From d3b397d46d675ca62fbdfd08163390218ff15d4e Mon Sep 17 00:00:00 2001
From: Andriy Brukhovetskyy
Date: Tue, 23 Jul 2024 08:52:37 +0200
Subject: [PATCH] kig rat

---
 data/yara/CAPE/VenomRAT.yar |  2 +-
 data/yara/CAPE/XWorm.yar    | 19 +++++++++++++++++++
 data/yara/CAPE/Xenorat.yar  | 14 ++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 data/yara/CAPE/Xenorat.yar

diff --git a/data/yara/CAPE/VenomRAT.yar b/data/yara/CAPE/VenomRAT.yar
index 29b34e32..26ad89b0 100644
--- a/data/yara/CAPE/VenomRAT.yar
+++ b/data/yara/CAPE/VenomRAT.yar
@@ -19,7 +19,7 @@ rule VenomRAT {
 
 rule venomrat_kingrat {
     meta:
         author = "jeFF0Falltrades"
-        cape_type = "VenomRat Payload"
+        cape_type = "VenomRat Payload"
     strings:
         $str_id_venomrat = "venomrat" wide ascii nocase
diff --git a/data/yara/CAPE/XWorm.yar b/data/yara/CAPE/XWorm.yar
index 68d8c620..6c356c9c 100644
--- a/data/yara/CAPE/XWorm.yar
+++ b/data/yara/CAPE/XWorm.yar
@@ -25,3 +25,22 @@ rule XWorm {
     condition:
         uint16(0) == 0x5a4d and ((1 of ($x*) and (3 of ($s*) or 3 of ($v2*))) or 6 of them)
 }
+
+rule xworm_kingrat {
+    meta:
+        author = "jeFF0Falltrades"
+        cape_type = "Xworm payload"
+    strings:
+        $str_xworm = "xworm" wide ascii nocase
+        $str_xwormmm = "Xwormmm" wide ascii
+        $str_xclient = "XClient" wide ascii
+        $str_default_log = "\\Log.tmp" wide ascii
+        $str_create_proc = "/create /f /RL HIGHEST /sc minute /mo 1 /t" wide ascii
+        $str_ddos_start = "StartDDos" wide ascii
+        $str_ddos_stop = "StopDDos" wide ascii
+        $str_timeout = "timeout 3 > NUL" wide ascii
+        $byte_md5_hash = { 7e [3] 04 28 [3] 06 6f }
+        $patt_config = { 72 [3] 70 80 [3] 04 }
+    condition:
+        5 of them and #patt_config >= 7
+    }
diff --git a/data/yara/CAPE/Xenorat.yar b/data/yara/CAPE/Xenorat.yar
new file mode 100644
index 00000000..18200741
--- /dev/null
+++ b/data/yara/CAPE/Xenorat.yar
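Review bot: The new rule xworm_kingrat carries no file-type anchor in its condition, whereas the existing XWorm rule visible in the hunk's context opens its condition with `uint16(0) == 0x5a4d`; with only `5 of them and #patt_config >= 7`, short strings such as `"XClient"` and `"timeout 3 > NUL"` plus the generic `$patt_config` IL sequence (ldstr followed by stsfld, which most .NET assemblies initialising static string fields contain) can be satisfied by unrelated .NET samples or by text artefacts. Either add the same MZ check or record in meta why it is omitted (presumably to hit unpacked memory dumps), and add a `description` meta entry stating the intended scope. The closing brace is written `+    }` while the existing rule closes with `}` at column 0; align it for consistency. If the existing XWorm rule's `cape_type` value differs from `"Xworm payload"`, the two should agree, since CAPE appears to key payload handling on that string.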
@@ -0,0 +1,14 @@
+ rule xenorat {
+     meta:
+         author = "jeFF0Falltrades"
+         cape_type = "Xenorat payload"
+     strings:
+         $str_xeno_rat_1 = "xeno rat" wide ascii nocase
+         $str_xeno_rat_2 = "xeno_rat" wide ascii nocase
+         $str_xeno_update_mgr = "XenoUpdateManager" wide ascii
+         $str_nothingset = "nothingset" wide ascii
+         $byte_enc_dec_pre = { 1f 10 8d [4] (0a | 0b) }
+         $patt_config = { 72 [3] 70 80 [3] 04 }
+     condition:
+         4 of them and #patt_config >= 5
+ }
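Review bot: The condition `4 of them and #patt_config >= 5` lets the two non-specific patterns (`$patt_config`, a plain ldstr/stsfld IL pair, and `$byte_enc_dec_pre`) count toward the threshold alongside `"nothingset"`, so the rule can fire without any of the family identifiers; requiring one explicitly, `1 of ($str_xeno_rat_*) and 4 of them and #patt_config >= 5`, keeps the hit tied to the Xeno RAT strings the rule is named for. As rendered in the hunk the rule body appears indented by a leading space (`+ rule xenorat {`), unlike the other CAPE rule files in this patch which start at column 0; if that is real, drop it. There is also no `uint16(0) == 0x5a4d` anchor as in the sibling XWorm rule, and no `description` meta entry; add one stating what the rule targets (PE payload vs. unpacked dump) so the omission reads as deliberate.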