Added OrcaRAT rule

Added OrcaRAT rule

Added OrcaRAT rule
92e6def7 · Yara Rules · 2fb9a5ac · 92e6def7
Commit 92e6def7 authored 9 years ago by Yara Rules
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

Miscelanea.yar malware/Miscelanea.yar +24 -0

No files found.
--- a/malware/Miscelanea.yar
+++ b/malware/Miscelanea.yar
@@ -591,3 +591,27 @@ strings:
 condition:
 	any of them
 }
+rule OrcaRAT
+{
+    meta:
+        Author      = "PwC Cyber Threat Operations"
+        Date        = "2014/10/20" 
+        Description = "Strings inside"
+        Reference   = "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
+    strings:
+        $MZ = "MZ"
+        $apptype1 = "application/x-ms-application"
+        $apptype2 = "application/x-ms-xbap"
+        $apptype3 = "application/vnd.ms-xpsdocument"
+        $apptype4 = "application/xaml+xml"
+        $apptype5 = "application/x-shockwave-flash"
+        $apptype6 = "image/pjpeg"
+        $err1 = "Set return time error =   %d!"
+        $err2 = "Set return time   success!"
+        $err3 = "Quit success!"
+    condition:
+        $MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
+}