RokRat payload signature.
kevoreilly committed Feb 3, 2018
1 parent 337dd30 commit 2a19d47
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions data/yara/CAPE/RokRat.yar
@@ -0,0 +1,12 @@
rule RokRat
{
meta:
author = "kevoreilly"
description = "RokRat Payload"
cape_type = "RokRat Payload"
strings:
$code1 = {8B 57 04 8D 7F 04 33 57 FC 81 E2 FF FF FF 7F 33 57 FC 8B C2 24 01 0F B6 C0 F7 D8 1B C0 D1 EA 25 DF B0 08 99 33 87 30 06 00 00 33 C2 89 87 3C F6 FF FF 83 E9 01 75 C9}
$string1 = "/pho_%s_%d.jpg" wide
condition:
uint16(0) == 0x5A4D and (any of ($code*)) and (any of ($string*))
}
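
Review bot: $code1 is undocumented and looks generic rather than family-specific: the bytes `81 E2 FF FF FF 7F` mask with 0x7FFFFFFF and `25 DF B0 08 99` is an AND with 0x9908B0DF, both constants of the Mersenne Twister (MT19937) state update, so this sequence can appear in any binary built with the same PRNG code and the family-specific part of the rule is effectively only $string1. A comment stating what the code sequence does, plus a meta field referencing the sample it was taken from, would let later maintainers re-validate it; the hard-coded displacements (`30 06 00 00`, `3C F6 FF FF`) are also candidates for wildcards if other builds need to match. In the condition, `uint16(0) == 0x5A4D` restricts matches to buffers that begin with an MZ header, and with a single pattern in each group `any of ($code*)` and `any of ($string*)` reduce to `$code1 and $string1`, which is fine if more patterns are planned.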
