Update RomeoWhiskey.yara

795f782c · mmorenog · 64deb08a · 795f782c
Commit 795f782c authored Feb 25, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 24 deletions

RomeoWhiskey.yara malware/Operation_Blockbuster/RomeoWhiskey.yara +2 -24

No files found.
--- a/malware/Operation_Blockbuster/RomeoWhiskey.yara
+++ b/malware/Operation_Blockbuster/RomeoWhiskey.yara
@@ -30,19 +30,7 @@ rule RomeoWhiskey_Two
 		0B C8              or      ecx, eax
 	*/
-	$a = {
+	$a = {FF 15 [4] 66 8B C8 [3-4] 	66 81 F1 40 1C 	66 D1 E9 81 C1 E0 56 00 00 0F B7 C9 0F B7 C0 81 F1 30 32 00 00 	C1 E0 10 0B C8 }
-			FF 15 [4] 
-			66 8B C8 
-			[3-4] 
-			66 81 F1 40 1C 
-			66 D1 E9 
-			81 C1 E0 56 00 00 
-			0F B7 C9 
-			0F B7 C0 
-			81 F1 30 32 00 00 
-			C1 E0 10 
-			0B C8 
-		}
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -70,17 +58,7 @@ rule RomeoWhiskey_One
 		0B C8              or      ecx, eax
 	*/
-	$a = {
+	$a = {	FF 15 [4]  0F B7 C0 8B C8 [2-4] C1 E9 ?? 81 F1 [2] 00 00 [0-2] 	C1 E0 10 0B C8 	}
-			FF 15 [4]  
-			0F B7 C0
-			8B C8
-			[2-4] 
-			C1 E9 ?? 
-			81 F1 [2] 00 00 
-			[0-2] 
-			C1 E0 10 
-			0B C8 
-		}
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))