data-manipulation/encryption/rc4

encrypt data using RC4 with custom key via WinAPI

# capa detection rule: matches a function that loads a caller-supplied RC4 key
# into Windows CryptoAPI through CryptImportKey (instead of deriving a key with
# CryptDeriveKey). The technique, described in the reference below, imports an
# RSA private key whose public exponent is 1 so that the "encrypted" session key
# inside the SIMPLEBLOB is taken verbatim as the RC4 key.
rule:
  meta:
    name: encrypt data using RC4 with custom key via WinAPI
    namespace: data-manipulation/encryption/rc4
    authors:
      - blaine.stancill@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires bytes features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::RC4 [C0027.009]
    references:
      - https://www.phdcc.com/cryptorc4.htm
    examples:
      # sample hash : address of the matching function
      - 4E9C546A54E40D0DA89BB4616DD7F8C4:0x140007B70
      - A563C50C5FA0FD541248ACAF72CC4E7D:0x401AF0
  features:
    # Every feature under `and` must be present in the same function; the
    # `optional` block only adds context and never prevents a match.
    - and:
      - api: CryptImportKey
      # 0x4C = 76 bytes: 12-byte SIMPLEBLOB header + 64 bytes (512 bits) of key material
      - number: 0x4C = SimpleBlobRC4KeyTemplate size
      # Decodes as PUBLICKEYSTRUC {bType=SIMPLEBLOB (0x01), bVersion=2, reserved,
      # aiKeyAlg=CALG_RC4 (0x6801)} followed by ALG_ID CALG_RSA_KEYX (0xA400),
      # the algorithm of the key-exchange key that nominally wraps the RC4 key.
      - bytes: 01 02 00 00 01 68 00 00 00 A4 00 00 = SimpleBlobRC4KeyTemplate header
      # 0x134 = 308 bytes: 20-byte header + 512-bit modulus + CRT components + private exponent
      - number: 0x134 = PrivateKeyWithExponentOfOne size
      # Decodes as PRIVATEKEYBLOB (0x07), v2, CALG_RSA_KEYX, magic "RSA2",
      # bitlen 0x200 (512) and public exponent 1. With e = 1 the RSA wrap is the
      # identity, so whatever sits in the SIMPLEBLOB becomes the RC4 key as-is.
      - bytes: 07 02 00 00 00 A4 00 00 52 53 41 32 00 02 00 00 01 00 00 00 AB EF FA C6 7D E8 DE FB 68 38 09 92 D9 42 7E 6B 89 9E 21 D7 52 1C 99 3C 17 48 4E 3A 44 02 F2 FA 74 57 DA E4 D3 C0 35 67 FA 6E DF 78 4C 75 35 1C A0 74 49 E3 20 13 71 35 65 DF 12 20 F5 F5 F5 C1 ED 5C 91 36 75 B0 A9 9C 04 DB 0C 8C BF 99 75 13 7E 87 80 4B 71 94 B8 00 A0 7D B7 53 DD 20 63 EE F7 83 41 FE 16 A7 6E DF 21 7D 76 C0 85 D5 65 7F 00 23 57 45 52 02 9D EA 69 AC 1F FD 3F 8C 4A D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 D5 AA B1 A6 03 18 92 03 AA 31 2E 48 4B 65 20 99 CD C6 0C 15 0C BF 3E FF 78 95 67 B1 74 5B 60 01 00 00 00 00 00 00 00 00 00 00 00 = PrivateKeyWithExponentOfOne
      # CryptoAPI expects little-endian key material, hence the byte-reversal loop.
      - match: contain loop # Copies RC4 key in reverse order
      # Surrounding provider acquisition / encrypt call raise confidence only.
      - optional:
        - or:
          - number: 1 = PROV_RSA_FULL
          - api: CryptAcquireContext
          - api: CryptEncrypt

last edited: 2023-11-24 10:34:28