From 14feb043bab65aab5669022498413702c7dc0870 Mon Sep 17 00:00:00 2001
From: ditekshen
Date: Wed, 27 Dec 2023 10:00:36 +0300
Subject: [PATCH] Add and update rules

---
 data/yara/CAPE/EspioLoader.yar | 2 +-
 data/yara/CAPE/Simda.yar | 18 ++++++++++++++++++
 data/yara/binaries/indicator_suspicious.yar | 6 ++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 data/yara/CAPE/Simda.yar

diff --git a/data/yara/CAPE/EspioLoader.yar b/data/yara/CAPE/EspioLoader.yar
index 2daeb94d..c4be4ba6 100644
--- a/data/yara/CAPE/EspioLoader.yar
+++ b/data/yara/CAPE/EspioLoader.yar
@@ -2,7 +2,7 @@ rule EspioLoader {
 meta:
 author = "ditekSHen"
 description = "Detects Espio shellcode loader and obfuscator"
- cape_type = "EspioLoader Loader Payload"
+ cape_type = "EspioLoader Payload"
 strings:
 $pdb = /\\loader\\x64\\(Release|Debug)\\Espio\.pdb/ ascii
 $s1 = "obfuscatedPayload" fullword wide
diff --git a/data/yara/CAPE/Simda.yar b/data/yara/CAPE/Simda.yar
new file mode 100644
index 00000000..a5c02706
--- /dev/null
+++ b/data/yara/CAPE/Simda.yar
@@ -0,0 +1,18 @@
+rule Simda {
+ meta:
+ author = "ditekShen"
+ description = "Detects Simda / Shifu infostealer"
+ cape_type = "Simda Payload"
+ strings:
+ $s1 = "command=auth_loginByPassword&back_command=&back_custom1=&" fullword ascii
+ $s2 = "iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clma" ascii
+ $s3 = "debug_%s_%s.log" fullword ascii
+ $s4 = "Content-Disposition: form-data; name=\"file\"; filename=\"report\"" ascii
+ $s5 = "name=%s&port=%u" ascii
+ $s6 = "id=%s&ver=4.0.1&up=%u&os=%03u&rights=%s<ime=%s%d&token=%d" ascii
+ $s7 = "{BotVer:" fullword ascii
+ $s8 = "software\\microsoft\\windows nt\\currentversion\\winlogon" ascii
+ $s9 = /(!|&|data_)inject(=ok)?/ fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and 6 of them
+}
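Review bot: `$s6` in the new Simda rule ends in `rights=%s<ime=%s%d&token=%d`, and the `<ime` fragment looks like a mangled `&time=` parameter rather than a literal `<`; if that is a transcription artifact the string can never match and the rule quietly depends on the remaining eight — confirm the bytes against the sample before merging. `$s3` (`debug_%s_%s.log`), `$s5` (`name=%s&port=%u`) and `$s8` (a generic Winlogon registry path) are common to benign software, so with `6 of them` half of the required hits can come from low-specificity strings; consider weighting the family-specific ones instead, e.g. `uint16(0) == 0x5a4d and 4 of ($s1, $s2, $s4, $s6, $s7, $s9)`. The meta author is spelled `ditekShen` here and `ditekSHen` in EspioLoader.yar in the same patch; one spelling keeps rule metadata consistently searchable.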
diff --git a/data/yara/binaries/indicator_suspicious.yar b/data/yara/binaries/indicator_suspicious.yar
index d518aa12..a7e0da2a 100644
--- a/data/yara/binaries/indicator_suspicious.yar
+++ b/data/yara/binaries/indicator_suspicious.yar
@@ -1190,6 +1190,8 @@ rule INDICATOR_Binary_Embedded_Cryptocurrency_Wallet_Browser_Extension_IDs {
 $s91 = "egjidjbpglichdcondbcbdnbeeppgdph" ascii wide nocase // Trust Wallet
 $s92 = "pnndplcbkakcplkjnolgbkdgjikjednm" ascii wide nocase // Tronium
 $s93 = "gojhcdgcpbpfigcaejpfhfegekdgiblk" ascii wide nocase // Opera Wallet
+ $s94 = "djclckkglechooblngghdinmeemkbgci" ascii wide nocase // MetaMask
+ $s95 = "jnmbobjmhlngoefaiojfljckilhhlhcj" ascii wide nocase // OneKey
 condition:
 (uint16(0) == 0x5a4d and 8 of them) or (12 of them)
 }
@@ -1214,6 +1216,10 @@ rule INDICATOR_Binary_Embedded_MFA_Browser_Extension_IDs {
 $s13 = "fmhmiaejopepamlcjkncpgpdjichnecm" ascii wide nocase // KeePass Tusk
 $s14 = "nngceckbapebfimnlniiiahkandclblb" ascii wide nocase // Bitwarden
 $s15 = "fiedbfgcleddlbcmgdigjgdfcggjcion" ascii wide nocase // Microsoft AutoFill
+ $s16 = "bfogiafebfohielmmehodmfbbebbbpei" ascii wide nocase // Keeper
+ $s17 = "jhfjfclepacoldmjmkmdlmganfaalklb" ascii wide nocase // Splikity
+ $s18 = "chgfefjpcobfbnpmiokfjjaglahmnded" ascii wide nocase // CommonKey
+ $s19 = "igkpcodhieompeloncfnbekccinhapdb" ascii wide nocase // Zoho Vault
 condition:
 (uint16(0) == 0x5a4d and 5 of them) or (8 of them)
 }
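Review bot: The trailing comments on the added IDs name only the product (`// MetaMask`, `// Keeper`), but the same extension can carry a different ID per store, and `$s94` does not appear to be the ID usually cited for MetaMask's Chrome Web Store build, so a reader cannot tell whether it is a second store's ID or a typo — this applies to both hunks (`$s94`-`$s95` and `$s16`-`$s19`). Suggest recording the store and provenance in each comment, e.g. `// MetaMask (<store> build — TODO confirm against the store listing)`, since an ID that is never present in the wild only inflates the string count without adding coverage. With 95 wallet IDs and 19 MFA IDs now in these rules the `8 of them` / `12 of them` and `5 of them` / `8 of them` thresholds were not revisited; a line in each rule's meta on how the thresholds were chosen would keep future additions from silently drifting the false-positive rate.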