Sneed-Reactivity/yara-mikesxrs/Novetta/IndiaDelta.yara

38 lines
1.1 KiB
Text
Raw Normal View History

import "pe"
rule IndiaDelta
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "d7b50b1546653bff68220996190446bdc7fc4e38373715b8848d1fb44fe3f53c"
strings:
/*
FF 15 DC 2D 41 00 call ReadFile_0
8B 44 24 20 mov eax, [esp+25Ch+offsetInFile]
8B 54 24 1C mov edx, [esp+25Ch+dwEmbedCnt]
35 78 56 34 12 xor eax, 12345678h
55 push ebp
55 push ebp
81 F2 78 56 34 12 xor edx, 12345678h
50 push eax
57 push edi
89 54 24 2C mov [esp+26Ch+dwEmbedCnt], edx
89 44 24 30 mov [esp+26Ch+offsetInFile], eax
FF 15 E0 2D 41 00 call SetFilePointer_0
*/
$a = {
FF 15 [4-12]
3? 78 56 34 12
[0-2]
8? ?? 78 56 34 12
[0-10]
FF 15
}
condition:
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}