Update SierraBravo.yara

b5c2bd95 · mmorenog · 795f782c · b5c2bd95
Commit b5c2bd95 authored Feb 25, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 8 deletions

SierraBravo.yara malware/Operation_Blockbuster/SierraBravo.yara +1 -8

No files found.
--- a/malware/Operation_Blockbuster/SierraBravo.yara
+++ b/malware/Operation_Blockbuster/SierraBravo.yara
@@ -83,14 +83,7 @@ rule SierraBravo_One
 			.text:00402A84                 mov     [esp+24Ch+timeout.tv_sec], 3
 			.text:00402A8C                 mov     [esp+24Ch+timeout.tv_usec], 0			
 		*/
-		$spreaderSetup = {68 7E 66 04 80 
-											5? 
-											E8 [4] 
-											6A 32 
-											89 B4 [5]
-											C7 84 [5] 01 00 00 00 
-											C7 44 [2] 03 00 00 00 
-											C7 44 [2] 00 00 00 00 }
+		$spreaderSetup = {68 7E 66 04 80 5? E8 [4] 6A 32 89 B4 [5] C7 84 [5] 01 00 00 00 C7 44 [2] 03 00 00 00 C7 44 [2] 00 00 00 00 }

 	condition:
 		$spreaderSetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))