import "pe"
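rule IndiaGolf
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "3dda69dfb254dcaea2ba6e8323d4b61ab1e130a0694f4c43d336cfb86a760c50"

    strings:
        /*
        Reference disassembly from the sample named in meta.Source: two
        32-bit values are each built from a pair of rand() results
        (high half shifted left by 16, low half added) and stored into
        adjacent stack slots.

        FF D6           call esi ; rand
        8B F8           mov edi, eax
        C1 E7 10        shl edi, 10h
        FF D6           call esi ; rand
        03 F8           add edi, eax
        89 7C 24 20     mov [esp+2A90h+var_2A70], edi
        FF D6           call esi ; rand
        8B F8           mov edi, eax
        C1 E7 10        shl edi, 10h
        FF D6           call esi ; rand
        03 F8           add edi, eax
        89 7C 24 24     mov [esp+2A90h+var_2A6C], edi
        */

        // The wildcards replace the ModR/M bytes so that builds with a
        // different register allocation still match; opcode bytes and the
        // 0x10 shift count are fixed. `89 [3]` covers the 4-byte
        // `mov [esp+disp8], edi` form shown above.
        $generateRandomID = {
            FF ??           // call <reg>        ; rand
            8B ??           // mov  <reg>, eax
            C1 ?? 10        // shl  <reg>, 10h
            FF ??           // call <reg>        ; rand
            03 F8           // add  edi, eax
            89 [3]          // mov  [esp+disp8], edi
            FF ??
            8B ??
            C1 ?? 10
            FF ??
            03 ??
            89
        }

    condition:
        // Restrict the match to the raw bytes of the ".text" section so the
        // loose pattern cannot fire on data or resource sections. If the
        // file has no ".text" section, pe.section_index() is undefined and
        // the whole condition evaluates to false (no match).
        //
        // YARA's `in (lower..upper)` range is inclusive, so the upper bound
        // is the section's last byte (offset + size - 1), not one past it;
        // the original `offset + size` bound admitted a match starting on
        // the first byte after the section.
        $generateRandomID in (
            pe.sections[pe.section_index(".text")].raw_data_offset ..
            pe.sections[pe.section_index(".text")].raw_data_offset +
            pe.sections[pe.section_index(".text")].raw_data_size - 1
        )
}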