Update sharedcode.yara

malware/Operation_Blockbuster/sharedcode.yara

@@ -26,22 +26,7 @@ rule Caracachs: sharedcode
 		89 3E              mov     [esi], edi      ; pLastValue = (((val >> 16) & 0x7FFF) + lastValue) >> ((16 - ((val >> 16) & 0x7FFF) + lastValue) & 0xF) | (((val >> 16) & 0x7FFF) + lastValue) << ((((val >> 16) & 0x7FFF) + lastValue) & 0xF)
 	*/
 
-	$a = {
-			B? 10 00 00 00 
-			8B ?? 
-			C1 ?? 10 
-			81 ?? FF 7F 00 00 
-			03 ?? 
-			8B ?? 
-			8B ?? 
-			83 ?? 0F 
-			2B ?? 
-			D3 ?? 
-			8B ?? 
-			D3 ?? 
-			0B ?? 
-			89 ?? 
-		}
+	$a = {B? 10 00 00 00 8B ?? C1 ?? 10 81 ?? FF 7F 00 00 03 ?? 8B ?? 8B ?? 83 ?? 0F 2B ?? D3 ?? 8B ?? D3 ?? 0B ?? 	89 ?? 	}
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -69,18 +54,7 @@ rule StringDotSimplified: sharedcode
 		46        inc     esi
 	*/
 
-	$a = {
-			F3 AB 
-			80 ?? 00 
-			74 ?? 
-			8A 02 
-			3C 2E 
-			74 ?? 
-			3C 20 
-			74 ?? 
-			88 06 
-			46 
-		}
+	$a = {	F3 AB 	80 ?? 00 	74 ?? 	8A 02 	3C 2E 	74 ?? 	3C 20 	74 ?? 	88 06 	46 }
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -110,21 +84,7 @@ rule FakeTLS_ServerHelloGetSelectedCipher: sharedcode
 		53              push    ebx             ; hostshort
 	*/
 
-	$a = {
-			24 10 
-			0C 10 
-			89 ?? 
-			66 8? [3]
-			66 3? 00 C0 
-			73 ?? 
-			66 2? 35 00 
-			66 F7 ?? 
-			1B ?? 
-			2? 80 
-			0? 00 01 00 00 
-			8B ?? 
-			5? 
-		}
+	$a = {	24 10 	0C 10 	89 ?? 	66 8? [3] 66 3? 00 C0 73 ?? 66 2? 35 00 66 F7 ?? 1B ?? 	2? 80 0? 00 01 00 00 8B ?? 5? }
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -153,20 +113,7 @@ rule XORDecodeA7: sharedcode
 		3B F1     cmp     esi, ecx
 	*/
 
-	$a = {
-			8A [2] 
-			8B ??
-			34 A7 
-			46 
-			88 ?? 
-			83 ?? FF 
-			33 ?? 
-			4? 
-			F2 AE 
-			F7 ?? 
-			4? 
-			3B ?? 
-		}
+	$a = {	8A [2] 	8B ??	34 A7 	46 88 ?? 83 ?? FF 33 ?? 4? F2 AE F7 ?? 	4? 3B ?? }
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -205,29 +152,7 @@ rule DynamicAPILoading: sharedcode
 		E8 49 FF FF FF     call    CleanupString
 	*/
 
-	$a = {
-			83 C4 ?? 
-			5? 
-			5? 
-			FF 15 [4]
-			68 [4]
-			A3 [4]
-			E8 [4]
-			83 C4 ?? 
-			5? 
-			5? 
-			FF 15 [4]
-			68 [4]
-			A3 [4]
-			E8 [4]
-			83 C4 ?? 
-			5? 
-			5? 
-			FF 15 [4]
-			68 [4]
-			A3 [4]
-			E8
-		}
+	$a = {	83 C4 ?? 5? 5? 	FF 15 [4] 68 [4] A3 [4]	E8 [4]	83 C4 ?? 5? 5? 	FF 15 [4] 68 [4] A3 [4]	E8 [4] 83 C4 ?? 5?  5? 	FF 15 [4] 68 [4] A3 [4]	E8}
 
 
 	condition:
@@ -253,15 +178,7 @@ rule DNSCalcStyleEncodeAndDecode: sharedcode
 		75 F2     jnz     short loc_1000403C
 	*/
 
-	$a = {
-			8A ?? 
-			80 ?? ?? 
-			80 ?? ?? 
-			88 ?? 
-			4? 
-			4? 
-			75 ?? 
-		}
+	$a = {8A ?? 80 ?? ?? 80 ?? ?? 88 ?? 4? 4? 75 ?? }
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -283,13 +200,7 @@ rule GenerateTLSClientHelloPacket_Test: sharedcode
 		40              inc     eax
 	*/
 
-	$a = {
-			25 07 00 00 80 
-			79 ?? 
-			4? 
-			83 ?? F8 
-			4? 
-		}
+	$a = {25 07 00 00 80 79 ?? 4? 	83 ?? F8 4? }
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -313,15 +224,7 @@ rule RC4SboxKeyGen: sharedcode
 		42                 inc     edx
 	*/
 
-	$a = {
-			8A [3] 
-			8B ?? 
-			81 ?? 0F 00 00 80 
-			79 ?? 
-			4? 
-			83 ?? F0 
-			4? 
-		}
+	$a = {	8A [3] 	8B ?? 	81 ?? 0F 00 00 80 79 ?? 4? 83 ?? F0 4? 	}
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -368,37 +271,7 @@ rule RandomTimestampGenerator: sharedcode
 		F7 F9                 idiv    ecx
 	*/
 
-	$a = {
-			66 81 [3] FE FF 
-			FF [1-4] 
-			99 
-			B9 0C 00 00 00 
-			F7 [1-4] 
-			42 
-			66 89 [3]  
-			FF D6 
-			99 
-			B9 1C 00 00 00 
-			F7 [1-4] 
-			42 
-			66 89 [3] 
-			FF D6 
-			99 
-			B9 17 00 00 00 
-			F7 [1-4] 
-			42 
-			66 89 [3] 
-			FF D6 
-			99 
-			B9 3B 00 00 00 
-			F7 [1-4] 
-			42 
-			66 89 [3] 
-			FF D6 
-			99 
-			B9 3B 00 00 00 
-			F7 
-		}
+	$a = {	66 81 [3] FE FF FF [1-4] 99 B9 0C 00 00 00 F7 [1-4] 42 	66 89 [3]  FF D6 99 B9 1C 00 00 00 F7 [1-4] 42 	66 89 [3] FF D6 99 B9 17 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 B9 3B 00 00 00 F7 [1-4] 42 66 89 [3] FF D6 99 	B9 3B 00 00 00 	F7 }
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
@@ -432,25 +305,7 @@ rule CPUInfoExtraction
 		8B 51 04           mov     edx, [ecx+4]
 	*/
 
-	$a = {
-			68 00 00 00 80 
-			8B ?? 
-			8B ?? 04 
-			89 [3] 
-			8B ?? 08 
-			89 [3] 
-			8B ?? 0C 
-			8D [3] 
-			89 [5] 
-			5? 
-			8B ?? 
-			89 [5]
-			E8 [4]
-			8B ?? 
-			8B ?? 
-			3D 00 00 00 80 
-			8B ?? 04 
-		}
+	$a = {68 00 00 00 80 8B ?? 8B ?? 04 89 [3] 8B ?? 08 89 [3] 8B ?? 0C 8D [3] 89 [5] 5? 8B ?? 89 [5] E8 [4] 8B ?? 8B ?? 	3D 00 00 00 80 8B ?? 04 }
 
 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))