import "pe"

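// Brute Ratel C4 "Badger" agent in its unencrypted form: the literals below
// are plaintext strings reported in Badger builds up to v1.2.9 (see
// meta.description), and the rule fires when at least 20 of them are present.
//
// Seven strings of the original rule were exact duplicates of an earlier one
// and have been dropped so that each literal counts once toward the
// threshold: $coreStrings162 (= 160), 164 (= 161), 170 (= 13), 206 (= 192),
// 224 (= 223), 245 (= 92) and 246 (= 14). All other identifiers are left
// unchanged, so the numbering has gaps on purpose and existing match
// reports keyed on identifier names stay valid.
//
// Some strings are prefixes of others ($coreStrings225 of 223 and 226, 176
// of 175, 178 of 177, 156 of 155, 228 of 227, 129 of 122 and 119, 122 of
// 119); a long form therefore counts more than once. The short forms are
// kept so that a build carrying only those still contributes.
rule brc4_core {
    meta:
        version = "first version"
        author = "@ninjaparanoid"
        reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
        date = "2022-11-19"
        description = "Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state"
        id = "3a702d21-392f-5b7d-90a7-eb053d259b32"
    strings:
        // TCP connection-state names. They also appear in benign network
        // tooling, so on their own they stay well below the threshold.
        $coreStrings1 = "CLOSED"
        $coreStrings2 = "LISTENING"
        $coreStrings3 = "SYN_SENT"
        $coreStrings4 = "SYN_RCVD"
        $coreStrings5 = "ESTABLISHED"
        $coreStrings6 = "FIN_WAIT1"
        $coreStrings7 = "FIN_WAIT2"
        $coreStrings8 = "CLOSE_WAIT"
        $coreStrings9 = "CLOSING"
        $coreStrings10 = "LAST_ACK"
        $coreStrings11 = "TIME_WAIT"
        $coreStrings12 = "DELETE_TCB"
        // Runtime version and miscellaneous configuration literals.
        $coreStrings13 = "v4.0.30319"
        $coreStrings14 = "bYXJm/3#M?:XyMBF"
        $coreStrings15 = "ServicesActive"
        $coreStrings16 = "coffee"
        $coreStrings17 = "Until Admin Unlock"
        $coreStrings18 = "alertable"
        $coreStrings19 = "%02d%02d%d_%02d%02d%2d%02d_%s"
        // Key-name tokens, each terminated by ';' (presumably a keystroke
        // log format; not verified against a sample).
        $coreStrings20 = "<Left-Mouse>;"
        $coreStrings21 = "<Right-Mouse>;"
        $coreStrings22 = "<Cancel>;"
        $coreStrings23 = "<Middle-Mouse>;"
        $coreStrings24 = "<X1-Mouse>;"
        $coreStrings25 = "<X2-Mouse>;"
        $coreStrings26 = "<BackSpace>;"
        $coreStrings27 = "<Enter>;"
        $coreStrings28 = "<Shift>;"
        $coreStrings29 = "<CTRL>;"
        $coreStrings30 = "<ALT>;"
        $coreStrings31 = "<Pause>;"
        $coreStrings32 = "<Caps-Lock>;"
        $coreStrings33 = "<ESC>;"
        $coreStrings34 = "<Page-Up>;"
        $coreStrings35 = "<Page-Down>;"
        $coreStrings36 = "<End>;"
        $coreStrings37 = "<Home-Key>;"
        $coreStrings38 = "<Left-Arrow>;"
        $coreStrings39 = "<Up-Arrow>;"
        $coreStrings40 = "<Right-Arrow>;"
        $coreStrings41 = "<Down-Arrow>;"
        $coreStrings42 = "<Select>;"
        $coreStrings43 = "<Print-Key>;"
        $coreStrings44 = "<Print-Screen>;"
        $coreStrings45 = "<INS>;"
        $coreStrings46 = "<Delete>;"
        $coreStrings47 = "<Help>;"
        $coreStrings48 = "<Left-Windows-Key>;"
        $coreStrings49 = "<Right-Windows-Key>;"
        $coreStrings50 = "<Computer-Sleep>;"
        $coreStrings51 = "<F1>;"
        $coreStrings52 = "<F2>;"
        $coreStrings53 = "<F3>;"
        $coreStrings54 = "<F4>;"
        $coreStrings55 = "<F5>;"
        $coreStrings56 = "<F6>;"
        $coreStrings57 = "<F7>;"
        $coreStrings58 = "<F8>;"
        $coreStrings59 = "<F9>;"
        $coreStrings60 = "<F10>;"
        $coreStrings61 = "<F11>;"
        $coreStrings62 = "<F12>;"
        $coreStrings63 = "<F13>;"
        $coreStrings64 = "<F14>;"
        $coreStrings65 = "<F15>;"
        $coreStrings66 = "<F16>;"
        $coreStrings67 = "<F17>;"
        $coreStrings68 = "<F18>;"
        $coreStrings69 = "<F19>;"
        $coreStrings70 = "<F20>;"
        $coreStrings71 = "<F21>;"
        $coreStrings72 = "<F22>;"
        $coreStrings73 = "<F23>;"
        $coreStrings74 = "<F24>;"
        $coreStrings75 = "<Num-Lock>;"
        $coreStrings76 = "<Scroll-Lock>;"
        $coreStrings77 = "<Control>;"
        $coreStrings78 = "<Menu>;"
        $coreStrings79 = "<Volume Mute>;"
        $coreStrings80 = "<Volume Down>;"
        $coreStrings81 = "<Volume Up>;"
        $coreStrings82 = "<New Track>;"
        $coreStrings83 = "<Previous Track>;"
        $coreStrings84 = "<Play/Pause>;"
        $coreStrings85 = "<Play>;"
        $coreStrings86 = "<Zoom>;"
        // printf-style output and report format strings. These carry most of
        // the rule's specificity.
        $coreStrings87 = "%02X-%02X-%02X-%02X-%02X-%02X"
        $coreStrings88 = "%02d%02d%d_%02d%02d%2d%02d.png"
        $coreStrings89 = "%02d-%02d-%d %02d:%02d:%2d"
        $coreStrings90 = "%ls%s%ls%s%ls%s%ls%lu%ls%s%s"
        $coreStrings91 = "%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%d%ls%lu%ls"
        $coreStrings92 = "bhttp_x64.dll"
        $coreStrings93 = "  - %-45ls : %d"
        $coreStrings94 = "  - %-45ls : %ls"
        $coreStrings95 = "  - %-45ls : %llu"
        $coreStrings96 = "  - %-45ls : %u"
        $coreStrings97 = "  - %-45ls : %f"
        $coreStrings98 = "  - %-45ls : %S"
        $coreStrings99 = "  - Path: %ls"
        $coreStrings100 = "  - Enabled: %ls"
        $coreStrings101 = "  - Last Run: %ls"
        $coreStrings102 = "  - Next Run: %ls"
        $coreStrings103 = "  - Current State: %ls"
        $coreStrings104 = "  - XML Output:"
        $coreStrings105 = "  - Error fetching xml"
        $coreStrings106 = "[+] Name: %ls"
        $coreStrings107 = "[+] Task: %ld"
        $coreStrings108 = "  - Name: %ls"
        $coreStrings109 = "BYTE data[] = {"
        $coreStrings110 = "[+] %s Password History:"
        $coreStrings111 = "[+] Object RDN: "
        $coreStrings112 = "[+] SAM Username: "
        $coreStrings113 = "[+] User Principal Name: "
        $coreStrings114 = "[+] UAC: %08x ["
        $coreStrings115 = "[+] Password last change: "
        $coreStrings116 = "[+] SID history:"
        $coreStrings117 = "[+] Object SID: "
        $coreStrings118 = "[+] Object RID: %u"
        // "[-] E:" error strings, several of them naming DRS / GetNCChanges /
        // NCChangesReply calls.
        $coreStrings119 = "[-] E: 0x%08x (%u) - %s"
        $coreStrings120 = "[-] E: no item!"
        $coreStrings121 = "[-] E: bad version (%u)"
        $coreStrings122 = "[-] E: 0x%08x (%u)"
        $coreStrings123 = "[-] E: (%08x)"
        $coreStrings124 = "[-] E: DRS Extension Size (%u)"
        $coreStrings125 = "[-] E: No DRS Extension"
        $coreStrings126 = "[-] E: DRSBind (%u)"
        $coreStrings127 = "[-] E: DC '%s' not found"
        $coreStrings128 = "[-] E: Version (%u)"
        $coreStrings129 = "[-] E: 0x%08x"
        $coreStrings130 = "[-] E: DC not found"
        $coreStrings131 = "[-] E: Binding DC!"
        $coreStrings132 = "[-] E: %u"
        $coreStrings133 = "[-] E: Domain not found"
        $coreStrings134 = "[+] Syncing DC: %ls"
        $coreStrings135 = "========================================|"
        $coreStrings136 = "[-] E: NCChangesReply"
        $coreStrings137 = "[-] E: GetNCChanges (%u)"
        $coreStrings138 = "[-] E: GetNCChanges: 0x%08x"
        $coreStrings139 = "[-] E: ASN1"
        $coreStrings140 = "[dsyn]"
        // Memory, thread, process, listing and task reporting output.
        $coreStrings141 = "[+] size         : %lu"
        $coreStrings142 = "[+] malloc (RX)  : 0x%p"
        $coreStrings143 = "[+] malloc (RW)  : 0x%p"
        $coreStrings144 = "[+] size        : %lu"
        $coreStrings145 = "[+] mapview (RX): 0x%p"
        $coreStrings146 = "[+] mapview (RW): 0x%p"
        $coreStrings147 = "[-] Invalid thread"
        $coreStrings148 = "[+] Thread start : 0x%p"
        $coreStrings149 = "[+] Thread Id    : %lu"
        $coreStrings150 = "  - expires at: %02d-%02d-%02d %02d:%02d:%02d"
        $coreStrings151 = "%-30ls%-30ls%ls"
        $coreStrings152 = "%-30S*%-29ls%04d hours"
        $coreStrings153 = "%-30S%-30ls%04d hours"
        $coreStrings154 = "[+] User is privileged"
        $coreStrings155 = "[+] Members of [%ls] in %ls"
        $coreStrings156 = "[+] Members of [%ls]"
        // NOTE(review): the leading 'p' below is carried over verbatim from
        // the original rule; confirm against a sample before changing it,
        // since the literal must match byte for byte.
        $coreStrings157 = "p[+] Alertable thread: %lu"
        $coreStrings158 = "[-] E: No Alertable threads"
        $coreStrings159 = "[!] QAPC not supported on existing process"
        $coreStrings160 = "[+] PID (%S) => %lu"
        $coreStrings161 = "[+] PPID => %lu"
        $coreStrings163 = "[+] Args => (%S)"
        $coreStrings165 = "[+] %S => PID: %lu"
        $coreStrings166 = "[+] %S => PID (Suspended): %lu:%lu"
        $coreStrings167 = "[+] SYS key: "
        $coreStrings168 = "[+] SAM key: "
        $coreStrings169 = "v2.0.50727"
        $coreStrings171 = "[+] Dotnet: v"
        $coreStrings172 = "[+] Socks started"
        $coreStrings173 = "[-] Socks stopped and Profile cleared"
        $coreStrings174 = "[+] Stasis: %d:%d"
        $coreStrings175 = "<DIR>?%ls?%02d-%02d-%d %02d:%02d"
        $coreStrings176 = "<DIR>?%ls"
        $coreStrings177 = "<FILE>?%ls?%02d-%02d-%d %02d:%02d?%lld bytes"
        $coreStrings178 = "<FILE>?%ls"
        $coreStrings179 = "[+] listing %ls"
        $coreStrings180 = "%02d-%02d-%d %02d:%02d <DIR>  %ls"
        $coreStrings181 = "%02d-%02d-%d %02d:%02d <FILE> %ls %lld bytes"
        $coreStrings182 = "[+] PID: %d"
        $coreStrings183 = "[+] Impersonated: '%S\\%S'"
        $coreStrings184 = "[+] Killed: %lu"
        // $coreStrings185, 188 and 190 contain a literal TAB character after
        // the last column width; keep it when editing.
        $coreStrings185 = "%ls%-8ls | %-8ls | %-6ls | %-30ls 	| %ls"
        $coreStrings186 = "[pstree] %S"
        $coreStrings187 = "6%d?%d?%S?%ls?%ls"
        $coreStrings188 = "%-8d | %-8d | %-6S | %-30ls 	| %ls"
        $coreStrings189 = "%d?%d?N/A?N/A?%ls"
        $coreStrings190 = "%-8d | %-8d | %-6ls | %-30ls 	| %ls"
        $coreStrings191 = "[-] Child Process???"
        $coreStrings192 = "[+] PID: %lu"
        $coreStrings193 = "[+] Impersonated '%ls'"
        $coreStrings194 = "[-] Duplicate listener: %S"
        $coreStrings195 = "[+] TCP listener: %S"
        $coreStrings196 = "[TCP] [%S]-<>-[%S]"
        $coreStrings197 = "[+] Added to Token Vault: %ls"
        $coreStrings198 = "[-] E: Invalid Arch: 0x%X"
        $coreStrings199 = "[+] Searching [0x%02X] permission"
        $coreStrings200 = "[-] SPN not found: %ls"
        $coreStrings201 = "[-] Invalid SPN: %S"
        $coreStrings202 = "[+] SPN: %ls"
        $coreStrings203 = "[+] Start Address: (%p)"
        $coreStrings204 = "[!] Invalid Address"
        $coreStrings205 = "[!] Invalid PID: %S"
        $coreStrings207 = "[+] TID: %lu"
        $coreStrings208 = "[+] T-Handle: 0x%X"
        $coreStrings209 = "[+] Suspend count: %lu"
        $coreStrings210 = "[+] %-24ls%-24ls%-24ls"
        $coreStrings211 = "%-66ls%-46ls%ls"
        $coreStrings212 = "    ============================================================= ============================================= =================================================="
        $coreStrings213 = "[+] Elevated Privilege"
        $coreStrings214 = "[-] Restricted Privilege"
        $coreStrings215 = "[+] Task-%d => %S (%S %%)"
        $coreStrings216 = "[Tasks] %02d => 0x%02X 0x%02X"
        $coreStrings217 = "[*] No active tasks"
        $coreStrings218 = "[-] Child: NA"
        $coreStrings219 = "[+] Child: %S"
        $coreStrings220 = "[TCP] Task-%d => %S"
        $coreStrings221 = "[+] Malloc: %lu"
        $coreStrings222 = "[+] ThreadEx: %lu"
        $coreStrings223 = "[+] %-30ls: %S"
        $coreStrings225 = "[+] %-30ls: "
        $coreStrings226 = "[+] %-30ls: %ls"
        $coreStrings227 = "  - %-6S %-22S %-22S %S"
        $coreStrings228 = "  - %-6S %-22S %-22S"
        $coreStrings229 = "  - 0x%lu [%02X-%02X-%02X-%02X-%02X-%02X] %S"
        $coreStrings230 = "  %-21S%-17S%-17S%-11S%-10S"
        $coreStrings231 = "  - %-19S%-17S%-17S%-11ld%-9ld"
        $coreStrings232 = "  - %-30ls: %I64dMB/%I64dMB"
        $coreStrings233 = "  - %-30ls: %lu MB"
        $coreStrings234 = "[+] CM: Already Running"
        $coreStrings235 = "[+] CM: Running"
        $coreStrings236 = "[+] CM: Started"
        $coreStrings237 = "[*] Task-%02d [Thread: %lu]"
        $coreStrings238 = "+-------------------------------------------------------------------+"
        $coreStrings239 = "[+] Session ID %lu => %ls: %ls\\%ls"
        $coreStrings240 = "[+] Enumerating PID: %lu [%ls]"
        $coreStrings241 = "[+] Captured Handle (PID: %lu)"
        $coreStrings242 = "[+] Initiated NTFS transaction"
        // Hard-coded NT path to a scratch file; a useful pivot for host triage.
        $coreStrings243 = "\\??\\C:\\Users\\Public\\cache.txt"
        $coreStrings244 = "[+] Dump Size: %d Mb"
        $coreStrings247 = "SeDebugPrivilege"
    condition:
        // Requires 20 distinct literals. Lower the threshold with care: the
        // TCP-state names, runtime version strings and single words above are
        // common in benign software, and the threshold is what keeps them
        // from matching on their own.
        20 of them
}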

// Brute Ratel C4 "Badger" stage / shellcode, matched on opcode sequences and
// four-byte constants rather than on plaintext strings (see meta.description).
rule brc4_shellcode {
    meta:
        version = "last version"
        author = "@ninjaparanoid"
        description = "Hunts for shellcode opcode used in Badger x86/x64 till release v1.2.9"
        arch_context = "x64"
        reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
        date = "2022-11-19"
        id = "7e899d2f-332b-53f7-b9e6-cfde2bce6223"
    strings:
        // x64 register save / restore sequences. _Start is push rbp, rax, rbx,
        // rcx, rdx, rsi, rdi followed by push r8..r15; _End and _StageEnd are
        // the matching pop sequences ending in pop rbp / ret.
        $shellcode_x64_Start = { 55 50 53 51 52 56 57 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 }
        $shellcode_x64_End = { 5B 5E 5F 41 5C 41 5D 41 5E 41 5F 5D C3 }
        $shellcode_x64_StageEnd = { 5C 41 5F 41 5E 41 5D 41 5C 41 5B 41 5A 41 59 41 58 5F 5E 5A 59 5B 58 5D C3 }
        // Four-byte constants. Judging by the identifiers these are precomputed
        // API-name hashes consumed by the hashing loops below; confirm against
        // a sample before relying on that reading.
        $funcHash1 = { 5B BC 4A 6A }
        $funcHash2 = { 5D 68 FA 3C }
        $funcHash3 = { AA FC 0D 7C }
        $funcHash4 = { 8E 4E 0E EC }
        $funcHash5 = { B8 12 DA 00 }
        $funcHash6 = { 07 C4 4C E5 }
        $funcHash7 = { BD CA 3B D3 }
        $funcHash8 = { 89 4D 39 8C }
        // Hashing-loop bodies, one per architecture; the x86 one contains a
        // rotate (C1 C8 0D, ror eax,13).
        $hashFuncx64 = { EB 20 0F 1F 44 00 00 44 0F B6 C8 4C 89 DA 41 83 E9 20 4D 63 C1 4B 8D 04 10 49 39 CB 74 21 49 83 C3 01 41 89 C2 }
        $hashFuncx86 = { EB 07 8D 74 26 00 83 C2 01 0F B6 31 C1 C8 0D 89 F1 8D 5C 30 E0 01 F0 80 F9 61 89 D1 0F 43 C3 39 D7 75 E3 }
    condition:
        // Both branches are gated on pe.machine, which is undefined when the
        // scanned input is not a parseable PE; an undefined term makes the
        // whole branch false. Raw shellcode blobs and memory regions without
        // a PE header therefore do not match this rule as written.
        (
            pe.machine == pe.MACHINE_AMD64
            and (2 of ($shellcode*) or (all of ($funcHash*) and $hashFuncx64))
        )
        or
        (
            pe.machine == pe.MACHINE_I386
            and all of ($funcHash*)
            and $hashFuncx86
        )
}