Add and update rules

CAPESandbox · Sep 6, 2024 · df226ac · df226ac
1 parent bdfbc75
commit df226ac
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 8 deletions.
diff --git a/data/yara/CAPE/KTLVdoor.yar b/data/yara/CAPE/KTLVdoor.yar
@@ -0,0 +1,35 @@
+rule KTLVdoor {
+    meta:
+        author = "ditekshen"
+        description = "Detects KTLVdoor"
+        cape_type = "KTLVdoor Payload"
+    strings:
+        $s1 = "/cmd/acc/agent_acc" ascii
+        $s2 = "main.DLLWMain" ascii
+        $s3 = "main.checkSilent" ascii
+        $h1 = ".handleInteractiveShell" ascii
+        $h2 = ".handleNetstat" ascii
+        $h3 = ".handleProcess" ascii
+        $h4 = ".handleRefreshHostInfo" ascii
+        $h5 = ".handleTimestomp" ascii
+        $h6 = ".handleSoInject" ascii
+        $h7 = ".HandleRegInfo" ascii
+        $h8 = ".handlePortscan" ascii
+        $h9 = ".handleReflectDllInject" ascii
+        $h10 = ".handleFileDownload" ascii
+        $f1 = ".RdpWithNTLM." ascii
+        $f2 = ".FingerPrintOs." ascii
+        $f3 = ".ScanWMI." ascii
+        $f4 = ".ScanWinRM." ascii
+        $f5 = ".ScanWeb." ascii
+        $f6 = ".ScanSmb2." ascii
+        $f7 = ".ScanRDP." ascii
+        $f8 = ".ScanPing." ascii
+        $f9 = ".ScanOxid." ascii
+        $f10 = ".ScanMssql." ascii
+        $f11 = ".ScanBanner." ascii
+        $fr1 = /\.proxy[CS]2[CS](TC|UD)P/ ascii
+        $fr2 = /\.Scan(WMI|WinRM|Web|Smb2|RDP|Ping|Oxid|Mssql|Banner)\./ ascii
+    condition:
+        (uint16(0) == 0x5a4d or uint16(0) == 0x457f) and ((6 of ($h*)) or (12 of ($f*)) or (2 of ($h*) and 4 of ($f*)) or (1 of ($s*) and (4 of ($h*) or 4 of ($f*))) or (13 of them))
+}
diff --git a/data/yara/CAPE/LightHand.yar b/data/yara/CAPE/LightHand.yar
@@ -0,0 +1,29 @@
+rule LightHand {
+    meta:
+        author = "ditekshen"
+        description = "Detects LightHand"
+        cape_type = "LightHand Payload"
+    strings:
+        $x1 = "27.102." ascii
+        $x2 = "109.248.150.179" fullword ascii
+        $s1 = /Hello (Client|Server)/ fullword ascii
+        $s2 = "%s|%s|%s|%s|%s|%s|" fullword wide
+        $s3 = "%s\\cmd.exe" fullword wide
+        $s4 = "Remote PC" fullword wide
+        $s5 = { 2e 62 61 74 [3-4] 3a 4c 31 0d 0a 64 65 6c
+                20 2f 46 20 22 25 73 22 0d 0a 69 66 20 65 78 69
+                73 74 20 22 25 73 22 20 67 6f 74 6f 20 4c 31 0d
+                0a 64 65 6c 20 2f 46 20 22 25 73 22 0d 0a 00 00
+                6f 70 65 6e }
+        $s6 = { 25 00 2e 00 32 00 66 00 47 00 42 00 00 00 00 00
+                25 00 73 00 7c 00 25 00 73 00 7c 00 25 00 73 00
+                0a 00 00 00 00 00 00 00 5c 00 2a 00 2e 00 2a 00
+                00 00 00 00 0a 00 00 00 2e 00 00 00 2e 00 2e 00
+                00 00 00 00 00 00 00 00 46 00 6f 00 6c 00 64 00
+                65 00 72 00 00 00 00 00 25 00 73 00 5c 00 25 00
+                73 00 00 00 00 00 00 00 25 00 64 00 42 00 00 00
+                25 00 2e 00 31 00 66 00 4b 00 42 00 00 00 00 00
+                25 00 2e 00 31 00 66 00 4d 00 42 }
+    condition:
+        uint16(0) == 0x5a4d and ((5 of ($s*)) or (1 of ($x*) and 3 of ($s*)))
+}
diff --git a/data/yara/CAPE/TigerRAT.yar b/data/yara/CAPE/TigerRAT.yar
@@ -1,18 +1,20 @@
 rule TigerRAT {
     meta:
-        author = "ditekSHen"
+        author = "ditekshen"
         description = "Detects TigerRAT"
         cape_type = "TigerRAT Payload"
     strings:
-        $m1 = ".?AVModuleKeyLogger@@" fullword ascii
-        $m2 = ".?AVModulePortForwarder@@" fullword ascii
-        $m3 = ".?AVModuleScreenCapture@@" fullword ascii
-        $m4 = ".?AVModuleShell@@" fullword ascii
+        $m0 = ".?AVCryptorRC4@@" fullword ascii
+        $m1 = ".?AVModuleShell@@" fullword ascii
+        $m2 = ".?AVModuleKeyLogger@@" fullword ascii
+        $m3 = ".?AVModuleSocksTunnel@@" fullword ascii
+        $m4 = ".?AVModuleScreenCapture@@" fullword ascii
+        $m5 = ".?AVModulePortForwarder@@" fullword ascii
         $s1 = "\\x9891-009942-xnopcopie.dat" fullword wide
         $s2 = "(%02d : %02d-%02d %02d:%02d:%02d)--- %s[Clipboard]" fullword ascii
         $s3 = "[%02d : %02d-%02d %02d:%02d:%02d]--- %s[Title]" fullword ascii
-        $s4 = "del \"%s\"%s \"%s\" goto " ascii
-        $s5 = "[<<]" fullword ascii
+        $s4 = "~KPTEMP" fullword wide
+        $s5 = "del \"%s\"%s \"%s\" goto " ascii
     condition:
-        uint16(0) == 0x5a4d and (all of ($s*) or (all of ($m*) and 1 of ($s*)) or (2 of ($m*) and 2 of ($s*)))
+        uint16(0) == 0x5a4d and ((all of ($s*)) or (5 of ($m*)) or (3 of ($m*) and 2 of ($s*)) or (5 of them))
 }
diff --git a/data/yara/CAPE/ValidAlpha.yar b/data/yara/CAPE/ValidAlpha.yar
@@ -0,0 +1,18 @@
+rule ValidAlpha {
+    meta:
+        author = "ditekshen"
+        description = "Detects ValidApha / BlackRAT"
+        cape_type = "ValidAlpha Payload"
+    strings:
+        $x1 = "RAT/Black/" ascii
+        $x2 = "RAT/Black/Client_Go/" ascii
+        $s1 = "main.RunTask" fullword ascii
+        $s2 = "main.CmdShell" fullword ascii
+        $s3 = "main.SelfDelete" fullword ascii
+        $s4 = "main.RecvPacket" fullword ascii
+        $s5 = "main.FileDownload" fullword ascii
+        $s6 = "main.CaptureScreen" fullword ascii
+        $s7 = "main.PeekNamedPipe" fullword ascii
+    condition:
+        uint16(0) == 0x5a4d and ((1 of ($x*) and 2 of ($s*)) or (6 of ($s*)))
+}