encrypt data using RC4 PRGA

rule:
  meta:
    name: encrypt data using RC4 PRGA
    namespace: data-manipulation/encryption/rc4
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires characteristic, mnemonic, basicblock features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Cryptography::Encrypt Data::RC4 [C0027.009]
      - Cryptography::Generate Pseudo-random Sequence::RC4 PRGA [C0021.004]
    examples:
      - 34404A3FB9804977C6AB86CB991FB130:0x403DB0
      - 34404A3FB9804977C6AB86CB991FB130:0x403E50
      - 9324D1A8AE37A36AE560C37448C9705A:0x4049F0
      - 73CE04892E5F39EC82B00C02FC04C70F:0x4064C6
  features:
    - and:
      # TODO: maybe add characteristic for nzxor reg size
      - count(characteristic(nzxor)): 1
      - or:
        - match: calculate modulo 256 via x86 assembly
        # compiler may do this via zero-extended mov from 8-bit register
        - count(mnemonic(movzx)): 4 or more
      # should not call (many) functions
      - count(characteristic(calls from)): (0, 4)
      # should not be too simple or too complex (50 is picked by intuition)
      - count(basic blocks): (4, 50)
      - match: contain loop
      - optional:
        - or:
          - number: 0xFF
          - number: 0x100