
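// Spec reference: http://forensicswiki.org/wiki/RAR#Format
rule compressed_exe_in_rar
{
meta:
author = "Jason Batchelor"
company = "Emerson"
lastmod = "20150813"
desc = "Detect on evidence of a compressed executable within a RAR"
strings:
// RAR 4.x archive marker block ("Rar!\x1A\x07\x00"), required at offset 0
$rar = { 52 61 72 21 1A 07 00 }
// File header, anchored on HEAD_TYPE (0x74), which sits 2 bytes into the header
// (after HEAD_CRC). Offsets below are relative to the match start, not the header start:
//   +13  HOST_OS  (00..05 = MS DOS, OS/2, Win32, Unix, Mac OS, BeOS)
//   +23  METHOD   (0x30..0x35 = storing .. best compression)
$file_header_part = { 74 [12] ( 00 | 01 | 02 | 03 | 04 | 05 ) [9] ( 30 | 31 | 32 | 33 | 34 | 35 ) }
// nocase: a member named "X.EXE" is just as executable on Windows, and a case-sensitive
// match is trivially missed otherwise
$exe_ext = ".exe" nocase
condition:
$rar at 0 and for any r in (1..#file_header_part):
// Relative to the match start: +1 HEAD_FLAGS (uint16 LE), +24 NAME_SIZE (uint16 LE, the
// file *name* length, not the file size), +30 FILE_NAME.
// When HEAD_FLAGS bit 0x100 (LHD_LARGE) is set, the optional HIGH_PACK_SIZE and
// HIGH_UNP_SIZE fields (8 bytes) sit between ATTR and FILE_NAME, so the name moves to +38.
// The two branches below select the correct name offset from that flag instead of
// assuming the fields are absent.
(
  (
    (uint16(@file_header_part[r] + 1) & 0x100) == 0 and
    $exe_ext in (@file_header_part[r] + 30..@file_header_part[r] + 30 + uint16(@file_header_part[r] + 24))
  ) or (
    (uint16(@file_header_part[r] + 1) & 0x100) != 0 and
    $exe_ext in (@file_header_part[r] + 38..@file_header_part[r] + 38 + uint16(@file_header_part[r] + 24))
  )
)
}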
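// Spec reference: https://en.wikipedia.org/wiki/Zip_(file_format)#File_headers
rule compressed_exe_in_zip
{
meta:
author = "Jason Batchelor"
company = "Emerson"
lastmod = "20150813"
desc = "Detect on evidence of a compressed executable within a ZIP"
strings:
// Local file header signature ("PK\x03\x04"); one per archive member
$pk = { 50 4B 03 04 }
// nocase: a member named "X.EXE" is just as executable on Windows, and a case-sensitive
// match is trivially missed otherwise
$exe_ext = ".exe" nocase
condition:
// The archive must begin with a local file header; archives with a leading stub or
// comment before the first header are out of scope for this rule.
$pk at 0 and for any p in (1..#pk):
// Relative to the local file header start: +26 file name length (uint16 LE, the *name*
// length, not the file size), +30 file name. The match is accepted when ".exe" starts
// anywhere inside the name field.
($exe_ext in (@pk[p] + 30..@pk[p] + 30 + uint16(@pk[p] + 26)))
}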
// Aggregate rule: true when either container-specific rule above fires.
rule misc_compressed_exe
{
condition:
compressed_exe_in_rar or compressed_exe_in_zip
}