import "pe" rule IndiaGolf { meta: copyright = "2015 Novetta Solutions" author = "Novetta Threat Research & Interdiction Group - trig@novetta.com" Source = "3dda69dfb254dcaea2ba6e8323d4b61ab1e130a0694f4c43d336cfb86a760c50" strings: /* FF D6 call esi ; rand 8B F8 mov edi, eax C1 E7 10 shl edi, 10h FF D6 call esi ; rand 03 F8 add edi, eax 89 7C 24 20 mov [esp+2A90h+var_2A70], edi FF D6 call esi ; rand 8B F8 mov edi, eax C1 E7 10 shl edi, 10h FF D6 call esi ; rand 03 F8 add edi, eax 89 7C 24 24 mov [esp+2A90h+var_2A6C], edi */ $generateRandomID = { FF ?? 8B ?? C1 ?? 10 FF ?? 03 F8 89 [3] FF ?? 8B ?? C1 ?? 10 FF ?? 03 ?? 89 } condition: $generateRandomID in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) }