Skip to content

Commit c27e2b3

Browse files
kevoreillykevoreilly
authored
Merge pull request #2734 from enzok/yara_updates_01
Yara updates 01
2 parents 9469619 + 3b89448 commit c27e2b3

File tree

2 files changed

+23
-4
lines changed

2 files changed

+23
-4
lines changed

data/yara/CAPE/AdaptixBeacon.yar

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,11 +6,13 @@ rule AdaptixBeacon
66
cape_type = "AdaptixBeacon Payload"
77
hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
88
strings:
9-
$conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
9+
$conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04 ?? E8}
1010
$conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
1111
$conf_3 = {E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 58 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 60 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 68}
12-
$wininet_1 = {B9 77 00 00 00 4? 89 50 28 E8 [4] B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24}
13-
$wininet_2 = {B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24 ?? E8 [4] B9 65 00 00 00 88 44 24}
12+
$conf_4 = {8D ?? ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 ?? 4? 8B ?? FF ?? ?? 4? 8B ?? 48 66 ?? 89 ?? ?? EB}
13+
$conf_5 = {48 89 ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 D9 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89 ?? 4? 89 ?? 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89}
14+
$wininet_1 = {B9 77 00 00 00 [0-4] E8 [4] B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24}
15+
$wininet_2 = {B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24 [0-4] E8 [4] B9 65 00 00 00 88 ?4 24}
1416
condition:
1517
1 of ($conf_*) and 1 of ($wininet_*)
16-
}
18+
}

data/yara/CAPE/NitroBunnyDownloader.yar

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
rule NitroBunnyDownloader
2+
{
3+
meta:
4+
author = "enzok"
5+
description = "NitroBunnyDownloader"
6+
cape_type = "NitroBunnyDownloader Payload"
7+
hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
8+
strings:
9+
$config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
10+
$string1 = "X-Amz-User-Agent:" wide
11+
$string2 = "Amz-Security-Flag:" wide
12+
$string3 = "/cart" wide
13+
$string4 = "Cookie: " wide
14+
$string5 = "wishlist" wide
15+
condition:
16+
uint16(0) == 0x5A4D and $config and 2 of ($string*)
17+
}

0 commit comments

Comments
 (0)