From e2a649b856f3b1a0d536759eb6a2a43a66665945 Mon Sep 17 00:00:00 2001
From: Bart P
Date: Sun, 5 Nov 2023 16:29:51 +0100
Subject: [PATCH 1/2] Create BroEx.yar
---
 data/yara/CAPE/BroEx.yar | 51 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 data/yara/CAPE/BroEx.yar
diff --git a/data/yara/CAPE/BroEx.yar b/data/yara/CAPE/BroEx.yar
new file mode 100644
index 00000000..6482cf0e
--- /dev/null
+++ b/data/yara/CAPE/BroEx.yar
@@ -0,0 +1,51 @@
+rule BroEx
+{
+meta:
+ id = "5MNXppaMBFMS0DMQ63eCJO"
+ fingerprint = "8eea2d3d8d4e8ca6ef89d474232d1117e2a5a5b4c714b4c82493293f31e4f2c6"
+ version = "1.0"
+ first_imported = "2023-09-18"
+ last_modified = "2023-09-18"
+ status = "RELEASED"
+ sharing = "TLP:WHITE"
+ source = "BARTBLAZE"
+ author = "@bartblaze"
+ description = "Detects BroEx, a type of agressive adware."
+ category = "MALWARE"
+ malware = "BROEX"
+ malware_type = "ADWARE"
+ hash = "7f103012a143b9e358087cf94dbdd160362a57e5ebc65c560e352ac7541bd80e"
+ cape_type = "BroEx payload"
+
+strings:
+ //PDB
+ $pdb = "I:\\Repository2\\test\\Project21\\event\\Release\\event.pdb" ascii wide
+
+ //Mutants
+ $mut1 = "Global\\A6A161D8-150E-46A1-B7EC-18E4CB58C6D2" ascii wide
+ $mut2 = "Global\\D80D9D78-BCDA-482C-98F2-C38991A8CA3" ascii wide
+ $mut3 = "Global\\8D13D07B-A758-456A-A215-0518F1268C2A" ascii wide
+
+ //Launch
+ $browser1 = "main -c rbrowser chrome" ascii wide
+ $browser2 = "main -c rbrowser msedge" ascii wide
+
+ //Service names
+ $svc1 = "WimsysUpdaterService" ascii wide
+ $svc2 = "WimsysService" ascii wide
+ $svc3 = "WimsysServiceX64" ascii wide
+
+ /*
+ pvVar1 = (void *)0x0;
+ param_1[3] = (void *)0x7;
+ param_1[2] = (void *)0x0;
+ *(undefined2 *)param_1 = 0;
+ if (*(short *)param_2 != 0) {
+ pvVar1 = (void *)0xffffffffffffffff;
+ */
+ $str_decode = { 4? 53 4? 83 ec 20 4? 33 c0 4? c7 41 18 07 00 00 00 4? 8b d9 4? 89 41 10 66 4? 89 01 66 4? 39 02 74 11 4? 83 c8 ff }
+
+condition:
+ uint16(0) == 0x5a4d and ($pdb or 2 of ($mut*) or all of ($browser*)
+ or 2 of ($svc*) or $str_decode)
+}
From 6d3fc465d42949715308e10107ba58563ca6e15a Mon Sep 17 00:00:00 2001
From: Bart P
Date: Sun, 5 Nov 2023 16:54:25 +0100
Subject: [PATCH 2/2] Create api_uuidfromstringa.py
---
 modules/signatures/api_uuidfromstringa.py | 46 +++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 modules/signatures/api_uuidfromstringa.py
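Review bot: `$mut2` ends in an 11-character GUID group (`C38991A8CA3`) while `$mut1` and `$mut3` end in 12, so either the sample's mutex name is genuinely malformed or a character was lost when the string was transcribed; it is worth re-checking against the sample listed in the `hash` meta, because under `2 of ($mut*)` a `$mut2` that never matches silently leaves that branch depending on `$mut1` and `$mut3` alone. The description also has a typo: `description = "Detects BroEx, a type of aggressive adware."`.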
diff --git a/modules/signatures/api_uuidfromstringa.py b/modules/signatures/api_uuidfromstringa.py
new file mode 100644
index 00000000..da7e6daf
--- /dev/null
+++ b/modules/signatures/api_uuidfromstringa.py
@@ -0,0 +1,46 @@
+# Copyright (C) 2023 bartblaze
+#
+# This program is free software : you can redistribute it and / or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.If not, see .
+
+from lib.cuckoo.common.abstracts import Signature
+
+class api_uuidfromstringa(Signature):
+ name = "api_uuidfromstringa"
+ description = "Potential malicious use of UuidFromStringA"
+ severity = 3
+ categories = ["evasion"]
+ authors = ["bartblaze"]
+ minimum = "1.3"
+ evented = True
+ reference = "https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/"
+
+ filter_apinames = set(["LdrGetProcedureAddress"])
+
+ def __init__(self, *args, **kwargs):
+ Signature.__init__(self, *args, **kwargs)
+ self.dll_loaded = False
+ self.ldr = 0
+
+ def on_call(self, call, process):
+ if call["api"] == "LdrGetProcedureAddress" and self.get_argument(call, "FunctionName") == "UuidFromStringA":
+ self.dll_loaded = True #RPCRT4.dll
+ self.ldr = 1
+ if self.pid:
+ self.mark_call()
+
+ def on_complete(self):
+ if self.ldr > 0:
+ return True
+ else:
+ return False
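Review bot: `self.dll_loaded` is assigned in `__init__` and again in `on_call` (with the `#RPCRT4.dll` comment) but is never read — `on_complete` only consults `self.ldr` — so it is dead state that hints at a module check the signature does not actually perform; either drop it, or make it real by confirming the export is resolved from rpcrt4.dll if the hook's call record carries the module name. `on_complete` reduces to `return self.ldr > 0`, and `filter_apinames = set(["LdrGetProcedureAddress"])` reads better as the set literal `{"LdrGetProcedureAddress"}`; since that filter already limits `on_call` to this API, the `call["api"] == "LdrGetProcedureAddress"` comparison looks redundant, though the framework side is not visible here. From a triage standpoint, any process that resolves UuidFromStringA dynamically will fire this at severity 3, so a short class docstring stating that the signal is the dynamic resolution of the export (the shellcode-staging technique in the linked NCC Group write-up) rather than its mere use would help analysts judge hits.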