import "pe"
// Detects a short x86 instruction sequence located inside the .text section
// of a PE file.  The Status meta below records that the authors themselves
// consider the signature too loose to be useful; treat any hit as
// low-confidence and corroborate it with other indicators before acting on it.
rule LimaAlfa
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "c9fbad7fc7ff7688776056be3a41714a1f91458a7b16c37c3c906d17daac2c8b"
        Status = "Signature is too loose to be useful."

    strings:
        /*
        Reference disassembly the hex pattern $a was derived from.  The masks
        in $a hide the operand bytes (register encodings, the memory
        displacement of the stack load, the jnz displacement), so register
        allocation, stack layout and code placement do not affect the match.

        NOTE(review): the constants (mask 0xFFFFF000 / compare 0x3000, then
        mask 0xFFF and add the result to a base register) look like generic
        PE base-relocation processing -- confirm.  If so, that would explain
        the Status meta: any loader or unpacking stub that applies relocations
        would contain an equivalent sequence.

        33 C0 xor eax, eax
        66 8B 02 mov ax, [edx]
        8B E8 mov ebp, eax
        81 E5 00 F0 FF FF and ebp, 0FFFFF000h
        81 FD 00 30 00 00 cmp ebp, 3000h
        75 0D jnz short loc_4019FB
        8B 6C 24 18 mov ebp, [esp+10h+arg_4]
        25 FF 0F 00 00 and eax, 0FFFh
        03 C7 add eax, edi
        01 28 add [eax], ebp
        */

        // Byte pattern: "??" masks exactly one byte, "[n]" skips exactly n
        // bytes.  Only the opcode bytes and the immediate constants are kept;
        // the trailing "01" retains just the opcode of "add [eax], ebp".
        $a = {
            33 C0
            66 [2]
            8B ??
            81 ?? 00 F0 FF FF
            81 ?? 00 30 00 00
            75 ??
            8B [3]
            25 FF 0F 00 00
            03 C7
            01
        }

    condition:
        // Restrict the match to the raw file range of the section named
        // ".text".  pe.section_index(".text") is undefined when no section
        // carries that name (non-PE input, or a sample whose sections were
        // renamed), and the undefined value makes the whole condition false --
        // so coverage depends on the section name being intact, not only on
        // the byte sequence being present.
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}