-
Notifications
You must be signed in to change notification settings - Fork 1
/
RomeoGolf_mod.yara
36 lines (31 loc) · 1.43 KB
/
RomeoGolf_mod.yara
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
// This rule has been modified by @mmorenog
// Original->$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4]}
// Final -> $idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
import "pe"
rule RomeoGolf
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - [email protected]"
Source = "7322d6b9328a9c708518c99b03a4ed3aa6ba943d7b439f6b1925e6d52a1828fe"
strings:
/*
FF 15 70 80 01 10 call ds:GetTickCount
50 push eax ; unsigned int
E8 80 93 00 00 call _srand
83 C4 04 add esp, 4
E8 85 93 00 00 call _rand
C1 E0 10 shl eax, 10h
89 46 0C mov [esi+0Ch], eax
E8 7A 93 00 00 call _rand
01 46 0C add [esi+0Ch], eax
E8 72 93 00 00 call _rand
C1 E0 10 shl eax, 10h
89 46 08 mov [esi+8], eax
E8 67 93 00 00 call _rand
01 46 08 add [esi+8], eax
*/
$idGen = {FF 15 [4] 50 E8 [4] 83 C4 04 E8 [4] C1 ?? 10 89 [2] E8 [4] 01 [2] E8 [4] C1 ?? 10 89 [2] E8 [4] ?? ?? ?? }
condition:
$idGen in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}