Skip to content

R
rules
Commit 721ad18a by mmorenog
Options

Update IndiaWhiskey.yara

parent 0e0ae573
Showing with 1 additions and 20 deletions
malware/Operation_Blockbuster/IndiaWhiskey.yara
...@@ -39,26 +39,7 @@ rule IndiaWhiskey ...@@ -39,26 +39,7 @@ rule IndiaWhiskey
FF 15 E4 49 40 00 call CreateServiceA FF 15 E4 49 40 00 call CreateServiceA
*/ */
$a = { $a = {FF 15 [4] 83 C4 18 8D [5] 5? 5? 5? 5? 5? 5? 6A 01 [0-2] 6A 02 68 20 01 00 00 68 FF 01 0F 00 FF 75 ?? FF 75 ?? (5? | FF 75 ??) FF 15}
FF 15 [4]
83 C4 18
8D [5]
5?
5?
5?
5?
5?
5?
6A 01
[0-2]
6A 02
68 20 01 00 00
68 FF 01 0F 00
FF 75 ??
FF 75 ??
(5? | FF 75 ??)
FF 15
}
condition: condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment