From 799870d3421e8c980621eb8e5ec76087c25182ca Mon Sep 17 00:00:00 2001
From: Mohannad Raafat <62453654+para0x0dise@users.noreply.github.com>
Date: Mon, 2 Sep 2024 06:26:58 +0300
Subject: [PATCH 1/8] Change the logic of detection
---
 .../signatures/windows/infostealer_browser.py | 64 +++++++++++++------
 1 file changed, 45 insertions(+), 19 deletions(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index fbec0509..9060d293 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -36,37 +36,65 @@ class BrowserStealer(Signature):
 mbcs = ["OB0005"]
 mbcs += ["OC0001", "C0051"] # micro-behaviour
- filter_apinames = set(["NtReadFile", "CopyFileA", "CopyFileW", "CopyFileExW"])
+ filter_apinames = set(["NtReadFile", "CopyFileA", "CopyFileW", "CopyFileExW", "NtQueryAttributesFile"])
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
 self.filematches = set()
 self.saw_stealer = False
 self.indicators = [
+ # Firefox
 re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\.sqlite$", re.I),
+ re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\cookies\.sqlite$", re.I),
 re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\secmod\.db$", re.I),
 re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\cert8\.db$", re.I),
 re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\key3\.db$", re.I),
- re.compile(".*\\\\History\\\\History\.IE5\\\\index\.dat$", re.I),
+ re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\places\.sqlite$", re.I),
+ re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\logins\.json$", re.I),
+ re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\formhistory\.sqlite$", re.I),
+
+ # Internet Explorer/Edge
+ re.compile(".*\\\\History\\\\History.IE5\\\\index\.dat$", re.I),
 re.compile(".*\\\\Cookies\\\\.*", re.I),
- re.compile(".*\\\\Temporary\\ Internet\\ Files\\\\Content\.IE5\\\\index\.dat$", re.I),
+ re.compile(".*\\\\Temporary Internet Files\\\\Content.IE5\\\\index\.dat$", re.I),
+ re.compile(".*\\\\Microsoft\\\\Edge\\\\User\\ Data\\\\Default\\\\.*", re.I),
+
+ # Google Chrome
+ re.compile(".*\\\\Application Data\\\\Google\\\\Chrome\\\\.*", re.I),
 re.compile(".*\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\Mozilla\\\\Firefox\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\Opera\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Roaming\\\\Opera\\\\Opera\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\Chromium\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
+
+ # Chromium-based Browsers
+ re.compile(".*\\\\Application Data\\\\Chromium\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\Chromium\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\ChromePlus\\\\.*", re.I),
+ re.compile(".*\\\\Application Data\\\\ChromePlus\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\MapleStudio\\\\ChromePlus\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\Nichrome\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\Bromium\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\RockMelt\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\Flock\\\\.*", re.I),
+ re.compile(".*\\\\Application Data\\\\Nichrome\\\\.*", re.I),
+ re.compile(".*\\\\Application Data\\\\Bromium\\\\.*", re.I),
+ re.compile(".*\\\\Application Data\\\\RockMelt\\\\.*", re.I),
+ re.compile(".*\\\\Application Data\\\\Flock\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\Flock\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data\\\\Comodo\\\\Dragon\\\\.*", re.I),
+ re.compile(".*\\\\Application Data\\\\Comodo\\\\Dragon\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\Comodo\\\\Dragon\\\\.*", re.I),
+ re.compile(".*\\\\BraveSoftware\\\\Brave-Browser\\\\User\\ Data\\\\Default\\\\.*", re.I),
+
+ # Opera
+ re.compile(".*\\\\Application Data\\\\Opera\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Roaming\\\\Opera\\\\Opera\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Roaming\\\\Opera Software\\\\Opera Stable\\\\.*", re.I),
+
+ # Safari
+ re.compile(".*\\\\Apple Computer\\\\Safari\\\\WebpageIcons\.db$", re.I),
+ re.compile(".*\\\\Apple Computer\\\\Safari\\\\History\.db$", re.I),
+ re.compile(".*\\\\Apple Computer\\\\Safari\\\\LastSession\.plist$", re.I),
+
+ # Others
+ re.compile(".*\\\\AppData\\\\Local\\\\Spark\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Local\\\\Nichrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Local\\\\Titan Browser\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Local\\\\Rockmelt\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Local\\\\Torch\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(".*\\\\AppData\\\\Local\\\\.*\\\\YandexBrowser\\\\User\\ Data\\\\Default\\\\.*", re.I),
 ]
 def on_call(self, call, process):
@@ -77,10 +105,8 @@ def on_call(self, call, process):
 return None
 filename = None
- if call["api"] == "NtReadFile":
- filename = self.get_argument(call, "HandleName")
- else:
- filename = self.get_argument(call, "ExistingFileName")
+ if call["api"] == "NtQueryAttributesFile":
+ filename = self.get_argument(call, "FileName")
 if not filename:
 return None
From fc149780da7e8a7695fbbb83fd1aaba7ed4f8b35 Mon Sep 17 00:00:00 2001
From: Mohannad Raafat <62453654+para0x0dise@users.noreply.github.com>
Date: Mon, 2 Sep 2024 06:45:26 +0300
Subject: [PATCH 2/8] Update infostealer_browser.py
---
 modules/signatures/windows/infostealer_browser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 9060d293..81b1263a 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
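Review bot: The four Firefox patterns added here (cookies, places, logins, formhistory) copy the existing `Profiles\\\\.*\\\\.default\\\\` construction, which compiles to a regex that requires a literal backslash, one arbitrary character and then `default` immediately before the file name; a real profile directory such as `C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\logins.json` (constructed example) has no such backslash, so as far as I can tell none of the Firefox indicators can ever match and that part of the detection is silently dead. A form like `".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\[^\\\\]*\\.default[^\\\\]*\\\\logins\\.json$"` matches both the `xxxx.default` and `xxxx.default-release` layouts; the pre-existing signons/secmod/cert8/key3 lines have the same problem. Separately, `History\.IE5` and `Content\.IE5` lose their escaped dots in this hunk, which is harmless but worth keeping consistent with the rest of the list.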
@@ -36,7 +36,7 @@ class BrowserStealer(Signature):
 mbcs = ["OB0005"]
 mbcs += ["OC0001", "C0051"] # micro-behaviour
- filter_apinames = set(["NtReadFile", "CopyFileA", "CopyFileW", "CopyFileExW", "NtQueryAttributesFile"])
+ filter_apinames = set(["NtQueryAttributesFile", "CopyFileA", "CopyFileW", "CopyFileExW"])
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
From f43a7b0bdc5cc2706fa16bc138a80f78daf09d37 Mon Sep 17 00:00:00 2001
From: Mohannad Raafat <62453654+para0x0dise@users.noreply.github.com>
Date: Mon, 2 Sep 2024 08:20:53 +0300
Subject: [PATCH 3/8] Update infostealer_browser.py
---
 modules/signatures/windows/infostealer_browser.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 81b1263a..dda0623f 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -40,6 +40,8 @@ class BrowserStealer(Signature):
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
+ self.MALICIOUS_ARTIFACTS_THRESHOLD = 3
+ self.artifacts_counter = 0
 self.filematches = set()
 self.saw_stealer = False
 self.indicators = [
@@ -98,6 +100,8 @@ def __init__(self, *args, **kwargs):
 ]
 def on_call(self, call, process):
+
+ # If the current process appears to be a browser, continue.
 # TODO: implement better checks here -- the malware can be named whatever it wants or can
 # inject into browser processes
@@ -116,8 +120,11 @@ def on_call(self, call, process):
 if self.pid:
 self.mark_call()
 self.saw_stealer = True
+ self.artifacts_counter += 1
 def on_complete(self):
- for file in self.filematches:
- self.data.append({"file": file})
- return self.saw_stealer
+ if self.artifacts_counter >= self.MALICIOUS_ARTIFACTS_THRESHOLD:
+ for file in self.filematches:
+ self.data.append({"file": file})
+ return self.saw_stealer
+ return False
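Review bot: `self.artifacts_counter` in the last hunk of patch 3 counts matching calls rather than distinct artifacts, so a sample that probes one cookie file three times crosses `MALICIOUS_ARTIFACTS_THRESHOLD` while one that touches two different password stores does not; if `self.filematches` is filled in the same branch (that code is outside the hunk), `len(self.filematches) >= self.MALICIOUS_ARTIFACTS_THRESHOLD` in `on_complete` would count unique paths instead. `MALICIOUS_ARTIFACTS_THRESHOLD` is named like a constant but is assigned per instance in `__init__` (first hunk); a class attribute next to `filter_apinames` is where a reader will look for it. `self.mark_call()` still runs for every match before the threshold is reached, so presumably the marked calls survive even when `on_complete` returns False; confirm that is intended. The inner `return self.saw_stealer` can only be reached with `saw_stealer` already True, so `return True` says what it means.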
From 85b7f5923e808903fd75df72a683a9099742a525 Mon Sep 17 00:00:00 2001
From: Mohannad Raafat <62453654+para0x0dise@users.noreply.github.com>
Date: Mon, 2 Sep 2024 17:43:41 +0300
Subject: [PATCH 4/8] Update infostealer_browser.py
---
 .../signatures/windows/infostealer_browser.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index dda0623f..75af8605 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -62,26 +62,26 @@ def __init__(self, *args, **kwargs):
 re.compile(".*\\\\Microsoft\\\\Edge\\\\User\\ Data\\\\Default\\\\.*", re.I),
 # Google Chrome
- re.compile(".*\\\\Application Data\\\\Google\\\\Chrome\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\Google\\\\Chrome\\\\.*", re.I),
 re.compile(".*\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
 # Chromium-based Browsers
- re.compile(".*\\\\Application Data\\\\Chromium\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\Chromium\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\Chromium\\\\.*", re.I),
- re.compile(".*\\\\Application Data\\\\ChromePlus\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\ChromePlus\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\MapleStudio\\\\ChromePlus\\\\.*", re.I),
- re.compile(".*\\\\Application Data\\\\Nichrome\\\\.*", re.I),
- re.compile(".*\\\\Application Data\\\\Bromium\\\\.*", re.I),
- re.compile(".*\\\\Application Data\\\\RockMelt\\\\.*", re.I),
- re.compile(".*\\\\Application Data\\\\Flock\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\Nichrome\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\Bromium\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\RockMelt\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\Flock\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\Flock\\\\.*", re.I),
- re.compile(".*\\\\Application Data\\\\Comodo\\\\Dragon\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\Comodo\\\\Dragon\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Local\\\\Comodo\\\\Dragon\\\\.*", re.I),
 re.compile(".*\\\\BraveSoftware\\\\Brave-Browser\\\\User\\ Data\\\\Default\\\\.*", re.I),
 # Opera
- re.compile(".*\\\\Application Data\\\\Opera\\\\.*", re.I),
+ re.compile(".*\\\\Application\\ Data Data\\\\Opera\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Roaming\\\\Opera\\\\Opera\\\\.*", re.I),
 re.compile(".*\\\\AppData\\\\Roaming\\\\Opera Software\\\\Opera Stable\\\\.*", re.I),
From d16acf15fba9146181bf694ebcaa022ed6b2d214 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Sat, 28 Sep 2024 18:43:56 +0200
Subject: [PATCH 5/8] Update infostealer_browser.py
---
 .../signatures/windows/infostealer_browser.py | 80 +++++++++----------
 1 file changed, 40 insertions(+), 40 deletions(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 75af8605..2698782c 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -46,61 +46,61 @@ def __init__(self, *args, **kwargs):
 self.saw_stealer = False
 self.indicators = [
 # Firefox
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\.sqlite$", re.I),
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\cookies\.sqlite$", re.I),
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\secmod\.db$", re.I),
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\cert8\.db$", re.I),
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\key3\.db$", re.I),
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\places\.sqlite$", re.I),
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\logins\.json$", re.I),
- re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\formhistory\.sqlite$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\signons\.sqlite$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\cookies\.sqlite$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\secmod\.db$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\cert8\.db$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\key3\.db$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\places\.sqlite$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\logins\.json$", re.I),
+ re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\formhistory\.sqlite$", re.I),
 # Internet Explorer/Edge
- re.compile(".*\\\\History\\\\History.IE5\\\\index\.dat$", re.I),
- re.compile(".*\\\\Cookies\\\\.*", re.I),
- re.compile(".*\\\\Temporary Internet Files\\\\Content.IE5\\\\index\.dat$", re.I),
- re.compile(".*\\\\Microsoft\\\\Edge\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(r".*\\History\\History.IE5\\index\.dat$", re.I),
+ re.compile(r".*\\Cookies\\.*", re.I),
+ re.compile(r".*\\Temporary Internet Files\\Content.IE5\\index\.dat$", re.I),
+ re.compile(r".*\\Microsoft\\Edge\\User\\ Data\\Default\\.*", re.I),
 # Google Chrome
- re.compile(".*\\\\Application\\ Data Data\\\\Google\\\\Chrome\\\\.*", re.I),
- re.compile(".*\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\Google\\Chrome\\.*", re.I),
+ re.compile(r".*\\Local\\Google\\Chrome\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Google\\Chrome\\User\\ Data\\Default\\.*", re.I),
 # Chromium-based Browsers
- re.compile(".*\\\\Application\\ Data Data\\\\Chromium\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Chromium\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data Data\\\\ChromePlus\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\MapleStudio\\\\ChromePlus\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data Data\\\\Nichrome\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data Data\\\\Bromium\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data Data\\\\RockMelt\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data Data\\\\Flock\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Flock\\\\.*", re.I),
- re.compile(".*\\\\Application\\ Data Data\\\\Comodo\\\\Dragon\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Comodo\\\\Dragon\\\\.*", re.I),
- re.compile(".*\\\\BraveSoftware\\\\Brave-Browser\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\Chromium\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Chromium\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\ChromePlus\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\MapleStudio\\ChromePlus\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\Nichrome\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\Bromium\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\RockMelt\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\Flock\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Flock\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\Comodo\\Dragon\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Comodo\\Dragon\\.*", re.I),
+ re.compile(r".*\\BraveSoftware\\Brave-Browser\\User\\ Data\\Default\\.*", re.I),
 # Opera
- re.compile(".*\\\\Application\\ Data Data\\\\Opera\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Roaming\\\\Opera\\\\Opera\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Roaming\\\\Opera Software\\\\Opera Stable\\\\.*", re.I),
+ re.compile(r".*\\Application\\ Data Data\\Opera\\.*", re.I),
+ re.compile(r".*\\AppData\\Roaming\\Opera\\Opera\\.*", re.I),
+ re.compile(r".*\\AppData\\Roaming\\Opera Software\\Opera Stable\\.*", re.I),
 # Safari
- re.compile(".*\\\\Apple Computer\\\\Safari\\\\WebpageIcons\.db$", re.I),
- re.compile(".*\\\\Apple Computer\\\\Safari\\\\History\.db$", re.I),
- re.compile(".*\\\\Apple Computer\\\\Safari\\\\LastSession\.plist$", re.I),
+ re.compile(r".*\\Apple Computer\\Safari\\WebpageIcons\.db$", re.I),
+ re.compile(r".*\\Apple Computer\\Safari\\History\.db$", re.I),
+ re.compile(r".*\\Apple Computer\\Safari\\LastSession\.plist$", re.I),
 # Others
- re.compile(".*\\\\AppData\\\\Local\\\\Spark\\\\User\\ Data\\\\Default\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Nichrome\\\\User\\ Data\\\\Default\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Titan Browser\\\\User\\ Data\\\\Default\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Rockmelt\\\\User\\ Data\\\\Default\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\Torch\\\\User\\ Data\\\\Default\\\\.*", re.I),
- re.compile(".*\\\\AppData\\\\Local\\\\.*\\\\YandexBrowser\\\\User\\ Data\\\\Default\\\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Spark\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Nichrome\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Titan Browser\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Rockmelt\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Torch\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\.*\\YandexBrowser\\User\\ Data\\Default\\.*", re.I),
 ]
 def on_call(self, call, process):
-
+
 # If the current process appears to be a browser, continue.
 # TODO: implement better checks here -- the malware can be named whatever it wants or can
From 131d9844a842710de282caff15641fbc5193bdf6 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Sat, 28 Sep 2024 18:46:31 +0200
Subject: [PATCH 6/8] Update infostealer_browser.py
---
 .../signatures/windows/infostealer_browser.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 2698782c..ee99023d 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
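Review bot: Switching these literals to raw strings changes what `\\ ` means: in the old non-raw form `"\\ "` reached the regex engine as an escaped space, but in `r"User\\ Data"` the regex is a literal backslash followed by a space, so every `User\\ Data` line in this hunk (Edge, both Chrome lines, Brave, Spark, Nichrome, Titan Browser, Rockmelt, Torch, YandexBrowser) and every `Application\\ Data Data` line now matches `User\ Data` / `Application\ Data` and no path a sandbox would report. In raw form these should read `r".*\\Microsoft\\Edge\\User Data\\Default\\.*"` and `r".*\\Application Data\\Google\\Chrome\\.*"`, with the `Data Data` duplication from patch 4 removed at the same time. Patch 8 of this series corrects the `User Data` lines but rewrites the `Application` ones to `Application\\User Data`, which is a different non-existent path, so the legacy-profile patterns remain dead end to end.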
@@ -62,26 +62,26 @@ def __init__(self, *args, **kwargs):
 re.compile(r".*\\Microsoft\\Edge\\User\\ Data\\Default\\.*", re.I),
 # Google Chrome
- re.compile(r".*\\Application\\ Data Data\\Google\\Chrome\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\Google\\Chrome\\.*", re.I),
 re.compile(r".*\\Local\\Google\\Chrome\\User\\ Data\\Default\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\Google\\Chrome\\User\\ Data\\Default\\.*", re.I),
 # Chromium-based Browsers
- re.compile(r".*\\Application\\ Data Data\\Chromium\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\Chromium\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\Chromium\\.*", re.I),
- re.compile(r".*\\Application\\ Data Data\\ChromePlus\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\ChromePlus\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\MapleStudio\\ChromePlus\\.*", re.I),
- re.compile(r".*\\Application\\ Data Data\\Nichrome\\.*", re.I),
- re.compile(r".*\\Application\\ Data Data\\Bromium\\.*", re.I),
- re.compile(r".*\\Application\\ Data Data\\RockMelt\\.*", re.I),
- re.compile(r".*\\Application\\ Data Data\\Flock\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\Nichrome\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\Bromium\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\RockMelt\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\Flock\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\Flock\\.*", re.I),
- re.compile(r".*\\Application\\ Data Data\\Comodo\\Dragon\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\Comodo\\Dragon\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\Comodo\\Dragon\\.*", re.I),
 re.compile(r".*\\BraveSoftware\\Brave-Browser\\User\\ Data\\Default\\.*", re.I),
 # Opera
- re.compile(r".*\\Application\\ Data Data\\Opera\\.*", re.I),
+ re.compile(r".*\\Application\\ Data\\Opera\\.*", re.I),
 re.compile(r".*\\AppData\\Roaming\\Opera\\Opera\\.*", re.I),
 re.compile(r".*\\AppData\\Roaming\\Opera Software\\Opera Stable\\.*", re.I),
From 63bb1e17b5c21bfd67302a558623cb96d5692c46 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Sat, 28 Sep 2024 18:49:54 +0200
Subject: [PATCH 7/8] Update infostealer_browser.py
---
 modules/signatures/windows/infostealer_browser.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index ee99023d..3dfa8a63 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -109,8 +109,12 @@ def on_call(self, call, process):
 return None
 filename = None
- if call["api"] == "NtQueryAttributesFile":
+ if call["api"] == "NtReadFile":
+ filename = self.get_argument(call, "HandleName")
+ elif call["api"] == "NtQueryAttributesFile":
 filename = self.get_argument(call, "FileName")
+ else:
+ filename = self.get_argument(call, "ExistingFileName")
 if not filename:
 return None
From c26cfd6d6db67c46fe968b908b8ff4f400d1cee0 Mon Sep 17 00:00:00 2001
From: Mohannad Raafat <62453654+para0x0dise@users.noreply.github.com>
Date: Sat, 28 Sep 2024 20:31:12 +0300
Subject: [PATCH 8/8] Update infostealer_browser.py
---
 .../signatures/windows/infostealer_browser.py | 45 ++++++++++---------
 1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 3dfa8a63..5ba9bdd3 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
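Review bot: The new `NtReadFile` branch is unreachable: patch 2 of this series removed `NtReadFile` from `filter_apinames`, and if the framework delivers only the listed APIs to `on_call` (as that class attribute suggests), `HandleName` is never read. Either restore it with `filter_apinames = set(["NtReadFile", "NtQueryAttributesFile", "CopyFileA", "CopyFileW", "CopyFileExW"])` or drop the branch; leaving both invites a reader to assume read-based detection is active when it is not. The `else` branch correctly restores `ExistingFileName` for the three CopyFile variants, which patch 1 had silently disabled. `on_call` starts and ends outside this hunk.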
@@ -59,29 +59,32 @@ def __init__(self, *args, **kwargs):
 re.compile(r".*\\History\\History.IE5\\index\.dat$", re.I),
 re.compile(r".*\\Cookies\\.*", re.I),
 re.compile(r".*\\Temporary Internet Files\\Content.IE5\\index\.dat$", re.I),
- re.compile(r".*\\Microsoft\\Edge\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\Microsoft\\Edge\\User Data\\Default\\.*", re.I),
 # Google Chrome
- re.compile(r".*\\Application\\ Data\\Google\\Chrome\\.*", re.I),
- re.compile(r".*\\Local\\Google\\Chrome\\User\\ Data\\Default\\.*", re.I),
- re.compile(r".*\\AppData\\Local\\Google\\Chrome\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\Google\\Chrome\\.*", re.I),
+ re.compile(r".*\\Local\\Google\\Chrome\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\.*", re.I),
 # Chromium-based Browsers
- re.compile(r".*\\Application\\ Data\\Chromium\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\Chromium\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\Chromium\\.*", re.I),
- re.compile(r".*\\Application\\ Data\\ChromePlus\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\ChromePlus\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\MapleStudio\\ChromePlus\\.*", re.I),
- re.compile(r".*\\Application\\ Data\\Nichrome\\.*", re.I),
- re.compile(r".*\\Application\\ Data\\Bromium\\.*", re.I),
- re.compile(r".*\\Application\\ Data\\RockMelt\\.*", re.I),
- re.compile(r".*\\Application\\ Data\\Flock\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\Nichrome\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Nichrome\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\Bromium\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Bromium\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\RockMelt\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\RockMelt\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\Flock\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\Flock\\.*", re.I),
- re.compile(r".*\\Application\\ Data\\Comodo\\Dragon\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\Comodo\\Dragon\\.*", re.I),
 re.compile(r".*\\AppData\\Local\\Comodo\\Dragon\\.*", re.I),
- re.compile(r".*\\BraveSoftware\\Brave-Browser\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\BraveSoftware\\Brave-Browser\\User Data\\Default\\.*", re.I),
 # Opera
- re.compile(r".*\\Application\\ Data\\Opera\\.*", re.I),
+ re.compile(r".*\\Application\\User Data\\Opera\\.*", re.I),
 re.compile(r".*\\AppData\\Roaming\\Opera\\Opera\\.*", re.I),
 re.compile(r".*\\AppData\\Roaming\\Opera Software\\Opera Stable\\.*", re.I),
@@ -91,17 +94,15 @@ def __init__(self, *args, **kwargs):
 re.compile(r".*\\Apple Computer\\Safari\\LastSession\.plist$", re.I),
 # Others
- re.compile(r".*\\AppData\\Local\\Spark\\User\\ Data\\Default\\.*", re.I),
- re.compile(r".*\\AppData\\Local\\Nichrome\\User\\ Data\\Default\\.*", re.I),
- re.compile(r".*\\AppData\\Local\\Titan Browser\\User\\ Data\\Default\\.*", re.I),
- re.compile(r".*\\AppData\\Local\\Rockmelt\\User\\ Data\\Default\\.*", re.I),
- re.compile(r".*\\AppData\\Local\\Torch\\User\\ Data\\Default\\.*", re.I),
- re.compile(r".*\\AppData\\Local\\.*\\YandexBrowser\\User\\ Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Spark\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Nichrome\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Titan Browser\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Rockmelt\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\Torch\\User Data\\Default\\.*", re.I),
+ re.compile(r".*\\AppData\\Local\\.*\\YandexBrowser\\User Data\\Default\\.*", re.I),
 ]
 def on_call(self, call, process):
-
-
 # If the current process appears to be a browser, continue.
 # TODO: implement better checks here -- the malware can be named whatever it wants or can
 # inject into browser processes
@@ -131,4 +132,4 @@ def on_complete(self):
 for file in self.filematches:
 self.data.append({"file": file})
 return self.saw_stealer
- return False
+ return False
\ No newline at end of file
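Review bot: The nine `Application\\User Data\\...` patterns in the first hunk (Chrome, Chromium, ChromePlus, Nichrome, Bromium, RockMelt, Flock, Comodo Dragon, Opera) describe a directory `\Application\User Data\` that is not a Windows profile location I know of; the pre-Vista roaming root these lines were meant to cover is `Application Data`, so each should read like `re.compile(r".*\\Application Data\\Google\\Chrome\\.*", re.I)`. As written they cannot match and the legacy-profile coverage is silently lost, while the `User\\ Data` to `User Data` corrections in both hunks are right. The `AppData\\Local\\Nichrome\\User Data\\Default` and `AppData\\Local\\RockMelt\\User Data\\Default` lines added in the same hunk duplicate the Nichrome and Rockmelt entries in the Others section of the second hunk (all patterns are compiled with `re.I`); one copy is enough.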