Monitor YARA integration

kevoreilly · kevoreilly · commit 9306e4e2629f · 2020-12-29T11:34:54.000Z
diff --git a/analyzer/windows/data/yara/Guloader.yar b/analyzer/windows/data/yara/Guloader.yar
@@ -0,0 +1,15 @@
+rule Guloader
+{
+    meta:
+        author = "kevoreilly"
+        description = "Guloader bypass"
+        cape_options = "bp0=$trap0,bp0=$trap1+4,action0=skip,bp1=$trap2+11,bp1=$trap3+19,action1=skip,bp2=$antihook,action2=goto:ntdll::NtAllocateVirtualMemory,count=0,"
+    strings:
+        $trap0 = {0F 85 [2] FF FF 81 BD ?? 00 00 00 [2] 00 00 0F 8F [2] FF FF 39 D2 83 FF 00}
+        $trap1 = {49 83 F9 00 75 [1-20] 83 FF 00 [2-6] 81 FF}
+        $trap2 = {39 CB 59 01 D7 49 85 C8 83 F9 00 75 B3}
+        $trap3 = {61 0F AE E8 0F 31 0F AE E8 C1 E2 20 09 C2 29 F2 83 FA 00 7E CE C3}
+        $antihook = {FF 34 08 [0-48] 8F 04 0B [0-80] 83 C1 04 83 F9 18 75 [0-128] FF E3}
+    condition:
+        any of them
+}
diff --git a/analyzer/windows/data/yara/Pafish.yar b/analyzer/windows/data/yara/Pafish.yar
@@ -0,0 +1,12 @@
+rule Pafish
+{
+    meta:
+        author = "kevoreilly"
+        description = "Pafish bypass"
+        cape_options = "bp0=$rdtsc_vmexit-2,action0=SetZeroFlag,count=1"
+    strings:
+        $rdtsc_vmexit = {8B 45 E8 80 F4 00 89 C3 8B 45 EC 80 F4 00 89 C6 89 F0 09 D8 85 C0 75 07}
+    condition:
+        uint16(0) == 0x5A4D and $rdtsc_vmexit
+}
+ 
diff --git a/analyzer/windows/data/yara/Ursnif3.yar b/analyzer/windows/data/yara/Ursnif3.yar
@@ -0,0 +1,13 @@
+rule Ursnif3
+{
+    meta:
+        author = "kevoreilly"
+        description = "Ursnif Config Extraction"
+        cape_options = "br0=$crypto32-73,instr0=cmp,dumpsize=eax,action0=dumpebx,dumptype0=0x24,count=1"
+    strings:
+        $golden_ratio = {8B 70 EC 33 70 F8 33 70 08 33 30 83 C0 04 33 F1 81 F6 B9 79 37 9E C1 C6 0B 89 70 08 41 81 F9 84 00 00 00}
+        $crypto32_1 = {8B C3 83 EB 01 85 C0 75 0D 0F B6 16 83 C6 01 89 74 24 14 8D 58 07 8B C2 C1 E8 07 83 E0 01 03 D2 85 C0 0F 84 AB 01 00 00 8B C3 83 EB 01 85 C0 89 5C 24 20 75 13 0F B6 16 83 C6 01 BB 07 00 00 00}
+        $crypto32_2 = {8B 45 EC 0F B6 38 FF 45 EC 33 C9 41 8B C7 23 C1 40 40 D1 EF 75 1B 89 4D 08 EB 45}
+    condition:
+        uint16(0) == 0x5A4D and ($golden_ratio) and (any of them)
+}
diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
diff --git a/data/yara/CAPE/Pafish.yar b/data/yara/CAPE/Pafish.yar
@@ -4,7 +4,6 @@ rule Pafish
         author = "kevoreilly"
         description = "Paranoid Fish Sandbox Detection"
         cape_type = "Pafish Payload"
-        cape_options = "bp=$rdtsc_vmexit-2,action0=SetZeroFlag,count=1"
     strings:
         $rdtsc_vmexit = {8B 45 E8 80 F4 00 89 C3 8B 45 EC 80 F4 00 89 C6 89 F0 09 D8 85 C0 75 07}
     condition:
diff --git a/data/yara/CAPE/QakBot.yar b/data/yara/CAPE/QakBot.yar
@@ -4,7 +4,6 @@ rule QakBot
         author = "kevoreilly"
         description = "QakBot Payload"
         cape_type = "QakBot Payload"
-        cape_options = "br=$decrypt_config3-70,instr0=pop,action0=dumpesi,dumpsize=eax,dumptype0=0x38,base-on-api=GetComputerNameW,exclude-apis=FindResourceExW,count=1"
 
     strings:
         $crypto1 = {8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 C9 00 FF FF FF 41}
diff --git a/data/yara/CAPE/Ursnif3.yar b/data/yara/CAPE/Ursnif3.yar
@@ -4,7 +4,6 @@ rule Ursnif3
         author = "kevoreilly"
         description = "Ursnif Payload"
         cape_type = "Ursnif Payload"
-        cape_options = "br=$crypto32-73,instr0=cmp,dumpsize=eax,action0=dumpebx,dumptype0=0x24,base-on-api=NtOpenProcess,count=1"
     strings:
         $golden_ratio = {8B 70 EC 33 70 F8 33 70 08 33 30 83 C0 04 33 F1 81 F6 B9 79 37 9E C1 C6 0B 89 70 08 41 81 F9 84 00 00 00}
         $crypto32_1 = {8B C3 83 EB 01 85 C0 75 0D 0F B6 16 83 C6 01 89 74 24 14 8D 58 07 8B C2 C1 E8 07 83 E0 01 03 D2 85 C0 0F 84 AB 01 00 00 8B C3 83 EB 01 85 C0 89 5C 24 20 75 13 0F B6 16 83 C6 01 BB 07 00 00 00}
