Skip to content

R
rules
Commit e87594b3 by mmorenog
Options

Update RomeoGolf.yara

parent 1784eac1
Showing with 1 additions and 2 deletions
malware/Operation_Blockbuster/RomeoGolf.yara
...@@ -25,8 +25,7 @@ rule RomeoGolf ...@@ -25,8 +25,7 @@ rule RomeoGolf
01 46 08 add [esi+8], eax 01 46 08 add [esi+8], eax
*/ */
$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] } $idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] }
condition: condition:
$idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) $idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
} }
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment