rule jar_with_images { meta: author = "ferasdour" purpose = "There was a java rat with an image file inside it that appears to have been used to prove the attacker's access into a network. This file was shared via virustotal and virusshare, don't want to associate hash because that's bad rule making" issues = "manifest.mf matches manifest of anything" strings: $jar_manifest = "MANIFEST.MF" fullword // needed because jar $png_file_ext = ".png" // can't use file headers inside of zip, using file ext $jpg_file_ext = ".jpg" $jpeg_file_ext = ".jpeg" $gif_file_ext = ".gif" $apk_file = "AndroidManifest.xml" // false positives due to android apk files containing both java file manifest as well as images condition: uint32(0) == 0x04034b50 and // multiple blog posts suggest this method for finding zip file headers, using "at 0" didn't work with clamav. $jar_manifest and ($png_file_ext or $jpg_file_ext or $jpeg_file_ext or $gif_file_ext) and not $apk_file }