Add and update rules

CAPESandbox · Dec 27, 2023 · 14feb04 · 14feb04
1 parent 72047cb
commit 14feb04
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/data/yara/CAPE/EspioLoader.yar b/data/yara/CAPE/EspioLoader.yar
@@ -2,7 +2,7 @@ rule EspioLoader {
     meta:
         author = "ditekSHen"
         description = "Detects Espio shellcode loader and obfuscator"
-        cape_type = "EspioLoader Loader Payload"
+        cape_type = "EspioLoader Payload"
     strings:
         $pdb = /\\loader\\x64\\(Release|Debug)\\Espio\.pdb/ ascii
         $s1 = "obfuscatedPayload" fullword wide

diff --git a/data/yara/CAPE/Simda.yar b/data/yara/CAPE/Simda.yar
@@ -0,0 +1,18 @@
+rule Simda {
+    meta:
+        author = "ditekShen"
+        description = "Detects Simda / Shifu infostealer"
+        cape_type = "Simda Payload"
+    strings:
+        $s1 = "command=auth_loginByPassword&back_command=&back_custom1=&" fullword ascii
+        $s2 = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clma" ascii
+        $s3 = "debug_%s_%s.log" fullword ascii
+        $s4 = "Content-Disposition: form-data; name=\"file\"; filename=\"report\"" ascii
+        $s5 = "name=%s&port=%u" ascii
+        $s6 = "id=%s&ver=4.0.1&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d" ascii
+        $s7 = "{BotVer:" fullword ascii
+        $s8 = "software\\microsoft\\windows nt\\currentversion\\winlogon" ascii
+        $s9 = /(!|&|data_)inject(=ok)?/ fullword ascii
+    condition:
+      uint16(0) == 0x5a4d and 6 of them
+}
diff --git a/data/yara/binaries/indicator_suspicious.yar b/data/yara/binaries/indicator_suspicious.yar
@@ -1190,6 +1190,8 @@ rule INDICATOR_Binary_Embedded_Cryptocurrency_Wallet_Browser_Extension_IDs {
         $s91 = "egjidjbpglichdcondbcbdnbeeppgdph" ascii wide nocase // Trust Wallet
         $s92 = "pnndplcbkakcplkjnolgbkdgjikjednm" ascii wide nocase // Tronium
         $s93 = "gojhcdgcpbpfigcaejpfhfegekdgiblk" ascii wide nocase // Opera Wallet
+        $s94 = "djclckkglechooblngghdinmeemkbgci" ascii wide nocase // MetaMask
+        $s95 = "jnmbobjmhlngoefaiojfljckilhhlhcj" ascii wide nocase // OneKey
     condition:
         (uint16(0) == 0x5a4d and 8 of them) or (12 of them)
 }
@@ -1214,6 +1216,10 @@ rule INDICATOR_Binary_Embedded_MFA_Browser_Extension_IDs {
         $s13 = "fmhmiaejopepamlcjkncpgpdjichnecm" ascii wide nocase // KeePass Tusk
         $s14 = "nngceckbapebfimnlniiiahkandclblb" ascii wide nocase // Bitwarden
         $s15 = "fiedbfgcleddlbcmgdigjgdfcggjcion" ascii wide nocase // Microsoft AutoFill
+        $s16 = "bfogiafebfohielmmehodmfbbebbbpei" ascii wide nocase // Keeper
+        $s17 = "jhfjfclepacoldmjmkmdlmganfaalklb" ascii wide nocase // Splikity
+        $s18 = "chgfefjpcobfbnpmiokfjjaglahmnded" ascii wide nocase // CommonKey
+        $s19 = "igkpcodhieompeloncfnbekccinhapdb" ascii wide nocase // Zoho Vault
     condition:
         (uint16(0) == 0x5a4d and 5 of them) or (8 of them)
 }