Sneed-Reactivity/yara-mikesxrs/Novetta/IndiaGolf.yara

43 lines
1 KiB
Text
Raw Normal View History

import "pe"
rule IndiaGolf
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "3dda69dfb254dcaea2ba6e8323d4b61ab1e130a0694f4c43d336cfb86a760c50"
strings:
/*
FF D6 call esi ; rand
8B F8 mov edi, eax
C1 E7 10 shl edi, 10h
FF D6 call esi ; rand
03 F8 add edi, eax
89 7C 24 20 mov [esp+2A90h+var_2A70], edi
FF D6 call esi ; rand
8B F8 mov edi, eax
C1 E7 10 shl edi, 10h
FF D6 call esi ; rand
03 F8 add edi, eax
89 7C 24 24 mov [esp+2A90h+var_2A6C], edi
*/
$generateRandomID = {
FF ??
8B ??
C1 ?? 10
FF ??
03 F8
89 [3]
FF ??
8B ??
C1 ?? 10
FF ??
03 ??
89
}
condition:
$generateRandomID in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}