Add signatures

CAPESandbox · Nov 30, 2023 · 0515170 · 0515170
1 parent 3cbad1c
commit 0515170
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 0 deletions.
diff --git a/data/yara/CAPE/DiscoNightClub.yar b/data/yara/CAPE/DiscoNightClub.yar
@@ -0,0 +1,20 @@
+rule DiscoNightClub {
+    meta:
+        author = "ditekSHen"
+        description = "Hunts for Disco NightClub"
+        cape_type = "DiscoNightClub Payload"
+    strings:
+        $s1 = "\\OfficeBroker\\OfficeBroker.exe" ascii wide nocase
+        $s2 = "\\EDGEUPDATE\\EDGEAOUT" ascii wide nocase
+        $s3 = "\\EDGEUPDATE\\update" ascii wide nocase
+        $s4 = "windows.system.update.com" ascii wide nocase
+        $s5 = "edgeupdate-security-windows.com" ascii wide nocase
+        $s6 = "nightclub::" ascii wide nocase
+        $s7 = "EncryptedPasswordFlt" ascii wide nocase
+        $s8 = "Microsoft\\def\\Gfr45.cfg" ascii wide nocase
+        $s9 = "::keylog::" ascii wide nocase
+        $pdb1 = "\\AbcdMainProject\\Rootsrc\\Projects\\MainS\\Ink\\" ascii wide nocase
+        $pdb2 = "\\Autogen\\Kh\\AutogenAlg\\" ascii wide nocase
+    condition: 
+        uint16(0) == 0x5a4d and ((1 of ($pdb*) and 2 of ($s*)) or (4 of ($s*)))
+}
diff --git a/data/yara/CAPE/R77.yar b/data/yara/CAPE/R77.yar
@@ -0,0 +1,29 @@
+import "pe"
+
+rule R77 {
+    meta:
+        author = "ditekSHen"
+        description = "Detects r77 rootkit"
+        cape_type = "R77 Payload"
+    strings:
+        $s1 = "startup" fullword wide
+        $s2 = "process_names" fullword wide
+        $s3 = "paths" fullword wide
+        $s4 = "service_names" fullword wide
+        $s5 = "tcp_local" fullword wide
+        $s6 = "tcp_remote" fullword wide
+        $s7 = "\\\\.\\pipe\\" wide
+        $s8 = "SOFTWARE\\" wide
+    condition:
+        uint16(0) == 0x5a4d and (
+            all of ($s*) or 
+            (5 of them and pe.exports("ReflectiveDllMain")) or
+            (5 of them and 
+                for any i in (0 .. pe.number_of_sections) : (
+                    (
+                        pe.sections[i].name == ".detourd"
+                    )
+                )
+            )
+        )
+}
diff --git a/data/yara/binaries/indicator_tools.yar b/data/yara/binaries/indicator_tools.yar
@@ -1,3 +1,5 @@
+import "pe"
+
 rule INDICATOR_TOOL_PWS_LaZagne {
     meta:
         description = "Detects LaZagne post-exploitation password stealing tool. It is typically embedded with malware in the binary resources."
@@ -1732,3 +1734,22 @@ rule INDICATOR_TOOL_Pandora {
     condition:
         uint16(0) == 0x5a4d and 5 of them
 }
+
+rule INDICATOR_TOOL_Havoc {
+    meta:
+        author = "ditekSHen"
+        description = "Detects Havoc Demon"
+    strings:
+        $x1 = "X-Havoc:" wide
+        $x2 = "X-Havoc-Agent:" wide
+        $s1 = "\\Werfault.exe" wide
+        $s2 = "/funny_cat.gif" wide
+    condition:
+        uint16(0) == 0x5a4d and (all of ($x*) or 3 of them or
+            (
+                pe.number_of_imports == 0 and 
+                pe.number_of_exports == 0 and 
+                2 of them
+            ) 
+        )
+}