Update WhiskeyBravo.yara

fb343d57 · mmorenog · 74aaa299 · fb343d57
Commit fb343d57 authored Feb 25, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletions

WhiskeyBravo.yara malware/Operation_Blockbuster/WhiskeyBravo.yara +4 -1

No files found.
--- a/malware/Operation_Blockbuster/WhiskeyBravo.yara
+++ b/malware/Operation_Blockbuster/WhiskeyBravo.yara
+/*
+
 import "pe"

 rule WhiskeyBravo
@@ -38,7 +40,7 @@ rule WhiskeyBravo
 		FF D7              call    edi ; _wcsnicmp
 	*/

-	$a = {68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 [4] [0-2] 68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84[4] [0-2] 68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 }
+	$a = {68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 [4] [0-2] 68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 [4] [0-2] 68 [4] 5? (FF D? | E8 [4]) 83 C4 (08 | 0C) 85 C0 0F 84 }

 	$ext1 = ".wpd" wide nocase
 	$ext2 = ".doc" wide nocase
@@ -47,3 +49,4 @@ rule WhiskeyBravo
 	condition:
 		2 of ($ext*) and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
 }
+*/