44 lines
1.1 KiB
Text
44 lines
1.1 KiB
Text
|
import "pe"
|
||
|
|
||
|
rule TangoBravo
|
||
|
{
|
||
|
meta:
|
||
|
copyright = "2015 Novetta Solutions"
|
||
|
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
|
||
|
Source = "2aa9cd3a2db2bd9dbe5ee36d9a5fc42b50beca806f9d644f387d5a680a580896"
|
||
|
|
||
|
strings:
|
||
|
/*
|
||
|
50 push eax ; SubStr
|
||
|
55 push ebp ; Str
|
||
|
FF D3 call ebx ; strstr
|
||
|
83 C4 08 add esp, 8
|
||
|
85 C0 test eax, eax
|
||
|
75 1A jnz short loc_401131
|
||
|
8A 8E 08 01 00 00 mov cl, [esi+108h]
|
||
|
81 C6 08 01 00 00 add esi, 108h
|
||
|
47 inc edi
|
||
|
8B C6 mov eax, esi
|
||
|
84 C9 test cl, cl
|
||
|
75 E2 jnz short loc_40110C
|
||
|
*/
|
||
|
|
||
|
$targetDomainCheck = {
|
||
|
5?
|
||
|
5?
|
||
|
FF ??
|
||
|
83 C4 08
|
||
|
85 C0
|
||
|
75 ??
|
||
|
8? ?? 08 01 00 00
|
||
|
8? ?? 08 01 00 00
|
||
|
4?
|
||
|
8B ??
|
||
|
84 ??
|
||
|
75
|
||
|
}
|
||
|
|
||
|
condition:
|
||
|
$targetDomainCheck in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
|
||
|
}
|