# capa rule: flag a function whose instruction-level shape matches the XXTEA
# (Corrected Block TEA) cipher. Purely structural — the rule never sees plaintext
# or keys, so a hit says "this routine is built like XXTEA", not "data was encrypted".
rule:
  meta:
    name: encrypt data using XXTEA
    namespace: data-manipulation/encryption/xxtea
    authors:
      - raymond.leong@mandiant.com
    scopes:
      # function scope: every sub-feature below only has to appear SOMEWHERE in the
      # function; the two basic blocks and the constants need not share a loop.
      static: function
      dynamic: unsupported # requires operand[1].number, characteristic, mnemonic, Not features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
    references:
      - https://en.wikipedia.org/wiki/XXTEA
    examples:
      - C3699D0C7BD1276184249A487C1F0D7F:0x0040D370
      - 2F9FF544D5CC945B453356F9B20C07D8:0x0040AA10
  features:
    - and:
      # Round-count setup: the referenced algorithm computes q = 6 + 52/n, and
      # 0x34 == 52. All three instructions must sit in ONE basic block.
      # NOTE(review): the constants are matched only as immediate operand[1];
      # a compiler that keeps 52 in a register/memory or folds the division for a
      # constant n will not hit this block.
      - basic block:
        - and:
          - instruction:
            - mnemonic: mov
            - operand[1].number: 0x34
          - instruction:
            - mnemonic: add
            - operand[1].number: 0x6
          - instruction:
            - mnemonic: idiv
      # Mixing function: the reference MX term uses shifts by 5, 2, 3 and 4.
      # Only three of the four are required here (shl 2 is deliberately omitted),
      # again restricted to one basic block and to immediate shift counts.
      - basic block:
        - and:
          - instruction:
            - mnemonic: shr
            - operand[1].number: 0x3
          - instruction:
            - mnemonic: shr
            - operand[1].number: 0x5
          - instruction:
            - mnemonic: shl
            - operand[1].number: 0x4
      # The round loop and the XOR-heavy mixing are expressed as capa characteristics.
      - characteristic: tight loop
      - characteristic: nzxor
      # The TEA-family delta. 0x61C88647 == 2^32 - 0x9E3779B9, which is what you
      # see when the compiler emits `sub reg, 0x61C88647` instead of `add reg, DELTA`
      # (presumably; verify against the listed examples if the rule is retuned).
      - or:
        - operand[1].number: 0x9E3779B9 = key schedule constant
        - operand[1].number: 0x61C88647 = key schedule constant two's complement
      # 0xC6EF3720 == 32 * 0x9E3779B9 mod 2^32, the precomputed final sum of 32-round
      # TEA. Its presence anywhere in the function vetoes the match, which is what
      # separates this rule from plain TEA. Side effect worth knowing: an XXTEA
      # routine that happens to contain that immediate (e.g. shared TEA/XXTEA code)
      # will not be reported.
      - not:
        - number: 0xC6EF3720 = tea sum, not used in xxtea