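/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// NOTE(review): neither rule below references the `pe` module (both read the
// PE header through raw uint16/uint32 offsets). The import is kept so existing
// loaders are unaffected, but it is currently unused.
import "pe"

// Detects the Flying Kitten .NET RAT ("Stealer") by the resource name and the
// build-time PDB path left in the binary, narrowed to managed (CLR) executables
// that are not DLLs.
rule FlyingKitten : rat
{
    meta:
        Author = "CrowdStrike, Inc"
        Date = "2014/05/13"
        Description = "Flying Kitten RAT"
        Reference = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"

    strings:
        // .NET embedded-resource name and the Release PDB path of the project
        $classpath = "Stealer.Properties.Resources.resources"
        $pdbstr = "\\Stealer\\obj\\x86\\Release\\Stealer.pdb"

    condition:
        all of them and
        // "MZ" DOS header, and "PE\0\0" signature at e_lfanew (offset 0x3c)
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3c)) == 0x4550 and
        // COFF Characteristics live at signature + 0x16; IMAGE_FILE_DLL (0x2000)
        // must be clear, i.e. the sample is an EXE rather than a DLL. The
        // grouping is written out explicitly: YARA evaluates `&` before `==`
        // (unlike C), and the intent should not depend on that precedence.
        (uint16(uint32(0x3C) + 0x16) & 0x2000) == 0 and
        // Optional-header magic at signature + 24 selects PE32 (0x010b) or
        // PE32+ (0x020b). The CLR runtime header data-directory RVA is at
        // +232 for PE32 and +248 for PE32+; a non-zero RVA means a managed
        // (.NET) assembly, consistent with the .NET artifacts above.
        (
            (uint16(uint32(0x3c)+24) == 0x010b and uint32(uint32(0x3c)+232) > 0) or
            (uint16(uint32(0x3c)+24) == 0x020b and uint32(uint32(0x3c)+248) > 0)
        )
}

// Detects the Flying Kitten installer: a cabinet (MSCF) payload that carries
// the dropped executable and its .NET application config file by name.
rule CSIT_14003_03 : installer
{
    meta:
        Author = "CrowdStrike, Inc"
        Date = "2014/05/13"
        Description = "Flying Kitten Installer"
        Reference = "http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten"

    strings:
        $exename = "IntelRapidStart.exe"
        // $confname contains $exename as a substring, so every $confname hit
        // also satisfies $exename; `all of them` therefore effectively requires
        // $confname and $cabhdr. Both are kept so each still appears in match
        // output.
        $confname = "IntelRapidStart.exe.config"
        // "MSCF" cabinet signature followed by the reserved zero dword
        $cabhdr = { 4d 53 43 46 00 00 00 00 }

    condition:
        all of them
}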