34 lines
722 B
Text
34 lines
722 B
Text
|
rule OrcaRAT
|
||
|
{
|
||
|
meta:
|
||
|
author = "PwC Cyber Threat Operations :: @tlansec"
|
||
|
distribution = "TLP WHITE"
|
||
|
sha1 = "253a704acd7952677c70e0c2d787791b8359efe2c92a5e77acea028393a85613"
|
||
|
strings:
|
||
|
|
||
|
$MZ="MZ"
|
||
|
|
||
|
$apptype1="application/x-ms-application"
|
||
|
|
||
|
$apptype2="application/x-ms-xbap"
|
||
|
|
||
|
$apptype3="application/vnd.ms-xpsdocument"
|
||
|
|
||
|
$apptype4="application/xaml+xml"
|
||
|
|
||
|
$apptype5="application/x-shockwave-flash"
|
||
|
|
||
|
$apptype6="image/pjpeg"
|
||
|
|
||
|
$err1="Set return time error = %d!"
|
||
|
|
||
|
$err2="Set return time success!"
|
||
|
|
||
|
$err3="Quit success!"
|
||
|
|
||
|
|
||
|
|
||
|
condition:
|
||
|
|
||
|
$MZ at 0 and filesize < 500KB and (all of ($apptype*) and 1 of ($err*))
|
||
|
}
|