Update RomeoHotel.yara

514687d3 · mmorenog · 10746121 · 514687d3
Commit 514687d3 authored Feb 25, 2016 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 8 deletions

RomeoHotel.yara malware/Operation_Blockbuster/RomeoHotel.yara +4 -8

No files found.
--- a/malware/Operation_Blockbuster/RomeoHotel.yara
+++ b/malware/Operation_Blockbuster/RomeoHotel.yara
@@ -25,8 +25,7 @@ rule RomeoHotel
 		41 83 C4 3C     add     r12d, 3Ch
 	*/
-	$randBuff64 = {
+	$randBuff64 = {	E8 [4]
-			E8 [4]
 			44 [2]
 			44 [2] 
 			B? 1F 85 EB 51 
@@ -38,8 +37,7 @@ rule RomeoHotel
 			03 ?? 
 			6B ?? 64 
 			44 [2] 
-			41 [2] 3C 
+			41 [2] 3C}
-		}
 	/*
 		FF 15 40 70 01 10     call    ds:GetDiskFreeSpaceExA
@@ -54,8 +52,7 @@ rule RomeoHotel
 		E8 4C 7C 00 00        call    __allmul
 	*/
-	$diskSpace = {
+	$diskSpace = { FF 15 [4]
-			FF 15 [4]
 			85 C0 
 			74 ??
 			8B [6]
@@ -64,8 +61,7 @@ rule RomeoHotel
 			68 00 00 10 00 
 			5? 
 			5? 
-			E8
+			E8}
-		}
 	$winst = "winsta0\\default" wide		// this limits the overlap with RomeoGolf