87 lines
2.3 KiB
Text
87 lines
2.3 KiB
Text
|
import "pe"
|
||
|
|
||
|
rule RomeoCharlie
|
||
|
{
|
||
|
meta:
|
||
|
copyright = "2015 Novetta Solutions"
|
||
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
||
|
Source = "a82108ef7115931b3fbe1fab99448c4139e22feda27c1b1d29325710671154e8"
|
||
|
|
||
|
strings:
|
||
|
$auth1 = "Success - Accept Auth"
|
||
|
$auth2 = "Fail - Accept Auth"
|
||
|
|
||
|
/*
|
||
|
81 E3 FF FF 00 00 and ebx, 0FFFFh
|
||
|
8B EB mov ebp, ebx
|
||
|
57 push edi
|
||
|
C1 EE 10 shr esi, 10h
|
||
|
81 E5 FF FF 00 00 and ebp, 0FFFFh
|
||
|
8B FE mov edi, esi
|
||
|
8B C5 mov eax, ebp
|
||
|
81 E7 FF FF 00 00 and edi, 0FFFFh
|
||
|
C1 E0 10 shl eax, 10h
|
||
|
6A 00 push 0 ; _DWORD
|
||
|
0B C7 or eax, edi
|
||
|
6A 00 push 0 ; _DWORD
|
||
|
50 push eax ; _DWORD
|
||
|
68 10 14 11 71 push offset sub_71111410; _DWORD
|
||
|
6A 00 push 0 ; _DWORD
|
||
|
6A 00 push 0 ; _DWORD
|
||
|
FF 15 5C 8E 12 71 call CreateThread_0
|
||
|
C1 E7 10 shl edi, 10h
|
||
|
*/
|
||
|
|
||
|
$startupRelayThreads = {
|
||
|
81 ?? FF FF 00 00
|
||
|
8B ??
|
||
|
5?
|
||
|
C1 ?? 10
|
||
|
81 ?? FF FF 00 00
|
||
|
8B ??
|
||
|
8B ??
|
||
|
81 ?? FF FF 00 00
|
||
|
C1 ?? 10
|
||
|
6A 00
|
||
|
0B ??
|
||
|
6A 00
|
||
|
50
|
||
|
68 [4]
|
||
|
6A 00
|
||
|
6A 00
|
||
|
FF 15 [4]
|
||
|
C1 ?? 10
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
source: 641808833ad34f2e5143001c8147d779dbfd2a80a80ce0cfc81474d422882adb
|
||
|
25 00 20 00 00 and eax, 2000h
|
||
|
3D 00 20 00 00 cmp eax, 2000h
|
||
|
0F 94 C1 setz cl
|
||
|
81 E2 80 00 00 00 and edx, 80h
|
||
|
33 C0 xor eax, eax
|
||
|
80 FA 80 cmp dl, 80h
|
||
|
0F 94 C0 setz al
|
||
|
03 C8 add ecx, eax
|
||
|
33 D2 xor edx, edx
|
||
|
83 F9 01 cmp ecx, 1
|
||
|
*/
|
||
|
|
||
|
$crypto = {
|
||
|
2? 00 20 00 00
|
||
|
3? 00 20 00 00
|
||
|
0F [2]
|
||
|
81 ?? 80 00 00 00
|
||
|
33 ??
|
||
|
80 ?? 80
|
||
|
0F [2]
|
||
|
03 ??
|
||
|
33 ??
|
||
|
83 ?? 01
|
||
|
}
|
||
|
|
||
|
condition:
|
||
|
all of ($auth*)
|
||
|
or $startupRelayThreads in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
or $crypto in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
}
|