UniformJuliett.yara

rule UniformJuliett
{
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		Source = "Cmd03000_1a6f62e1630d512c3b67bfdbff26270177585c82802ffa834b768ff47be0a008.bin"

	strings:
		/*
			56                 push    esi             ; hSCObject
			FF D5              call    ebp ; CloseServiceHandle
			68 B8 0B 00 00     push    0BB8h           ; dwMilliseconds
			FF 15 38 70 40 00  call    ds:Sleep
			6A 00              push    0               ; fCreateHighestLevel
			68 60 A9 40 00     push    offset PathName ; lpPathName
			E8 43 FE FF FF     call    RecursivelyCreateDirectories
			83 C4 08           add     esp, 8
			68 60 A9 40 00     push    offset PathName ; lpFileName
			FF 15 3C 70 40 00  call    ds:DeleteFileA
		*/
		
		$a = {56 FF D5 68 B8 0B 00 00 FF 15 [4] 6A 00 68 [4] E8 [4] 83 C4 08 68 [4] FF 15}
		
		$ = "wauserv.dll"
		$ = "Rpcss"
	
	condition:
		all of them
}