jRat and Yara Rules

For those who decide to read this on a more regular basis, you will soon realize that my malware of choice at the moment is Remote Access Tools / Trojans. While I was checking for updated versions of one of the 'newer' RATs I was surprised to find the author had pulled the site down, complaining about its use by the malware crime / APT community. The site was down for about a week before coming back up again with two new versions: a free version that limits connections and forces a tray icon, and a VIP version purchased with Bitcoin that removes these restrictions. He also released a removal tool, and a reversal tool that allows you to trivially reverse the AES encryption that's used to cipher the RAT.

I will go into a lot more detail about jRAT in a future post; I just wanted to take the time to comment on this turnaround and to publish my first public Yara rule :)

For those of you who don't know what Yara is, think Snort for malware. For those who don't know what Snort is, keep reading; over the coming weeks I'll be adding some sections for both of them.

See Yara for more details.

The following rule is tested working for jRat version 3.3.1. It's not valid for version 4 Free, and until I can get hold of version 4 Paid I can't test against it.

Once I get my other samples out I'll test against other sub-versions, but this should cover all 3.x standard builds, that's to say builds that don't have a FUD of some sort applied to them.

rule jrat_remote_access_trojan
{
    meta:
        description = "jRAT Remote Access Trojan"
        reference = "techanarchy.net, jrat.pro"
        author = "Kevin Breen <thehermit@techanarchy.net>"
        date = "2013-07"
        filetype = "Java"
        md5 = "39efba44cdbe40a0d6ed6deb8eff51fd"
    strings:
        // Present in every JAR; anchors the rule to Java archives
        $meta = "META-INF"
        // Data files the rule keys on: key.dat plus either config.dat or conf.dat
        $key = "key.dat"
        $conf = "config.dat"
        $conf2 = "conf.dat"
        // Obfuscated one- and two-letter class names in the archive entry names.
        // Every $reClass2 hit is also a $reClass1 hit, so #reClass1 >= #reClass2.
        $reClass1 = /[a-z]\.class/
        $reClass2 = /[a-z][a-f]\.class/

    condition:
       ($meta and $key) and ($conf or $conf2) and (#reClass1 > 10 and #reClass2 > 10)
}
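The rule says what it matches but not how the counts behave on a real archive. The following is an added example, not code from the original post and not from jRAT: a small Python harness that builds constructed JARs in memory and evaluates the same six strings and the same condition over the raw bytes, so you can see the numbers behind #reClass1 > 10 without a live sample. One detail worth knowing when tuning the thresholds: a ZIP stores every entry name twice (local file header and central directory), so YARA counts each class name twice and "> 10" effectively means six or more obfuscated class names. The sample layouts, class names and payloads are constructed for illustration only.

```python
import io
import re
import zipfile

# The six strings from the rule, as Python regexes over the raw file bytes.
# YARA's #name is the number of occurrences of that string in the scanned file.
RULE_STRINGS = {
    "meta": rb"META-INF",
    "key": rb"key\.dat",
    "conf": rb"config\.dat",
    "conf2": rb"conf\.dat",
    "reClass1": rb"[a-z]\.class",
    "reClass2": rb"[a-z][a-f]\.class",
}


def count_matches(data: bytes) -> dict:
    """Return {string_name: occurrence_count}, i.e. YARA's #name for each string."""
    return {name: len(re.findall(pat, data)) for name, pat in RULE_STRINGS.items()}


def jrat_rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition:
    ($meta and $key) and ($conf or $conf2) and (#reClass1 > 10 and #reClass2 > 10)."""
    c = count_matches(data)
    return ((c["meta"] > 0 and c["key"] > 0)
            and (c["conf"] > 0 or c["conf2"] > 0)
            and (c["reClass1"] > 10 and c["reClass2"] > 10))


def build_jar(class_names, extra_files) -> bytes:
    """Build a constructed JAR in memory. Entries are STORED (uncompressed) so the
    only bytes the regexes can hit are the entry names and the payloads we choose.
    A ZIP writes every entry name twice (local file header + central directory),
    which is why each class name counts twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a\n")
        for name in class_names:
            # Fake class body: the 0xCAFEBABE magic plus padding, no real bytecode.
            z.writestr(name, b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        for name, payload in extra_files.items():
            z.writestr(name, payload)
    return buf.getvalue()


# Constructed sample with the layout the rule targets: key/config blobs plus
# eleven one-letter and six two-letter class names. Not a real jRAT build.
JRAT_LIKE = build_jar(
    [f"{c}.class" for c in "abcdefghijk"] + [f"a{c}.class" for c in "abcdef"],
    {"key.dat": b"0123456789abcdef", "config.dat": b"host=127.0.0.1\nport=1337\n"},
)

# Constructed benign-looking JAR: same data files, a handful of normally named classes.
BENIGN = build_jar(
    ["com/example/Main.class", "com/example/Util.class", "com/example/Config.class"],
    {"key.dat": b"0123456789abcdef", "config.dat": b"host=127.0.0.1\nport=1337\n"},
)

# Constructed variant with the obfuscated class profile but no key.dat: fails $key.
NO_KEY = build_jar(
    [f"{c}.class" for c in "abcdefghijk"] + [f"a{c}.class" for c in "abcdef"],
    {"config.dat": b"host=127.0.0.1\nport=1337\n"},
)

if __name__ == "__main__":
    for label, blob in (("jrat-like", JRAT_LIKE), ("benign", BENIGN), ("no-key", NO_KEY)):
        print(label, count_matches(blob), "->", jrat_rule_matches(blob))
```

Writing the three blobs to disk and scanning them with the yara command line against the rule above should give the same verdicts; the harness only replaces the engine for quick offline reasoning about the thresholds, it is not a substitute for testing against real samples.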
