import "pe"
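// Flags unpacked / in-memory Brute Ratel C4 "Badger" builds (up to v1.2.9) by the
// plaintext strings they carry.  The rule is string-only and does not touch the
// "pe" module, so it can be applied to memory dumps as well as files on disk.
//
// Review changes vs. the upstream listing: eight string definitions that were
// byte-for-byte duplicates of an earlier one were removed so that "20 of them"
// counts distinct strings instead of counting one artifact twice:
//   $coreStrings144 ("[+] size : %lu")          == $coreStrings141
//   $coreStrings162 ("[+] PID (%S) => %lu")      == $coreStrings160
//   $coreStrings164 ("[+] PPID => %lu")          == $coreStrings161
//   $coreStrings170 ("v4.0.30319")              == $coreStrings13
//   $coreStrings206 ("[+] PID: %lu")             == $coreStrings192
//   $coreStrings224 ("[+] %-30ls: %S")           == $coreStrings223
//   $coreStrings245 ("bhttp_x64.dll")           == $coreStrings92
//   $coreStrings246 ("bYXJm/3#M?:XyMBF")        == $coreStrings14
// The remaining identifiers keep their original numbers (gaps are intentional).
rule brc4_core {
    meta:
        version = "first version"
        author = "@ninjaparanoid"
        reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
        date = "2022-11-19"
        description = "Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state"
        id = "3a702d21-392f-5b7d-90a7-eb053d259b32"

    strings:
        // TCP connection-state names.  Any netstat-style tool prints these, so
        // on their own they carry little weight; they only add to the count.
        $coreStrings1 = "CLOSED"
        $coreStrings2 = "LISTENING"
        $coreStrings3 = "SYN_SENT"
        $coreStrings4 = "SYN_RCVD"
        $coreStrings5 = "ESTABLISHED"
        $coreStrings6 = "FIN_WAIT1"
        $coreStrings7 = "FIN_WAIT2"
        $coreStrings8 = "CLOSE_WAIT"
        $coreStrings9 = "CLOSING"
        $coreStrings10 = "LAST_ACK"
        $coreStrings11 = "TIME_WAIT"
        $coreStrings12 = "DELETE_TCB"
        // .NET runtime version tag (also generic) plus a few short literals.
        $coreStrings13 = "v4.0.30319"
        $coreStrings14 = "bYXJm/3#M?:XyMBF"
        $coreStrings15 = "ServicesActive"
        $coreStrings16 = "coffee"
        $coreStrings17 = "Until Admin Unlock"
        $coreStrings18 = "alertable"
        $coreStrings19 = "%02d%02d%d_%02d%02d%2d%02d_%s"
        // Key-name tokens (all share the "<...>;" shape).
        $coreStrings20 = "<Left-Mouse>;"
        $coreStrings21 = "<Right-Mouse>;"
        $coreStrings22 = "<Cancel>;"
        $coreStrings23 = "<Middle-Mouse>;"
        $coreStrings24 = "<X1-Mouse>;"
        $coreStrings25 = "<X2-Mouse>;"
        $coreStrings26 = "<BackSpace>;"
        $coreStrings27 = "<Enter>;"
        $coreStrings28 = "<Shift>;"
        $coreStrings29 = "<CTRL>;"
        $coreStrings30 = "<ALT>;"
        $coreStrings31 = "<Pause>;"
        $coreStrings32 = "<Caps-Lock>;"
        $coreStrings33 = "<ESC>;"
        $coreStrings34 = "<Page-Up>;"
        $coreStrings35 = "<Page-Down>;"
        $coreStrings36 = "<End>;"
        $coreStrings37 = "<Home-Key>;"
        $coreStrings38 = "<Left-Arrow>;"
        $coreStrings39 = "<Up-Arrow>;"
        $coreStrings40 = "<Right-Arrow>;"
        $coreStrings41 = "<Down-Arrow>;"
        $coreStrings42 = "<Select>;"
        $coreStrings43 = "<Print-Key>;"
        $coreStrings44 = "<Print-Screen>;"
        $coreStrings45 = "<INS>;"
        $coreStrings46 = "<Delete>;"
        $coreStrings47 = "<Help>;"
        $coreStrings48 = "<Left-Windows-Key>;"
        $coreStrings49 = "<Right-Windows-Key>;"
        $coreStrings50 = "<Computer-Sleep>;"
        $coreStrings51 = "<F1>;"
        $coreStrings52 = "<F2>;"
        $coreStrings53 = "<F3>;"
        $coreStrings54 = "<F4>;"
        $coreStrings55 = "<F5>;"
        $coreStrings56 = "<F6>;"
        $coreStrings57 = "<F7>;"
        $coreStrings58 = "<F8>;"
        $coreStrings59 = "<F9>;"
        $coreStrings60 = "<F10>;"
        $coreStrings61 = "<F11>;"
        $coreStrings62 = "<F12>;"
        $coreStrings63 = "<F13>;"
        $coreStrings64 = "<F14>;"
        $coreStrings65 = "<F15>;"
        $coreStrings66 = "<F16>;"
        $coreStrings67 = "<F17>;"
        $coreStrings68 = "<F18>;"
        $coreStrings69 = "<F19>;"
        $coreStrings70 = "<F20>;"
        $coreStrings71 = "<F21>;"
        $coreStrings72 = "<F22>;"
        $coreStrings73 = "<F23>;"
        $coreStrings74 = "<F24>;"
        $coreStrings75 = "<Num-Lock>;"
        $coreStrings76 = "<Scroll-Lock>;"
        $coreStrings77 = "<Control>;"
        $coreStrings78 = "<Menu>;"
        $coreStrings79 = "<Volume Mute>;"
        $coreStrings80 = "<Volume Down>;"
        $coreStrings81 = "<Volume Up>;"
        $coreStrings82 = "<New Track>;"
        $coreStrings83 = "<Previous Track>;"
        $coreStrings84 = "<Play/Pause>;"
        $coreStrings85 = "<Play>;"
        $coreStrings86 = "<Zoom>;"
        // printf-style format strings and command output templates.
        $coreStrings87 = "%02X-%02X-%02X-%02X-%02X-%02X"
        $coreStrings88 = "%02d%02d%d_%02d%02d%2d%02d.png"
        $coreStrings89 = "%02d-%02d-%d %02d:%02d:%2d"
        $coreStrings90 = "%ls%s%ls%s%ls%s%ls%lu%ls%s%s"
        $coreStrings91 = "%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%d%ls%lu%ls"
        $coreStrings92 = "bhttp_x64.dll"
        $coreStrings93 = " - %-45ls : %d"
        $coreStrings94 = " - %-45ls : %ls"
        $coreStrings95 = " - %-45ls : %llu"
        $coreStrings96 = " - %-45ls : %u"
        $coreStrings97 = " - %-45ls : %f"
        $coreStrings98 = " - %-45ls : %S"
        $coreStrings99 = " - Path: %ls"
        $coreStrings100 = " - Enabled: %ls"
        $coreStrings101 = " - Last Run: %ls"
        $coreStrings102 = " - Next Run: %ls"
        $coreStrings103 = " - Current State: %ls"
        $coreStrings104 = " - XML Output:"
        $coreStrings105 = " - Error fetching xml"
        $coreStrings106 = "[+] Name: %ls"
        $coreStrings107 = "[+] Task: %ld"
        $coreStrings108 = " - Name: %ls"
        $coreStrings109 = "BYTE data[] = {"
        $coreStrings110 = "[+] %s Password History:"
        $coreStrings111 = "[+] Object RDN: "
        $coreStrings112 = "[+] SAM Username: "
        $coreStrings113 = "[+] User Principal Name: "
        $coreStrings114 = "[+] UAC: %08x ["
        $coreStrings115 = "[+] Password last change: "
        $coreStrings116 = "[+] SID history:"
        $coreStrings117 = "[+] Object SID: "
        $coreStrings118 = "[+] Object RID: %u"
        $coreStrings119 = "[-] E: 0x%08x (%u) - %s"
        $coreStrings120 = "[-] E: no item!"
        $coreStrings121 = "[-] E: bad version (%u)"
        $coreStrings122 = "[-] E: 0x%08x (%u)"
        $coreStrings123 = "[-] E: (%08x)"
        $coreStrings124 = "[-] E: DRS Extension Size (%u)"
        $coreStrings125 = "[-] E: No DRS Extension"
        $coreStrings126 = "[-] E: DRSBind (%u)"
        $coreStrings127 = "[-] E: DC '%s' not found"
        $coreStrings128 = "[-] E: Version (%u)"
        $coreStrings129 = "[-] E: 0x%08x"
        $coreStrings130 = "[-] E: DC not found"
        $coreStrings131 = "[-] E: Binding DC!"
        $coreStrings132 = "[-] E: %u"
        $coreStrings133 = "[-] E: Domain not found"
        $coreStrings134 = "[+] Syncing DC: %ls"
        $coreStrings135 = "========================================|"
        $coreStrings136 = "[-] E: NCChangesReply"
        $coreStrings137 = "[-] E: GetNCChanges (%u)"
        $coreStrings138 = "[-] E: GetNCChanges: 0x%08x"
        $coreStrings139 = "[-] E: ASN1"
        $coreStrings140 = "[dsyn]"
        $coreStrings141 = "[+] size : %lu"
        $coreStrings142 = "[+] malloc (RX) : 0x%p"
        $coreStrings143 = "[+] malloc (RW) : 0x%p"
        $coreStrings145 = "[+] mapview (RX): 0x%p"
        $coreStrings146 = "[+] mapview (RW): 0x%p"
        $coreStrings147 = "[-] Invalid thread"
        $coreStrings148 = "[+] Thread start : 0x%p"
        $coreStrings149 = "[+] Thread Id : %lu"
        $coreStrings150 = " - expires at: %02d-%02d-%02d %02d:%02d:%02d"
        $coreStrings151 = "%-30ls%-30ls%ls"
        $coreStrings152 = "%-30S*%-29ls%04d hours"
        $coreStrings153 = "%-30S%-30ls%04d hours"
        $coreStrings154 = "[+] User is privileged"
        $coreStrings155 = "[+] Members of [%ls] in %ls"
        $coreStrings156 = "[+] Members of [%ls]"
        // NOTE(review): the leading "p" below (and the leading "6" in
        // $coreStrings187) may be a stray byte from the original string dump
        // rather than part of the literal; kept verbatim, verify against a sample.
        $coreStrings157 = "p[+] Alertable thread: %lu"
        $coreStrings158 = "[-] E: No Alertable threads"
        $coreStrings159 = "[!] QAPC not supported on existing process"
        $coreStrings160 = "[+] PID (%S) => %lu"
        $coreStrings161 = "[+] PPID => %lu"
        $coreStrings163 = "[+] Args => (%S)"
        $coreStrings165 = "[+] %S => PID: %lu"
        $coreStrings166 = "[+] %S => PID (Suspended): %lu:%lu"
        $coreStrings167 = "[+] SYS key: "
        $coreStrings168 = "[+] SAM key: "
        $coreStrings169 = "v2.0.50727"
        $coreStrings171 = "[+] Dotnet: v"
        $coreStrings172 = "[+] Socks started"
        $coreStrings173 = "[-] Socks stopped and Profile cleared"
        $coreStrings174 = "[+] Stasis: %d:%d"
        $coreStrings175 = "<DIR>?%ls?%02d-%02d-%d %02d:%02d"
        $coreStrings176 = "<DIR>?%ls"
        $coreStrings177 = "<FILE>?%ls?%02d-%02d-%d %02d:%02d?%lld bytes"
        $coreStrings178 = "<FILE>?%ls"
        $coreStrings179 = "[+] listing %ls"
        $coreStrings180 = "%02d-%02d-%d %02d:%02d <DIR> %ls"
        $coreStrings181 = "%02d-%02d-%d %02d:%02d <FILE> %ls %lld bytes"
        $coreStrings182 = "[+] PID: %d"
        $coreStrings183 = "[+] Impersonated: '%S\\%S'"
        $coreStrings184 = "[+] Killed: %lu"
        $coreStrings185 = "%ls%-8ls | %-8ls | %-6ls | %-30ls | %ls"
        $coreStrings186 = "[pstree] %S"
        $coreStrings187 = "6%d?%d?%S?%ls?%ls"
        $coreStrings188 = "%-8d | %-8d | %-6S | %-30ls | %ls"
        $coreStrings189 = "%d?%d?N/A?N/A?%ls"
        $coreStrings190 = "%-8d | %-8d | %-6ls | %-30ls | %ls"
        $coreStrings191 = "[-] Child Process???"
        $coreStrings192 = "[+] PID: %lu"
        $coreStrings193 = "[+] Impersonated '%ls'"
        $coreStrings194 = "[-] Duplicate listener: %S"
        $coreStrings195 = "[+] TCP listener: %S"
        $coreStrings196 = "[TCP] [%S]-<>-[%S]"
        $coreStrings197 = "[+] Added to Token Vault: %ls"
        $coreStrings198 = "[-] E: Invalid Arch: 0x%X"
        $coreStrings199 = "[+] Searching [0x%02X] permission"
        $coreStrings200 = "[-] SPN not found: %ls"
        $coreStrings201 = "[-] Invalid SPN: %S"
        $coreStrings202 = "[+] SPN: %ls"
        $coreStrings203 = "[+] Start Address: (%p)"
        $coreStrings204 = "[!] Invalid Address"
        $coreStrings205 = "[!] Invalid PID: %S"
        $coreStrings207 = "[+] TID: %lu"
        $coreStrings208 = "[+] T-Handle: 0x%X"
        $coreStrings209 = "[+] Suspend count: %lu"
        $coreStrings210 = "[+] %-24ls%-24ls%-24ls"
        $coreStrings211 = "%-66ls%-46ls%ls"
        $coreStrings212 = " ============================================================= ============================================= =================================================="
        $coreStrings213 = "[+] Elevated Privilege"
        $coreStrings214 = "[-] Restricted Privilege"
        $coreStrings215 = "[+] Task-%d => %S (%S %%)"
        $coreStrings216 = "[Tasks] %02d => 0x%02X 0x%02X"
        $coreStrings217 = "[*] No active tasks"
        $coreStrings218 = "[-] Child: NA"
        $coreStrings219 = "[+] Child: %S"
        $coreStrings220 = "[TCP] Task-%d => %S"
        $coreStrings221 = "[+] Malloc: %lu"
        $coreStrings222 = "[+] ThreadEx: %lu"
        $coreStrings223 = "[+] %-30ls: %S"
        $coreStrings225 = "[+] %-30ls: "
        $coreStrings226 = "[+] %-30ls: %ls"
        $coreStrings227 = " - %-6S %-22S %-22S %S"
        $coreStrings228 = " - %-6S %-22S %-22S"
        $coreStrings229 = " - 0x%lu [%02X-%02X-%02X-%02X-%02X-%02X] %S"
        $coreStrings230 = " %-21S%-17S%-17S%-11S%-10S"
        $coreStrings231 = " - %-19S%-17S%-17S%-11ld%-9ld"
        $coreStrings232 = " - %-30ls: %I64dMB/%I64dMB"
        $coreStrings233 = " - %-30ls: %lu MB"
        $coreStrings234 = "[+] CM: Already Running"
        $coreStrings235 = "[+] CM: Running"
        $coreStrings236 = "[+] CM: Started"
        $coreStrings237 = "[*] Task-%02d [Thread: %lu]"
        $coreStrings238 = "+-------------------------------------------------------------------+"
        $coreStrings239 = "[+] Session ID %lu => %ls: %ls\\%ls"
        $coreStrings240 = "[+] Enumerating PID: %lu [%ls]"
        $coreStrings241 = "[+] Captured Handle (PID: %lu)"
        $coreStrings242 = "[+] Initiated NTFS transaction"
        $coreStrings243 = "\\??\\C:\\Users\\Public\\cache.txt"
        $coreStrings244 = "[+] Dump Size: %d Mb"
        // Generic privilege name; contributes to the count only.
        $coreStrings247 = "SeDebugPrivilege"

    condition:
        // With exact duplicates removed, each hit is a distinct literal.  Some
        // overlap remains because a shorter string is a prefix of a longer one
        // and matches wherever the longer one does, so one occurrence can still
        // count twice: $coreStrings225 inside 223/226, 176 inside 175, 178 inside
        // 177, 129 and 122 inside 119, 156 inside 155, 228 inside 227.  Raise the
        // threshold rather than relying on those pairs if tuning for precision.
        20 of them
}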
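// Flags Badger (up to v1.2.9) shellcode embedded in PE files by its
// register-save prologue/epilogue bytes, a set of 4-byte constants that appear
// to be API-name hashes, and the per-architecture hashing loop.
//
// Review change vs. the upstream listing: the condition is written with
// explicit parentheses.  YARA binds "and" tighter than "or", so the original
// already meant "(2 of the prologue/epilogue patterns) OR (all hashes AND the
// x64 hash loop)"; the parentheses only make that reading visible.
rule brc4_shellcode {
    meta:
        version = "last version"
        author = "@ninjaparanoid"
        description = "Hunts for shellcode opcode used in Badger x86/x64 till release v1.2.9"
        // NOTE(review): the condition also has an I386 branch, so "x64" here
        // understates the rule's scope; left unchanged in case the value
        // follows a catalogue convention — confirm before editing.
        arch_context = "x64"
        reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
        date = "2022-11-19"
        id = "7e899d2f-332b-53f7-b9e6-cfde2bce6223"

    strings:
        // x64 entry: push rbp, rax, rbx, rcx, rdx, rsi, rdi, r8..r15 (full
        // register save).  Compiler-generated code can emit similar sequences,
        // which is why the condition needs two of these patterns, not one.
        $shellcode_x64_Start = { 55 50 53 51 52 56 57 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 }
        // x64 exit: pop rbx, rsi, rdi, r12..r15, rbp; ret.
        $shellcode_x64_End = { 5B 5E 5F 41 5C 41 5D 41 5E 41 5F 5D C3 }
        // x64 stage exit: pops mirroring the entry sequence, then ret.
        $shellcode_x64_StageEnd = { 5C 41 5F 41 5E 41 5D 41 5C 41 5B 41 5A 41 59 41 58 5F 5E 5A 59 5B 58 5D C3 }
        // 4-byte constants, presumably the pre-computed hashes of resolved API
        // names (the names are not recoverable from the rule itself).
        $funcHash1 = { 5B BC 4A 6A }
        $funcHash2 = { 5D 68 FA 3C }
        $funcHash3 = { AA FC 0D 7C }
        $funcHash4 = { 8E 4E 0E EC }
        $funcHash5 = { B8 12 DA 00 }
        $funcHash6 = { 07 C4 4C E5 }
        $funcHash7 = { BD CA 3B D3 }
        $funcHash8 = { 89 4D 39 8C }
        // Hashing loop, per architecture.  Both contain a 0x20 adjustment that
        // looks like case folding; the x86 variant also contains "ror eax, 13"
        // (C1 C8 0D), i.e. a ROR-13 style hash.  Inferred from the opcodes only.
        $hashFuncx64 = { EB 20 0F 1F 44 00 00 44 0F B6 C8 4C 89 DA 41 83 E9 20 4D 63 C1 4B 8D 04 10 49 39 CB 74 21 49 83 C3 01 41 89 C2 }
        $hashFuncx86 = { EB 07 8D 74 26 00 83 C2 01 0F B6 31 C1 C8 0D 89 F1 8D 5C 30 E0 01 F0 80 F9 61 89 D1 0F 43 C3 39 D7 75 E3 }

    condition:
        // pe.machine is undefined when the scanned object has no PE header, and
        // a comparison against an undefined value is false.  Despite the rule's
        // name it therefore fires only on PE files that embed the shellcode,
        // not on raw shellcode blobs or memory regions without a header; a
        // header-independent variant would need a different gate than pe.machine.
        (
            pe.machine == pe.MACHINE_AMD64 and
            (2 of ($shellcode*) or (all of ($funcHash*) and $hashFuncx64))
        )
        or
        (
            pe.machine == pe.MACHINE_I386 and
            (all of ($funcHash*) and $hashFuncx86)
        )
}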