Update RomeoBravo.yara

f87b4264 · mmorenog · f8cc4e9a · f87b4264
Commit f87b4264 authored Feb 25, 2016 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 1 additions and 21 deletions

RomeoBravo.yara malware/Operation_Blockbuster/RomeoBravo.yara +1 -21

No files found.
--- a/malware/Operation_Blockbuster/RomeoBravo.yara
+++ b/malware/Operation_Blockbuster/RomeoBravo.yara
@@ -30,27 +30,7 @@ rule RomeoBravo
 		B8 02 00 00 00  mov     eax, 2
 	*/

-	$a = {
-			E8 [4] 
-			83 C4 10 
-			85 C0 
-			74 ?? 
-			B? 02 00 00 00 
-			5? 
-			83 C4 18 
-			C3 
-			6A 78 
-			6A 01 
-			8D [3]
-			6A 0C 
-			5? 
-			5? 
-			E8 [4]
-			83 C4 14 
-			85 C0 
-			74 ?? 
-			B8 02 00 00 00 
-		}
+	$a = {E8 [4] 83 C4 10 85 C0 74 ?? B? 02 00 00 00 5? 83 C4 18 C3 6A 78 6A 01 8D [3] 6A 0C 5? 5? E8 [4] 83 C4 14 85 C0 74 ?? B8 02 00 00 00}

 	condition:
 		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))