Update RomeoAlfa.yara

c411c30e · mmorenog · 721ad18a · c411c30e
Commit c411c30e authored Feb 25, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 24 deletions

RomeoAlfa.yara malware/Operation_Blockbuster/RomeoAlfa.yara +2 -24

No files found.
--- a/malware/Operation_Blockbuster/RomeoAlfa.yara
+++ b/malware/Operation_Blockbuster/RomeoAlfa.yara
@@ -18,15 +18,7 @@ rule RomeoAlfa
 		7C E7              jl      short loc_4039DA
 	*/

-	$zeroIPLoader = {
-			68 [4] 
-			56 
-			E8 [4] 
-			83 C6 28 
-			83 C4 08 
-			81 FE [4] 
-			7C E? 
-		}
+	$zeroIPLoader = {68 [4] 56 E8 [4] 83 C6 28 83 C4 08 81 FE [4] 7C E?}
 		


@@ -43,21 +35,7 @@ rule RomeoAlfa
 		// pop     edi                              
 		// pop     esi                              
 		// retn                                     
-		$sleeper  = {
-				5? 
-				8B [3]                       
-				85 ??                        
-				7E ??                        
-				5? 
-				8B 3D [4]                    
-				68 [4]               
-				FF ??                        
-				4? 
-				75 ??                        
-				5? 
-				5? 
-				C3                           
-			}
+		$sleeper  = {5? 8B [3] 85 ?? 7E ?? 5? 8B 3D [4]  68 [4] FF ??  4? 75 ??	5? 5? C3 }
 			
 		$xercesc = "xercesc"