Update LimaCharlie.yara

3a706786 · mmorenog · d379f5cf · 3a706786
Commit 3a706786 authored Feb 25, 2016 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 21 deletions

LimaCharlie.yara malware/Operation_Blockbuster/LimaCharlie.yara +2 -21

No files found.
--- a/malware/Operation_Blockbuster/LimaCharlie.yara
+++ b/malware/Operation_Blockbuster/LimaCharlie.yara
@@ -24,18 +24,7 @@ rule LimaCharlie
 		74 0A              jz      short loc_100035C6
 	*/

-	$x86 = {
-			FF ?? 74 
-			5? 
-			5? 
-			8F ?? 48 01 00 00 
-			85 C0 
-			5? 
-			8F ?? 44 01 00 00 
-			75 ?? 
-			F6 [2] 01 
-			74 
-		}
+	$x86 = {FF ?? 74 5? 5? 8F ?? 48 01 00 00 85 C0 5? 8F ?? 44 01 00 00 75 ?? F6 [2] 01 74}

 	/*
 		48 8B 4B 70           mov     rcx, [rbx+70h]
@@ -47,15 +36,7 @@ rule LimaCharlie
 		74 07                 jz      short loc_18000234A
 	*/

-	$x64 = {
-			48 [2] 70 
-			48 [2] 60 01 00 00 
-			48 [2] 68 01 00 00 
-			48 85 C0 
-			75 ?? 
-			F6 [2] 01 
-			74 
-		}
+	$x64 = {48 [2] 70 48 [2] 60 01 00 00 48 [2] 68 01 00 00 48 85 C0 75 ?? F6 [2] 01 74}
 		
 	condition:
 		$x86 in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))