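import "pe"

/*
    Brute Ratel C4 ("Badger") hunting rules from the community kit (deprecated set).

    Both rules look for plaintext artefacts - cleartext strings in brc4_core and
    raw opcode sequences in brc4_shellcode - so a Badger whose payload is still
    encrypted, packed or otherwise not yet unpacked in the scanned object will
    not be found by either of them.
*/

rule brc4_core
{
    meta:
        version = "first version"
        author = "@ninjaparanoid"
        reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
        date = "2022-11-19"
        description = "Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state"
        id = "3a702d21-392f-5b7d-90a7-eb053d259b32"

    strings:
        // Identifier numbers follow the upstream rule. Gaps mark definitions that
        // repeated an earlier string byte-for-byte and were dropped: each matched
        // identifier counts once toward "20 of them", so a duplicated string used
        // to be credited twice and silently lowered the effective threshold.

        // TCP connection-state names. Any netstat-like utility carries this whole
        // set, so these twelve add little discriminating power on their own.
        $coreStrings1 = "CLOSED"
        $coreStrings2 = "LISTENING"
        $coreStrings3 = "SYN_SENT"
        $coreStrings4 = "SYN_RCVD"
        $coreStrings5 = "ESTABLISHED"
        $coreStrings6 = "FIN_WAIT1"
        $coreStrings7 = "FIN_WAIT2"
        $coreStrings8 = "CLOSE_WAIT"
        $coreStrings9 = "CLOSING"
        $coreStrings10 = "LAST_ACK"
        $coreStrings11 = "TIME_WAIT"
        $coreStrings12 = "DELETE_TCB"

        // CLR version directory name (also seen in benign .NET hosting code).
        $coreStrings13 = "v4.0.30319"
        $coreStrings14 = "bYXJm/3#M?:XyMBF"
        $coreStrings15 = "ServicesActive"
        $coreStrings16 = "coffee"
        $coreStrings17 = "Until Admin Unlock"
        $coreStrings18 = "alertable"
        $coreStrings19 = "%02d%02d%d_%02d%02d%2d%02d_%s"

        // Key-name tokens of the form "<Name>;" - consistent with keystroke-log output.
        $coreStrings20 = "<Left-Mouse>;"
        $coreStrings21 = "<Right-Mouse>;"
        $coreStrings22 = "<Cancel>;"
        $coreStrings23 = "<Middle-Mouse>;"
        $coreStrings24 = "<X1-Mouse>;"
        $coreStrings25 = "<X2-Mouse>;"
        $coreStrings26 = "<BackSpace>;"
        $coreStrings27 = "<Enter>;"
        $coreStrings28 = "<Shift>;"
        $coreStrings29 = "<CTRL>;"
        $coreStrings30 = "<ALT>;"
        $coreStrings31 = "<Pause>;"
        $coreStrings32 = "<Caps-Lock>;"
        $coreStrings33 = "<ESC>;"
        $coreStrings34 = "<Page-Up>;"
        $coreStrings35 = "<Page-Down>;"
        $coreStrings36 = "<End>;"
        $coreStrings37 = "<Home-Key>;"
        $coreStrings38 = "<Left-Arrow>;"
        $coreStrings39 = "<Up-Arrow>;"
        $coreStrings40 = "<Right-Arrow>;"
        $coreStrings41 = "<Down-Arrow>;"
        $coreStrings42 = "<Select>;"
        $coreStrings43 = "<Print-Key>;"
        $coreStrings44 = "<Print-Screen>;"
        $coreStrings45 = "<INS>;"
        $coreStrings46 = "<Delete>;"
        $coreStrings47 = "<Help>;"
        $coreStrings48 = "<Left-Windows-Key>;"
        $coreStrings49 = "<Right-Windows-Key>;"
        $coreStrings50 = "<Computer-Sleep>;"
        $coreStrings51 = "<F1>;"
        $coreStrings52 = "<F2>;"
        $coreStrings53 = "<F3>;"
        $coreStrings54 = "<F4>;"
        $coreStrings55 = "<F5>;"
        $coreStrings56 = "<F6>;"
        $coreStrings57 = "<F7>;"
        $coreStrings58 = "<F8>;"
        $coreStrings59 = "<F9>;"
        $coreStrings60 = "<F10>;"
        $coreStrings61 = "<F11>;"
        $coreStrings62 = "<F12>;"
        $coreStrings63 = "<F13>;"
        $coreStrings64 = "<F14>;"
        $coreStrings65 = "<F15>;"
        $coreStrings66 = "<F16>;"
        $coreStrings67 = "<F17>;"
        $coreStrings68 = "<F18>;"
        $coreStrings69 = "<F19>;"
        $coreStrings70 = "<F20>;"
        $coreStrings71 = "<F21>;"
        $coreStrings72 = "<F22>;"
        $coreStrings73 = "<F23>;"
        $coreStrings74 = "<F24>;"
        $coreStrings75 = "<Num-Lock>;"
        $coreStrings76 = "<Scroll-Lock>;"
        $coreStrings77 = "<Control>;"
        $coreStrings78 = "<Menu>;"
        $coreStrings79 = "<Volume Mute>;"
        $coreStrings80 = "<Volume Down>;"
        $coreStrings81 = "<Volume Up>;"
        $coreStrings82 = "<New Track>;"
        $coreStrings83 = "<Previous Track>;"
        $coreStrings84 = "<Play/Pause>;"
        $coreStrings85 = "<Play>;"
        $coreStrings86 = "<Zoom>;"

        // Output format strings (MAC-address, timestamped file names, column layouts).
        $coreStrings87 = "%02X-%02X-%02X-%02X-%02X-%02X"
        $coreStrings88 = "%02d%02d%d_%02d%02d%2d%02d.png"
        $coreStrings89 = "%02d-%02d-%d %02d:%02d:%2d"
        $coreStrings90 = "%ls%s%ls%s%ls%s%ls%lu%ls%s%s"
        $coreStrings91 = "%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%d%ls%lu%ls"
        $coreStrings92 = "bhttp_x64.dll"
        $coreStrings93 = " - %-45ls : %d"
        $coreStrings94 = " - %-45ls : %ls"
        $coreStrings95 = " - %-45ls : %llu"
        $coreStrings96 = " - %-45ls : %u"
        $coreStrings97 = " - %-45ls : %f"
        $coreStrings98 = " - %-45ls : %S"

        // Scheduled-task enumeration output labels.
        $coreStrings99 = " - Path: %ls"
        $coreStrings100 = " - Enabled: %ls"
        $coreStrings101 = " - Last Run: %ls"
        $coreStrings102 = " - Next Run: %ls"
        $coreStrings103 = " - Current State: %ls"
        $coreStrings104 = " - XML Output:"
        $coreStrings105 = " - Error fetching xml"
        $coreStrings106 = "[+] Name: %ls"
        $coreStrings107 = "[+] Task: %ld"
        $coreStrings108 = " - Name: %ls"
        $coreStrings109 = "BYTE data[] = {"

        // Directory-object attribute labels and DRSUAPI (DRSBind / GetNCChanges)
        // error strings - the output side of a directory-replication credential dump.
        $coreStrings110 = "[+] %s Password History:"
        $coreStrings111 = "[+] Object RDN: "
        $coreStrings112 = "[+] SAM Username: "
        $coreStrings113 = "[+] User Principal Name: "
        $coreStrings114 = "[+] UAC: %08x ["
        $coreStrings115 = "[+] Password last change: "
        $coreStrings116 = "[+] SID history:"
        $coreStrings117 = "[+] Object SID: "
        $coreStrings118 = "[+] Object RID: %u"
        $coreStrings119 = "[-] E: 0x%08x (%u) - %s"
        $coreStrings120 = "[-] E: no item!"
        $coreStrings121 = "[-] E: bad version (%u)"
        $coreStrings122 = "[-] E: 0x%08x (%u)"
        $coreStrings123 = "[-] E: (%08x)"
        $coreStrings124 = "[-] E: DRS Extension Size (%u)"
        $coreStrings125 = "[-] E: No DRS Extension"
        $coreStrings126 = "[-] E: DRSBind (%u)"
        $coreStrings127 = "[-] E: DC '%s' not found"
        $coreStrings128 = "[-] E: Version (%u)"
        $coreStrings129 = "[-] E: 0x%08x"
        $coreStrings130 = "[-] E: DC not found"
        $coreStrings131 = "[-] E: Binding DC!"
        $coreStrings132 = "[-] E: %u"
        $coreStrings133 = "[-] E: Domain not found"
        $coreStrings134 = "[+] Syncing DC: %ls"
        $coreStrings135 = "========================================|"
        $coreStrings136 = "[-] E: NCChangesReply"
        $coreStrings137 = "[-] E: GetNCChanges (%u)"
        $coreStrings138 = "[-] E: GetNCChanges: 0x%08x"
        $coreStrings139 = "[-] E: ASN1"
        $coreStrings140 = "[dsyn]"

        // Memory-allocation / thread-creation status output.
        $coreStrings141 = "[+] size : %lu"
        $coreStrings142 = "[+] malloc (RX) : 0x%p"
        $coreStrings143 = "[+] malloc (RW) : 0x%p"
        // $coreStrings144 duplicated $coreStrings141 - dropped.
        $coreStrings145 = "[+] mapview (RX): 0x%p"
        $coreStrings146 = "[+] mapview (RW): 0x%p"
        $coreStrings147 = "[-] Invalid thread"
        $coreStrings148 = "[+] Thread start : 0x%p"
        $coreStrings149 = "[+] Thread Id : %lu"
        $coreStrings150 = " - expires at: %02d-%02d-%02d %02d:%02d:%02d"
        $coreStrings151 = "%-30ls%-30ls%ls"
        $coreStrings152 = "%-30S*%-29ls%04d hours"
        $coreStrings153 = "%-30S%-30ls%04d hours"
        $coreStrings154 = "[+] User is privileged"
        $coreStrings155 = "[+] Members of [%ls] in %ls"
        $coreStrings156 = "[+] Members of [%ls]"
        // NOTE(review): the leading 'p' is kept from the upstream rule; it may be an
        // adjacent byte captured during string extraction rather than part of the
        // format string - confirm against a sample before relying on this one.
        $coreStrings157 = "p[+] Alertable thread: %lu"
        $coreStrings158 = "[-] E: No Alertable threads"
        $coreStrings159 = "[!] QAPC not supported on existing process"
        $coreStrings160 = "[+] PID (%S) => %lu"
        $coreStrings161 = "[+] PPID => %lu"
        // $coreStrings162 duplicated $coreStrings160 - dropped.
        $coreStrings163 = "[+] Args => (%S)"
        // $coreStrings164 duplicated $coreStrings161 - dropped.
        $coreStrings165 = "[+] %S => PID: %lu"
        $coreStrings166 = "[+] %S => PID (Suspended): %lu:%lu"
        $coreStrings167 = "[+] SYS key: "
        $coreStrings168 = "[+] SAM key: "
        // CLR version directory name (also seen in benign .NET hosting code).
        $coreStrings169 = "v2.0.50727"
        // $coreStrings170 duplicated $coreStrings13 - dropped.
        $coreStrings171 = "[+] Dotnet: v"
        $coreStrings172 = "[+] Socks started"
        $coreStrings173 = "[-] Socks stopped and Profile cleared"
        $coreStrings174 = "[+] Stasis: %d:%d"

        // Directory-listing output; '?' acts as a field separator in the raw form.
        $coreStrings175 = "<DIR>?%ls?%02d-%02d-%d %02d:%02d"
        $coreStrings176 = "<DIR>?%ls"
        $coreStrings177 = "<FILE>?%ls?%02d-%02d-%d %02d:%02d?%lld bytes"
        $coreStrings178 = "<FILE>?%ls"
        $coreStrings179 = "[+] listing %ls"
        $coreStrings180 = "%02d-%02d-%d %02d:%02d <DIR> %ls"
        $coreStrings181 = "%02d-%02d-%d %02d:%02d <FILE> %ls %lld bytes"

        // Process / token / listener management output.
        $coreStrings182 = "[+] PID: %d"
        $coreStrings183 = "[+] Impersonated: '%S\\%S'"
        $coreStrings184 = "[+] Killed: %lu"
        $coreStrings185 = "%ls%-8ls | %-8ls | %-6ls | %-30ls | %ls"
        $coreStrings186 = "[pstree] %S"
        // NOTE(review): leading '6' kept from upstream - same caveat as $coreStrings157.
        $coreStrings187 = "6%d?%d?%S?%ls?%ls"
        $coreStrings188 = "%-8d | %-8d | %-6S | %-30ls | %ls"
        $coreStrings189 = "%d?%d?N/A?N/A?%ls"
        $coreStrings190 = "%-8d | %-8d | %-6ls | %-30ls | %ls"
        $coreStrings191 = "[-] Child Process???"
        $coreStrings192 = "[+] PID: %lu"
        $coreStrings193 = "[+] Impersonated '%ls'"
        $coreStrings194 = "[-] Duplicate listener: %S"
        $coreStrings195 = "[+] TCP listener: %S"
        $coreStrings196 = "[TCP] [%S]-<>-[%S]"
        $coreStrings197 = "[+] Added to Token Vault: %ls"
        $coreStrings198 = "[-] E: Invalid Arch: 0x%X"
        $coreStrings199 = "[+] Searching [0x%02X] permission"
        $coreStrings200 = "[-] SPN not found: %ls"
        $coreStrings201 = "[-] Invalid SPN: %S"
        $coreStrings202 = "[+] SPN: %ls"
        $coreStrings203 = "[+] Start Address: (%p)"
        $coreStrings204 = "[!] Invalid Address"
        $coreStrings205 = "[!] Invalid PID: %S"
        // $coreStrings206 duplicated $coreStrings192 - dropped.
        $coreStrings207 = "[+] TID: %lu"
        $coreStrings208 = "[+] T-Handle: 0x%X"
        $coreStrings209 = "[+] Suspend count: %lu"
        $coreStrings210 = "[+] %-24ls%-24ls%-24ls"
        $coreStrings211 = "%-66ls%-46ls%ls"
        $coreStrings212 = " ============================================================= ============================================= =================================================="
        $coreStrings213 = "[+] Elevated Privilege"
        $coreStrings214 = "[-] Restricted Privilege"
        $coreStrings215 = "[+] Task-%d => %S (%S %%)"
        $coreStrings216 = "[Tasks] %02d => 0x%02X 0x%02X"
        $coreStrings217 = "[*] No active tasks"
        $coreStrings218 = "[-] Child: NA"
        $coreStrings219 = "[+] Child: %S"
        $coreStrings220 = "[TCP] Task-%d => %S"
        $coreStrings221 = "[+] Malloc: %lu"
        $coreStrings222 = "[+] ThreadEx: %lu"
        $coreStrings223 = "[+] %-30ls: %S"
        // $coreStrings224 duplicated $coreStrings223 - dropped.
        $coreStrings225 = "[+] %-30ls: "
        $coreStrings226 = "[+] %-30ls: %ls"
        $coreStrings227 = " - %-6S %-22S %-22S %S"
        $coreStrings228 = " - %-6S %-22S %-22S"
        $coreStrings229 = " - 0x%lu [%02X-%02X-%02X-%02X-%02X-%02X] %S"
        $coreStrings230 = " %-21S%-17S%-17S%-11S%-10S"
        $coreStrings231 = " - %-19S%-17S%-17S%-11ld%-9ld"
        $coreStrings232 = " - %-30ls: %I64dMB/%I64dMB"
        $coreStrings233 = " - %-30ls: %lu MB"
        $coreStrings234 = "[+] CM: Already Running"
        $coreStrings235 = "[+] CM: Running"
        $coreStrings236 = "[+] CM: Started"
        $coreStrings237 = "[*] Task-%02d [Thread: %lu]"
        $coreStrings238 = "+-------------------------------------------------------------------+"
        $coreStrings239 = "[+] Session ID %lu => %ls: %ls\\%ls"
        $coreStrings240 = "[+] Enumerating PID: %lu [%ls]"
        $coreStrings241 = "[+] Captured Handle (PID: %lu)"
        $coreStrings242 = "[+] Initiated NTFS transaction"
        // Hard-coded NT-style path of a world-readable scratch file - a good
        // standalone pivot for host-based hunting independent of this rule.
        $coreStrings243 = "\\??\\C:\\Users\\Public\\cache.txt"
        $coreStrings244 = "[+] Dump Size: %d Mb"
        // $coreStrings245 duplicated $coreStrings92 - dropped.
        // $coreStrings246 duplicated $coreStrings14 - dropped.
        // Requested by a great deal of legitimate admin tooling as well.
        $coreStrings247 = "SeDebugPrivilege"

    condition:
        // Each matched identifier counts once, so this now requires 20 distinct
        // substrings. Be aware that several strings are substrings of others
        // (e.g. $coreStrings156 inside $coreStrings155, $coreStrings129 inside
        // $coreStrings122 and $coreStrings119, $coreStrings225 inside $coreStrings223
        // and $coreStrings226), so such pairs always count together and the
        // effective number of independent indicators is a little below 20.
        20 of them
}

rule brc4_shellcode
{
    meta:
        version = "last version"
        author = "@ninjaparanoid"
        description = "Hunts for shellcode opcode used in Badger x86/x64 till release v1.2.9"
        // NOTE(review): kept as upstream. The condition below also has an I386
        // branch, so "x64" understates the architectures this rule covers.
        arch_context = "x64"
        reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
        date = "2022-11-19"
        id = "7e899d2f-332b-53f7-b9e6-cfde2bce6223"

    strings:
        // Save-all prologue: push rbp, rax, rbx, rcx, rdx, rsi, rdi, r8 .. r15.
        $shellcode_x64_Start = { 55 50 53 51 52 56 57 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 }
        // Epilogue: pop rbx, rsi, rdi, r12 .. r15, rbp; ret. This is an ordinary
        // compiler-generated epilogue and will occur in many benign x64 images;
        // it only carries weight because the condition requires two $shellcode* hits.
        $shellcode_x64_End = { 5B 5E 5F 41 5C 41 5D 41 5E 41 5F 5D C3 }
        // Mirror of $shellcode_x64_Start: pop r15 .. r8, rdi, rsi, rdx, rcx, rbx,
        // rax, rbp; ret. The leading 5C (pop rsp) has no matching push in the
        // prologue pattern and is presumably the tail of the preceding instruction
        // - kept as upstream, TODO confirm against a sample.
        $shellcode_x64_StageEnd = { 5C 41 5F 41 5E 41 5D 41 5C 41 5B 41 5A 41 59 41 58 5F 5E 5A 59 5B 58 5D C3 }

        // Eight 32-bit constants the resolver compares against; presumably hashed
        // API names produced by the $hashFunc* loops (algorithm not verifiable here).
        $funcHash1 = { 5B BC 4A 6A }
        $funcHash2 = { 5D 68 FA 3C }
        $funcHash3 = { AA FC 0D 7C }
        $funcHash4 = { 8E 4E 0E EC }
        $funcHash5 = { B8 12 DA 00 }
        $funcHash6 = { 07 C4 4C E5 }
        $funcHash7 = { BD CA 3B D3 }
        $funcHash8 = { 89 4D 39 8C }

        // Hashing loop, x64 build: appears to walk the name byte-wise, subtracting
        // 0x20 from the character (sub r9d, 0x20 - a lower-to-upper-case fold)
        // before folding it into the accumulator (lea rax, [r8+r10]).
        $hashFuncx64 = { EB 20 0F 1F 44 00 00 44 0F B6 C8 4C 89 DA 41 83 E9 20 4D 63 C1 4B 8D 04 10 49 39 CB 74 21 49 83 C3 01 41 89 C2 }
        // Hashing loop, x86 build: ror eax, 13 (C1 C8 0D) followed by the same
        // case fold (cmp cl, 0x61 / lea ebx, [eax+esi-0x20] / cmovae) - a
        // ROR13-style API-name hash.
        $hashFuncx86 = { EB 07 8D 74 26 00 83 C2 01 0F B6 31 C1 C8 0D 89 F1 8D 5C 30 E0 01 F0 80 F9 61 89 D1 0F 43 C3 39 D7 75 E3 }

    condition:
        // pe.machine is undefined when the scanned object has no PE header, so
        // despite the description this rule evaluates to false on raw shellcode
        // blobs and headerless memory dumps; those need a variant without the
        // pe gate. Parentheses spell out the precedence the original relied on
        // ("and" binds tighter than "or") - the logic is unchanged.
        (
            pe.machine == pe.MACHINE_AMD64 and
            (
                2 of ($shellcode*) or
                (all of ($funcHash*) and $hashFuncx64)
            )
        )
        or
        (
            pe.machine == pe.MACHINE_I386 and
            all of ($funcHash*) and $hashFuncx86
        )
}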