import "pe"
// WhiskeyBravo: flags a PE whose ".text" section contains the repeated
// file-extension comparison sequence ($a) shown in the listing below and
// which also carries at least two of three wide-string document extensions
// ($ext1..$ext3). Relies on the "pe" module imported at the top of the file.
rule WhiskeyBravo
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        // Sample hashes the pattern was derived from; the disassembly notes
        // below refer to two of them as the "41bad.." and "d07..." variants.
        Source = "74eac0461c40316689ac2d598f606caa3965195b22f23d5acefeedfcdf056c5b"
        Source = "41badf10ef6f469dd1c3be201aba809f9c42f86ad77d7f83bc3895bfa289c635"
        Source = "d079a266ed2a852c33cdac3df115d163ebbf2c8dae32d935e895cf8193163b13"

    strings:
        /*
        Reference disassembly (one sample) from which $a was built. Each block
        compares the target string against one extension and branches on the
        result; the analyst notes mark where other samples diverge.

        6A 04               push 4            ; MaxCount <--- this arg is not found in some variants (41bad..) as wcscmp is used instead
        68 08 82 00 10      push offset Str2  ; ".doc"
        56                  push esi          ; Str1
        FF D7               call edi          ; _wcsnicmp <--- d07... variant uses a direct call instead
        83 C4 0C            add esp, 0Ch      <--- when wcscmp is used, this is add esp, 8
        85 C0               test eax, eax
        0F 84 5B 02 00 00   jz loc_100017D5
        6A 05               push 5            ; MaxCount
        68 FC 81 00 10      push offset a_docx ; ".docx"
        56                  push esi          ; Str1
        FF D7               call edi          ; _wcsnicmp
        83 C4 0C            add esp, 0Ch
        85 C0               test eax, eax
        0F 84 46 02 00 00   jz loc_100017D5
        6A 04               push 4            ; MaxCount
        68 F0 81 00 10      push offset a_docm ; ".docm"
        56                  push esi          ; Str1
        FF D7               call edi          ; _wcsnicmp
        83 C4 0C            add esp, 0Ch
        85 C0               test eax, eax
        0F 84 31 02 00 00   jz loc_100017D5
        6A 04               push 4            ; MaxCount
        68 E4 81 00 10      push offset a_wpd ; ".wpd"
        56                  push esi          ; Str1
        FF D7               call edi          ; _wcsnicmp
        */

        // $a is three back-to-back copies of the compare block above:
        //   push offset <str> (68 imm32) / push reg (5?) / call reg (FF D?) /
        //   add esp, 0Ch (83 C4 0C) / test eax, eax (85 C0) / jz rel32 (0F 84 imm32).
        // The leading "push imm8" (6A xx, 2 bytes) is left out of each block; the
        // [0-2] jump between blocks tolerates it being present or absent.
        // NOTE(review): "83 C4 0C" and "FF D?" are fixed bytes, so the variants the
        // notes describe with "add esp, 8" (wcscmp) or a direct call appear not to
        // be matched by $a, and since $a is mandatory in the condition the rule
        // would not fire on those samples — confirm against the listed hashes.
        $a = {68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 [4] [0-2] 68 [4] 5? FF D? 83 C4 0C 85 C0 0F 84 }

        // UTF-16LE, case-insensitive extension strings. ".doc" is a substring of
        // ".docx" and ".docm", so $ext2 covers all three of those.
        $ext1 = ".wpd" wide nocase
        $ext2 = ".doc" wide nocase
        $ext3 = ".hwp" wide nocase

    condition:
        // Any two of the three extensions, plus $a located within the raw-data
        // byte range of the ".text" section. If there is no ".text" section (or
        // the file is not a PE), pe.section_index() is undefined, which makes the
        // range expression undefined and the whole condition false — no explicit
        // pe.is_pe guard is needed.
        2 of ($ext*) and $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}