Add detection against NPPSpy and AgentRacoon

data/yara/CAPE/AgentRacoon.yar

@@ -0,0 +1,18 @@
+rule AgentRacoon {
+    meta:
+        author = "ditekShen"
+        description = "Detects AgentRacoon"
+        cape_type = "AgentRacoon Payload"
+    strings:
+        $s1 = "UdpClient" fullword ascii
+        $s2 = "IPEndPoint" fullword ascii
+        $s3 = "get_Client" fullword ascii
+        $s4 = "set_ReceiveTimeout" fullword ascii
+        $s5 = "Command failed:" wide
+        $s6 = "uploaded" wide
+        $s7 = "downloaded" wide
+        $s8 = ".telemetry." wide
+        $s9 = "xn--" wide
+    condition:
+      uint16(0) == 0x5a4d and 4 of them
+}

data/yara/CAPE/NPPSpy.yar

@@ -0,0 +1,24 @@
+import "pe"
+
+rule NPPSpy {
+    meta:
+        author = "ditekShen"
+        description = "Detects NPPSpy / Ntospy"
+        cape_type = "NPPSpy Payload"
+    strings:
+        $s1 = "ntskrnl.dll" fullword ascii
+        $s2 = "PasswordStealing.dll" fullword ascii
+        $s3 = "ntoskrnl.dll" fullword ascii
+        $s4 = "\\programdata\\packag~" ascii
+        $s5 = "NPPSPY.dll" fullword ascii
+        $s6 = "MSControll.dll" fullword ascii
+        $s7 = "\\Windows\\Temp\\" ascii
+        $s8 = "\\NPPSpy\\" ascii
+        // hunt
+        $s9 = "NPGetCaps" fullword ascii
+        $s10 = "NPLogonNotify" fullword ascii
+        // C:\Users\GrzegorzTworek\source\repos\NPPSpy\x64\Release\NPPSPY.pdb
+        $path = "\\GrzegorzTworek\\" ascii
+    condition:
+      uint16(0) == 0x5a4d and ((pe.is_dll() and filesize < 110KB and pe.number_of_exports == 2 and ((pe.exports("NPGetCaps") and pe.exports("NPLogonNotify")) or (1 of ($s*) and (pe.exports("NPGetCaps") or pe.exports("NPLogonNotify"))))) or (($path) and any of ($s*)))
+}