Skip to content

R
rules
Commit b38affd8 by mmorenog
Options

Update WhiskeyBravo.yara

parent accd13fd
Showing with 2 additions and 26 deletions
malware/Operation_Blockbuster/WhiskeyBravo.yara
......@@ -38,30 +38,7 @@ rule WhiskeyBravo
FF D7 call edi ; _wcsnicmp
*/
$a = {
68 [4]
5?
(FF D? | E8 [4])
83 C4 (08 | 0C)
85 C0
0F 84 [4]
[0-2]
68 [4]
5?
(FF D? | E8 [4])
83 C4 (08 | 0C)
85 C0
0F 84 [4]
[0-2]
68 [4]
5?
(FF D? | E8 [4])
83 C4 (08 | 0C)
85 C0
0F 84
}
$a = {68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 [4] [0-2] 68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 [4] [0-2] 68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 }
$ext1 = ".wpd" wide nocase
$ext2 = ".doc" wide nocase
......@@ -69,4 +46,4 @@ rule WhiskeyBravo
condition:
2 of ($ext*) and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
\ No newline at end of file
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment