
import "pe"
// Novetta "HotelAlfa" sample signature.
// Two indicators must both be present: the resource name "RSRC_HTML" anywhere
// in the file, and the single-byte XOR decode loop below, which must sit inside
// the raw bytes of the .text section (see condition).
rule HotelAlfa
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
// 40-hex-digit identifier of the reference sample (presumably its SHA-1;
// cannot be verified from here). Key casing differs from the other meta
// fields; left unchanged because downstream tooling may key on "Source".
Source = "58dab205ecb1e0972027eb92f68cec6d208e5ab5.ex_"
strings:
// Name of the resource the decoder operates on. No `wide` modifier, so only
// the ASCII encoding is matched; a UTF-16 copy of the name would not.
// NOTE(review): confirm against variants before adding `wide`.
$resourceHTML = "RSRC_HTML"
/*
8A 0C 18 mov cl, [eax+ebx]
80 F1 63 xor cl, 63h
88 0C 18 mov [eax+ebx], cl
8B 4D 00 mov ecx, [ebp+0]
40 inc eax
3B C1 cmp eax, ecx
72 EF jb short loc_4010B4
*/
// Byte-wise decode loop taken from the disassembly above:
//   8A [2]    mov cl, [base+index]   (ModRM/SIB wildcarded)
//   80 F1 ??  xor cl, imm8           (key wildcarded; 63h in the reference sample)
//   88 [2]    mov [base+index], cl
//   8B [2]    mov ecx, [mem]         (loop bound reloaded each iteration)
//   40        inc eax
//   3B ??     cmp eax, ecx
//   72 EF     jb -0x11               (back to the first mov)
// The backward displacement EF (-17) is deliberately fixed: every wildcard
// above preserves its operand length, so the loop body is always exactly
// 17 bytes (3+3+3+3+1+2+2). A different displacement would mean a different
// code shape, not merely a different XOR key.
$rscsDecoderLoop = {
8A [2]
80 F1 ??
88 [2]
8B [2]
40
3B ??
72 EF
}
condition:
// Require the resource name, and the decode loop within the raw data of the
// .text section only (raw_data_offset .. raw_data_offset + raw_data_size), so
// the short 17-byte pattern cannot fire from data, resources or overlay.
// Caveat: the section is found by name. If .text is renamed, absent or has a
// zero raw size (e.g. packed samples), section_index / the range produce no
// value and the rule does not fire -- expected to evaluate to false rather
// than error, but confirm on the YARA version in use.
$resourceHTML and $rscsDecoderLoop in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}