
import "pe"
rule LimaCharlie
{
    // Detects the LimaCharlie implant family by one of two code-level byte
    // patterns (x86 or x64 build) located inside the PE's raw .text section,
    // or by a misspelled status string the implant carries.
    meta:
        copyright  = "2015 Novetta Solutions"
        author     = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        // Reference samples (SHA-256) the two code patterns were lifted from.
        Source_x86 = "6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7"
        Source_x64 = "90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8"

    strings:
        // UTF-16 format string with the developer's typo ("Defualt"); not
        // constrained to any section, so it matches anywhere in the file.
        $misspelling = "Defualt Sleep = %d" wide

        // x86 build. Source listing:
        //   FF 76 74             push dword ptr [esi+74h]
        //   59                   pop ecx
        //   50                   push eax
        //   8F 86 48 01 00 00    pop dword ptr [esi+148h]
        //   85 C0                test eax, eax
        //   51                   push ecx
        //   8F 86 44 01 00 00    pop dword ptr [esi+144h]
        //   75 3D                jnz short loc_100035F3
        //   F6 46 56 01          test byte ptr [esi+56h], 1
        //   74 0A                jz short loc_100035C6
        // ModR/M bytes, the single-byte push/pop register encodings (5?) and
        // the jnz displacement are wildcarded so register allocation and
        // branch distance may vary between builds.
        $x86 = { FF ?? 74  5?  5?  8F ?? 48 01 00 00  85 C0  5?  8F ?? 44 01 00 00  75 ??  F6 [2] 01  74 }

        // x64 build. Source listing:
        //   48 8B 4B 70              mov rcx, [rbx+70h]
        //   48 89 8B 60 01 00 00     mov [rbx+160h], rcx
        //   48 89 83 68 01 00 00     mov [rbx+168h], rax
        //   48 85 C0                 test rax, rax
        //   75 35                    jnz short loc_180002372
        //   F6 43 56 01              test byte ptr [rbx+56h], 1
        //   74 07                    jz short loc_18000234A
        // Opcode+ModR/M pairs after each REX.W prefix are wildcarded with [2].
        $x64 = { 48 [2] 70  48 [2] 60 01 00 00  48 [2] 68 01 00 00  48 85 C0  75 ??  F6 [2] 01  74 }

    condition:
        // Either code pattern must fall within the raw file range of the
        // .text section (pe.section_index is undefined when no such section
        // exists, which makes the range test evaluate to false), or the
        // misspelled string is present anywhere.
        for any of ($x86, $x64) : (
            $ in (
                (pe.sections[pe.section_index(".text")].raw_data_offset)
                ..
                (pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)
            )
        )
        or $misspelling
}