38 lines
1.1 KiB
Text
38 lines
1.1 KiB
Text
|
import "pe"
|
||
|
|
||
|
rule IndiaDelta
|
||
|
{
|
||
|
meta:
|
||
|
copyright = "2015 Novetta Solutions"
|
||
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
||
|
Source = "d7b50b1546653bff68220996190446bdc7fc4e38373715b8848d1fb44fe3f53c"
|
||
|
|
||
|
strings:
|
||
|
/*
|
||
|
FF 15 DC 2D 41 00 call ReadFile_0
|
||
|
8B 44 24 20 mov eax, [esp+25Ch+offsetInFile]
|
||
|
8B 54 24 1C mov edx, [esp+25Ch+dwEmbedCnt]
|
||
|
35 78 56 34 12 xor eax, 12345678h
|
||
|
55 push ebp
|
||
|
55 push ebp
|
||
|
81 F2 78 56 34 12 xor edx, 12345678h
|
||
|
50 push eax
|
||
|
57 push edi
|
||
|
89 54 24 2C mov [esp+26Ch+dwEmbedCnt], edx
|
||
|
89 44 24 30 mov [esp+26Ch+offsetInFile], eax
|
||
|
FF 15 E0 2D 41 00 call SetFilePointer_0
|
||
|
*/
|
||
|
|
||
|
$a = {
|
||
|
FF 15 [4-12]
|
||
|
3? 78 56 34 12
|
||
|
[0-2]
|
||
|
8? ?? 78 56 34 12
|
||
|
[0-10]
|
||
|
FF 15
|
||
|
}
|
||
|
|
||
|
condition:
|
||
|
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
}
|