Update RomeoCharlie.yara

334e114a · mmorenog · c411c30e · 334e114a
Commit 334e114a authored Feb 25, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 32 deletions

RomeoCharlie.yara malware/Operation_Blockbuster/RomeoCharlie.yara +2 -32

No files found.
--- a/malware/Operation_Blockbuster/RomeoCharlie.yara
+++ b/malware/Operation_Blockbuster/RomeoCharlie.yara
@@ -32,26 +32,7 @@ rule RomeoCharlie
 		C1 E7 10           shl     edi, 10h
 	*/

-	$startupRelayThreads = {
-			81 ?? FF FF 00 00 
-			8B ?? 
-			5? 
-			C1 ?? 10 
-			81 ?? FF FF 00 00 
-			8B ?? 
-			8B ?? 
-			81 ?? FF FF 00 00 
-			C1 ?? 10 
-			6A 00 
-			0B ?? 
-			6A 00 
-			50 
-			68 [4] 
-			6A 00 
-			6A 00 
-			FF 15 [4] 
-			C1 ?? 10 
-		}
+	$startupRelayThreads = {81 ?? FF FF 00 00 8B ?? 5? C1 ?? 10 81 ?? FF FF 00 00 8B ?? 8B ?? 81 ?? FF FF 00 00 C1 ?? 10 6A 00 0B ?? 6A 00 	50 68 [4] 6A 00 6A 00 FF 15 [4] C1 ?? 10 }

 	/*
 	source: 641808833ad34f2e5143001c8147d779dbfd2a80a80ce0cfc81474d422882adb
@@ -67,18 +48,7 @@ rule RomeoCharlie
 		83 F9 01           cmp     ecx, 1
 	*/

-	$crypto = {
-			2? 00 20 00 00 
-			3? 00 20 00 00 
-			0F [2] 
-			81 ?? 80 00 00 00 
-			33 ?? 
-			80 ?? 80 
-			0F [2] 
-			03 ?? 
-			33 ?? 
-			83 ?? 01 
-		}
+	$crypto = {2? 00 20 00 00 3? 00 20 00 00 0F [2] 81 ?? 80 00 00 00 33 ?? 80 ?? 80 0F [2] 03 ?? 33 ?? 83 ?? 01 }

 	condition:
 		all of ($auth*)