86 lines
2.3 KiB
Text
86 lines
2.3 KiB
Text
|
// rules specific to the winsec malware families
|
||
|
import "pe"
|
||
|
|
||
|
rule RomeoWhiskey_Two
|
||
|
{
|
||
|
meta:
|
||
|
copyright = "2015 Novetta Solutions"
|
||
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
||
|
Source = "a8d88714f0bc643e76163d1b8972565e78a159292d45a8218d0ad0754c8f561d"
|
||
|
|
||
|
strings:
|
||
|
/*
|
||
|
FF 15 78 A2 00 10 call GetTickCount_9
|
||
|
66 8B C8 mov cx, ax
|
||
|
|
||
|
// the next op is a mov or a push/pop depending on the code version
|
||
|
53 push ebx
|
||
|
8F 45 F4 pop dword ptr [ebp-0Ch]
|
||
|
//or
|
||
|
89 5D F4 mov dword ptr [ebp+var_C], ebx
|
||
|
|
||
|
|
||
|
66 81 F1 40 1C xor cx, 1C40h
|
||
|
66 D1 E9 shr cx, 1
|
||
|
81 C1 E0 56 00 00 add ecx, 56E0h
|
||
|
0F B7 C9 movzx ecx, cx
|
||
|
0F B7 C0 movzx eax, ax
|
||
|
81 F1 30 32 00 00 xor ecx, 3230h
|
||
|
C1 E0 10 shl eax, 10h
|
||
|
0B C8 or ecx, eax
|
||
|
*/
|
||
|
|
||
|
$a = {
|
||
|
FF 15 [4]
|
||
|
66 8B C8
|
||
|
[3-4]
|
||
|
66 81 F1 40 1C
|
||
|
66 D1 E9
|
||
|
81 C1 E0 56 00 00
|
||
|
0F B7 C9
|
||
|
0F B7 C0
|
||
|
81 F1 30 32 00 00
|
||
|
C1 E0 10
|
||
|
0B C8
|
||
|
}
|
||
|
|
||
|
condition:
|
||
|
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
}
|
||
|
|
||
|
rule RomeoWhiskey_One
|
||
|
{
|
||
|
meta:
|
||
|
copyright = "2015 Novetta Solutions"
|
||
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
||
|
Source = "5d21e865d57e9798ac7c14a6ad09c4034d103f3ea993295dcdf8a208ea825ad7"
|
||
|
|
||
|
strings:
|
||
|
/*
|
||
|
FF 15 D8 5B 00 10 call GetTickCount_9
|
||
|
0F B7 C0 movzx eax, ax
|
||
|
8B C8 mov ecx, eax
|
||
|
// skipped: 6A 01 push 1 ; fDecode
|
||
|
C1 E9 34 shr ecx, 34h <--- this value could change
|
||
|
81 F1 C0 F3 00 00 xor ecx, 0F3C0h <--- this value could change
|
||
|
// skipped: 6A 04 push 4 ; dwLength
|
||
|
C1 E0 10 shl eax, 10h
|
||
|
0B C8 or ecx, eax
|
||
|
*/
|
||
|
|
||
|
$a = {
|
||
|
FF 15 [4]
|
||
|
0F B7 C0
|
||
|
8B C8
|
||
|
[2-4]
|
||
|
C1 E9 ??
|
||
|
81 F1 [2] 00 00
|
||
|
[0-2]
|
||
|
C1 E0 10
|
||
|
0B C8
|
||
|
}
|
||
|
|
||
|
condition:
|
||
|
$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
}
|