Update WhiskeyAlfa.yara

19fc17cc · mmorenog · f87b4264 · 19fc17cc
Commit 19fc17cc authored Feb 25, 2016 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 22 deletions

WhiskeyAlfa.yara malware/Operation_Blockbuster/WhiskeyAlfa.yara +2 -22

No files found.
--- a/malware/Operation_Blockbuster/WhiskeyAlfa.yara
+++ b/malware/Operation_Blockbuster/WhiskeyAlfa.yara
@@ -18,15 +18,7 @@ rule WhiskeyAlfa
 		7C EA              jl      short loc_402E8D
 	*/

-	$randomBuffer = {
-			E8 [4] 
-			B1 ?? 
-			F6 E9 
-			88 [3] 
-			4? 
-			81 ?? 00 00 01 00 
-			7C  
-		}
+	$randomBuffer = {E8 [4] B1 ?? F6 E9 88 [3] 4? 81 ?? 00 00 01 00 7C}

 	/*
 		89 58 09              mov     [eax+9], ebx
@@ -41,19 +33,7 @@ rule WhiskeyAlfa
 		89 58 19              mov     [eax+19h], ebx
 		B8 01 00 00 00        mov     eax, 1
 	*/
-	$mbrDiskInfo = {
-			89 ?? 09 
-			C7 ?? 65 00 00 02 00 
-			C7 ?? 15 04 00 00 00 
-			C6 ?? 08 08 
-			C7 ?? 04 00 02 00 00 
-			89 ?? 
-			89 ?? 0D
-			C7 ?? 11 01 00 00 00 
-			89 ?? 69 
-			89 ?? 19 
-			B8 01 00 00 00 
-		}
+	$mbrDiskInfo = {89 ?? 09 C7 ?? 65 00 00 02 00 C7 ?? 15 04 00 00 00 C6 ?? 08 08 C7 ?? 04 00 02 00 00 89 ?? 89 ?? 0D C7 ?? 11 01 00 00 00 89 ?? 69 89 ?? 19 B8 01 00 00 00}
 		

 		// the replacement MBRs in both encoded (XOR 0x53) and decoded form