, eax
74 34 jz short loc_10005072
8B 84 24 20 01 00 00 mov eax, [esp+11Ch+arg_0]
6A 00 push 0
99 cdq
68 00 00 10 00 push 100000h
52 push edx
50 push eax
E8 4C 7C 00 00 call __allmul
*/
$diskSpace = {FF 15 [4] 85 C0 74 ?? 8B [6] 6A 00 99 68 00 00 10 00 5? 5? E8}
$winst = "winsta0\\default" wide // this limits the overlap with RomeoGolf
condition:
$randBuff64 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
or ($diskSpace in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
and $winst)
}