-
Notifications
You must be signed in to change notification settings - Fork 1
/
TangoBravo.yara
30 lines (26 loc) · 1.08 KB
/
TangoBravo.yara
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
import "pe"
rule TangoBravo
{
meta:
copyright = "2015 Novetta Solutions"
author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
Source = "2aa9cd3a2db2bd9dbe5ee36d9a5fc42b50beca806f9d644f387d5a680a580896"
strings:
/*
50 push eax ; SubStr
55 push ebp ; Str
FF D3 call ebx ; strstr
83 C4 08 add esp, 8
85 C0 test eax, eax
75 1A jnz short loc_401131
8A 8E 08 01 00 00 mov cl, [esi+108h]
81 C6 08 01 00 00 add esi, 108h
47 inc edi
8B C6 mov eax, esi
84 C9 test cl, cl
75 E2 jnz short loc_40110C
*/
$targetDomainCheck = {5? 5? FF ?? 83 C4 08 85 C0 75 ?? 8? ?? 08 01 00 00 8? ?? 08 01 00 00 4? 8B ?? 84 ?? 75 }
condition:
$targetDomainCheck in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}