Sneed-Reactivity/yara-mikesxrs/Novetta/IndiaEcho.yara
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00


import "pe"

rule IndiaEcho
{
    meta:
        copyright = "2015 Novetta Solutions"
        author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
        Source = "66a21f8c72bb4f314604526e9bf1736f75b06cf37dd3077eb292941b476c3235"

    strings:
        /*
        69 C0 28 01 00 00    imul    eax, 128h
        50                   push    eax                      ; size_t
        53                   push    ebx                      ; int
        FF B5 AC FD FF FF    push    [ebp+configRecords]      ; void *
        E8 6E 08 00 00       call    _memset
        8B 85 A4 FC FF FF    mov     eax, [ebp+var_35C.dwRecordCnt]
        69 C0 28 01 00 00    imul    eax, 128h
        50                   push    eax                      ; size_t
        8B 85 C4 FE FF FF    mov     eax, [ebp+hMem]
        05 08 01 00 00       add     eax, 108h
        50                   push    eax                      ; void *
        FF B5 AC FD FF FF    push    [ebp+configRecords]      ; void *
        E8 0A 05 00 00       call    _memcpy
        83 C4 18             add     esp, 18h
        8B BD A4 FC FF FF    mov     edi, [ebp+var_35C.dwRecordCnt]
        69 FF 28 01 00 00    imul    edi, 128h
        81 C7 08 01 00 00    add     edi, 108h
        */
        $a = {
            69 ?? 28 01 00 00
            5?
            5?
            FF B5 [4]
            E8 [4]
            8B [5]
            69 ?? 28 01 00 00
            50
            8B [5]
            (05 08 01 00 00 | 03 ??)
            50
            FF [5]
            E8 [4]
            83 C4 ??
            8B [5]
            69 ?? 28 01 00 00
            (81 C7 08 01 00 00 | 03 ??)
        }

    condition:
        $a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}
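An added self-check, not part of the Novetta rule or this repository: it re-implements the subset of YARA hex-string syntax this rule uses (nibble wildcards `5?`/`??`, fixed jumps `[n]`, alternatives `( a | b )`) as a bytes regex, then confirms that `$a` matches the opcode bytes listed in the rule's own disassembly comment and still matches when the `03 ??` register-form `add` alternative is used instead of the `add r32, imm32` encoding. It assumes nothing beyond the Python standard library; `hex_to_regex` and `find_match` are names chosen here, not yara-python APIs.

```python
import re

# $a from the IndiaEcho rule, copied verbatim (whitespace joined).
INDIAECHO_HEX = """
69 ?? 28 01 00 00 5? 5? FF B5 [4] E8 [4] 8B [5] 69 ?? 28 01 00 00 50 8B [5]
(05 08 01 00 00 | 03 ??) 50 FF [5] E8 [4] 83 C4 ?? 8B [5] 69 ?? 28 01 00 00
(81 C7 08 01 00 00 | 03 ??)
"""

# Opcode bytes from the rule's disassembly comment: the code the signature
# was written against (76 bytes).
REFERENCE_BYTES = bytes.fromhex(
    "69C028010000 50 53 FFB5ACFDFFFF E86E080000 8B85A4FCFFFF"
    " 69C028010000 50 8B85C4FEFFFF 0508010000 50 FFB5ACFDFFFF"
    " E80A050000 83C418 8BBDA4FCFFFF 69FF28010000 81C708010000"
)

# Token kinds: byte with optional '?' nibbles, [n] / [n-m] jump, ( | ).
# Unbounded jumps such as [-] or [4-] are not needed here and not handled.
_TOKEN = re.compile(r"[0-9A-Fa-f?]{2}|\[\d+(?:-\d+)?\]|[()|]")


def _byte_atom(tok: str) -> str:
    """One byte token, possibly with '?' nibble wildcards, as a regex atom."""
    if tok == "??":
        return "."
    hi, lo = tok[0], tok[1]
    values = [v for v in range(256)
              if (hi == "?" or v >> 4 == int(hi, 16))
              and (lo == "?" or v & 0xF == int(lo, 16))]
    return "[" + "".join(f"\\x{v:02x}" for v in values) + "]"


def hex_to_regex(hex_string: str):
    """Compile a YARA hex string into an equivalent compiled bytes regex."""
    parts = []
    for tok in _TOKEN.findall(hex_string):
        if tok.startswith("["):                       # jump: [n] or [n-m]
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(f".{{{lo},{hi}}}" if hi else f".{{{lo}}}")
        elif tok == "(":
            parts.append("(?:")
        elif tok in "|)":
            parts.append(tok)
        else:
            parts.append(_byte_atom(tok))
    # DOTALL is essential: a jumped-over byte may be 0x0A (see "E8 0A 05 00 00"
    # above), which '.' would otherwise refuse to match.
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)


def find_match(hex_string: str, data: bytes):
    """Return (offset, length) of the first match of the hex string, or None."""
    m = hex_to_regex(hex_string).search(data)
    return (m.start(), m.end() - m.start()) if m else None
```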