Skip to content

R
rules
Commit bba6b142 by mmorenog
Options

Update IndiaDelta.yara

parent 2551753b
Showing with 3 additions and 4 deletions
malware/Operation_Blockbuster/IndiaDelta.yara
...@@ -23,15 +23,15 @@ rule IndiaDelta ...@@ -23,15 +23,15 @@ rule IndiaDelta
FF 15 E0 2D 41 00 call SetFilePointer_0 FF 15 E0 2D 41 00 call SetFilePointer_0
*/ */
$a = { $a = {
FF 15 [4-12] FF 15 [4-12]
3? 78 56 34 12 3? 78 56 34 12
[0-2] [0-2]
8? ?? 78 56 34 12 8? ?? 78 56 34 12
[0-10] [0-10]
FF 15 FF 15
} }
condition: condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
} }
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment