Update IndiaEcho.yara

04b9bb37 · mmorenog · 8da4b62b · 04b9bb37
Commit 04b9bb37 authored Feb 25, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 20 deletions

IndiaEcho.yara malware/Operation_Blockbuster/IndiaEcho.yara +1 -20

No files found.
--- a/malware/Operation_Blockbuster/IndiaEcho.yara
+++ b/malware/Operation_Blockbuster/IndiaEcho.yara
@@ -28,26 +28,7 @@ rule IndiaEcho
 		81 C7 08 01 00 00  add     edi, 108h
 	*/

-	$a = {
-			69 ?? 28 01 00 00 
-			5? 
-			5? 
-			FF B5 [4] 
-			E8 [4] 
-			8B [5] 
-			69 ?? 28 01 00 00 
-			50 
-			8B [5] 
-			(05 08 01 00 00 | 03 ??)
-			50 
-			FF [5]
-			E8 [4] 
-			83 C4 ?? 
-			8B [5]
-			69 ?? 28 01 00 00 
-			(81 C7 08 01 00 00 | 03 ??)
-
-		}
+	$a = {69 ?? 28 01 00 00 5? 5? FF B5 [4] E8 [4] 8B [5] 69 ?? 28 01 00 00	50 8B [5] (05 08 01 00 00 | 03 ??) 50 FF [5] E8 [4] 83 C4 ?? 8B [5] 69 ?? 28 01 00 00 (81 C7 08 01 00 00 | 03 ??)}

 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))