Skip to content

R
rules
Commit d379f5cf by mmorenog
Options

Update UniformAlfa.yara

parent 8901cefa
Showing with 1 additions and 11 deletions
malware/Operation_Blockbuster/UniformAlfa.yara
...@@ -20,17 +20,7 @@ rule UniformAlfa ...@@ -20,17 +20,7 @@ rule UniformAlfa
FF 15 08 70 40 00 call ds:DeleteService FF 15 08 70 40 00 call ds:DeleteService
*/ */
$stopDeleteService = { $stopDeleteService = {8D [3] 5? 6A 01 5? FF D? 83 [3] 01 75 ?? 5? FF 15}
8D [3]
5?
6A 01
5?
FF D?
83 [3] 01
75 ??
5?
FF 15
}
condition: condition:
$stopDeleteService in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) $stopDeleteService in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment