
import "pe"
rule brc4_core {
// Brute Ratel C4 "Badger" agent in an unencrypted state, releases up to
// v1.2.9: matches on literal strings the agent carries. Taken from the
// (now deprecated) community-kit rule linked in `reference`.
//
// NOTE(review): eight string values are defined twice (13/170, 14/246,
// 92/245, 141/144, 160/162, 161/164, 192/206, 223/224). `20 of them` counts
// identifiers, so each duplicated value present in a file counts twice toward
// the threshold.
// NOTE(review): several strings are generic (the TCP state names, the .NET
// runtime folder names "v2.0.50727"/"v4.0.30319", "SeDebugPrivilege",
// "ServicesActive", "coffee", "alertable") and occur in benign software; they
// weigh the same as the implant-specific ones, so judge a hit by WHICH strings
// matched (yara -s), not by the count alone.
// Text strings carry no modifiers, so they are ASCII-only and case-sensitive
// (YARA defaults); the many %ls format strings are matched as ASCII literals.
meta:
version = "first version"
author = "@ninjaparanoid"
reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
date = "2022-11-19"
description = "Hunts for known strings used in Badger till release v1.2.9 when not in an encrypted state"
id = "3a702d21-392f-5b7d-90a7-eb053d259b32"
strings:
// TCP connection states (netstat-style listing); generic on their own.
$coreStrings1 = "CLOSED"
$coreStrings2 = "LISTENING"
$coreStrings3 = "SYN_SENT"
$coreStrings4 = "SYN_RCVD"
$coreStrings5 = "ESTABLISHED"
$coreStrings6 = "FIN_WAIT1"
$coreStrings7 = "FIN_WAIT2"
$coreStrings8 = "CLOSE_WAIT"
$coreStrings9 = "CLOSING"
$coreStrings10 = "LAST_ACK"
$coreStrings11 = "TIME_WAIT"
$coreStrings12 = "DELETE_TCB"
// .NET runtime folder name; generic (repeated as $coreStrings170).
$coreStrings13 = "v4.0.30319"
// Opaque literal; repeated as $coreStrings246.
$coreStrings14 = "bYXJm/3#M?:XyMBF"
$coreStrings15 = "ServicesActive"
$coreStrings16 = "coffee"
$coreStrings17 = "Until Admin Unlock"
$coreStrings18 = "alertable"
$coreStrings19 = "%02d%02d%d_%02d%02d%2d%02d_%s"
// "<Key>;" tokens, consistent with keystroke-capture output formatting.
$coreStrings20 = "<Left-Mouse>;"
$coreStrings21 = "<Right-Mouse>;"
$coreStrings22 = "<Cancel>;"
$coreStrings23 = "<Middle-Mouse>;"
$coreStrings24 = "<X1-Mouse>;"
$coreStrings25 = "<X2-Mouse>;"
$coreStrings26 = "<BackSpace>;"
$coreStrings27 = "<Enter>;"
$coreStrings28 = "<Shift>;"
$coreStrings29 = "<CTRL>;"
$coreStrings30 = "<ALT>;"
$coreStrings31 = "<Pause>;"
$coreStrings32 = "<Caps-Lock>;"
$coreStrings33 = "<ESC>;"
$coreStrings34 = "<Page-Up>;"
$coreStrings35 = "<Page-Down>;"
$coreStrings36 = "<End>;"
$coreStrings37 = "<Home-Key>;"
$coreStrings38 = "<Left-Arrow>;"
$coreStrings39 = "<Up-Arrow>;"
$coreStrings40 = "<Right-Arrow>;"
$coreStrings41 = "<Down-Arrow>;"
$coreStrings42 = "<Select>;"
$coreStrings43 = "<Print-Key>;"
$coreStrings44 = "<Print-Screen>;"
$coreStrings45 = "<INS>;"
$coreStrings46 = "<Delete>;"
$coreStrings47 = "<Help>;"
$coreStrings48 = "<Left-Windows-Key>;"
$coreStrings49 = "<Right-Windows-Key>;"
$coreStrings50 = "<Computer-Sleep>;"
$coreStrings51 = "<F1>;"
$coreStrings52 = "<F2>;"
$coreStrings53 = "<F3>;"
$coreStrings54 = "<F4>;"
$coreStrings55 = "<F5>;"
$coreStrings56 = "<F6>;"
$coreStrings57 = "<F7>;"
$coreStrings58 = "<F8>;"
$coreStrings59 = "<F9>;"
$coreStrings60 = "<F10>;"
$coreStrings61 = "<F11>;"
$coreStrings62 = "<F12>;"
$coreStrings63 = "<F13>;"
$coreStrings64 = "<F14>;"
$coreStrings65 = "<F15>;"
$coreStrings66 = "<F16>;"
$coreStrings67 = "<F17>;"
$coreStrings68 = "<F18>;"
$coreStrings69 = "<F19>;"
$coreStrings70 = "<F20>;"
$coreStrings71 = "<F21>;"
$coreStrings72 = "<F22>;"
$coreStrings73 = "<F23>;"
$coreStrings74 = "<F24>;"
$coreStrings75 = "<Num-Lock>;"
$coreStrings76 = "<Scroll-Lock>;"
$coreStrings77 = "<Control>;"
$coreStrings78 = "<Menu>;"
$coreStrings79 = "<Volume Mute>;"
$coreStrings80 = "<Volume Down>;"
$coreStrings81 = "<Volume Up>;"
$coreStrings82 = "<New Track>;"
$coreStrings83 = "<Previous Track>;"
$coreStrings84 = "<Play/Pause>;"
$coreStrings85 = "<Play>;"
$coreStrings86 = "<Zoom>;"
// printf-style output templates (MAC address, timestamps, screenshot name).
$coreStrings87 = "%02X-%02X-%02X-%02X-%02X-%02X"
$coreStrings88 = "%02d%02d%d_%02d%02d%2d%02d.png"
$coreStrings89 = "%02d-%02d-%d %02d:%02d:%2d"
$coreStrings90 = "%ls%s%ls%s%ls%s%ls%lu%ls%s%s"
$coreStrings91 = "%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%d%ls%lu%ls"
// Module name; repeated as $coreStrings245.
$coreStrings92 = "bhttp_x64.dll"
$coreStrings93 = " - %-45ls : %d"
$coreStrings94 = " - %-45ls : %ls"
$coreStrings95 = " - %-45ls : %llu"
$coreStrings96 = " - %-45ls : %u"
$coreStrings97 = " - %-45ls : %f"
$coreStrings98 = " - %-45ls : %S"
// Scheduled-task enumeration output.
$coreStrings99 = " - Path: %ls"
$coreStrings100 = " - Enabled: %ls"
$coreStrings101 = " - Last Run: %ls"
$coreStrings102 = " - Next Run: %ls"
$coreStrings103 = " - Current State: %ls"
$coreStrings104 = " - XML Output:"
$coreStrings105 = " - Error fetching xml"
$coreStrings106 = "[+] Name: %ls"
$coreStrings107 = "[+] Task: %ld"
$coreStrings108 = " - Name: %ls"
$coreStrings109 = "BYTE data[] = {"
// Directory-object and DRS replication (DRSBind/GetNCChanges) output;
// consistent with directory credential replication (DCSync-style) activity.
$coreStrings110 = "[+] %s Password History:"
$coreStrings111 = "[+] Object RDN: "
$coreStrings112 = "[+] SAM Username: "
$coreStrings113 = "[+] User Principal Name: "
$coreStrings114 = "[+] UAC: %08x ["
$coreStrings115 = "[+] Password last change: "
$coreStrings116 = "[+] SID history:"
$coreStrings117 = "[+] Object SID: "
$coreStrings118 = "[+] Object RID: %u"
$coreStrings119 = "[-] E: 0x%08x (%u) - %s"
$coreStrings120 = "[-] E: no item!"
$coreStrings121 = "[-] E: bad version (%u)"
$coreStrings122 = "[-] E: 0x%08x (%u)"
$coreStrings123 = "[-] E: (%08x)"
$coreStrings124 = "[-] E: DRS Extension Size (%u)"
$coreStrings125 = "[-] E: No DRS Extension"
$coreStrings126 = "[-] E: DRSBind (%u)"
$coreStrings127 = "[-] E: DC '%s' not found"
$coreStrings128 = "[-] E: Version (%u)"
$coreStrings129 = "[-] E: 0x%08x"
$coreStrings130 = "[-] E: DC not found"
$coreStrings131 = "[-] E: Binding DC!"
$coreStrings132 = "[-] E: %u"
$coreStrings133 = "[-] E: Domain not found"
$coreStrings134 = "[+] Syncing DC: %ls"
$coreStrings135 = "========================================|"
$coreStrings136 = "[-] E: NCChangesReply"
$coreStrings137 = "[-] E: GetNCChanges (%u)"
$coreStrings138 = "[-] E: GetNCChanges: 0x%08x"
$coreStrings139 = "[-] E: ASN1"
$coreStrings140 = "[dsyn]"
// Memory-allocation / thread-creation status lines (141 repeated as 144).
$coreStrings141 = "[+] size : %lu"
$coreStrings142 = "[+] malloc (RX) : 0x%p"
$coreStrings143 = "[+] malloc (RW) : 0x%p"
$coreStrings144 = "[+] size : %lu"
$coreStrings145 = "[+] mapview (RX): 0x%p"
$coreStrings146 = "[+] mapview (RW): 0x%p"
$coreStrings147 = "[-] Invalid thread"
$coreStrings148 = "[+] Thread start : 0x%p"
$coreStrings149 = "[+] Thread Id : %lu"
$coreStrings150 = " - expires at: %02d-%02d-%02d %02d:%02d:%02d"
$coreStrings151 = "%-30ls%-30ls%ls"
$coreStrings152 = "%-30S*%-29ls%04d hours"
$coreStrings153 = "%-30S%-30ls%04d hours"
$coreStrings154 = "[+] User is privileged"
$coreStrings155 = "[+] Members of [%ls] in %ls"
$coreStrings156 = "[+] Members of [%ls]"
// NOTE(review): the leading "p" here and the leading "6" in $coreStrings187
// look like artefacts of the upstream rule rather than deliberate prefixes;
// verify against the `reference` URL before relying on either string alone.
$coreStrings157 = "p[+] Alertable thread: %lu"
$coreStrings158 = "[-] E: No Alertable threads"
$coreStrings159 = "[!] QAPC not supported on existing process"
// Process-creation status lines (160/162 and 161/164 are duplicates).
$coreStrings160 = "[+] PID (%S) => %lu"
$coreStrings161 = "[+] PPID => %lu"
$coreStrings162 = "[+] PID (%S) => %lu"
$coreStrings163 = "[+] Args => (%S)"
$coreStrings164 = "[+] PPID => %lu"
$coreStrings165 = "[+] %S => PID: %lu"
$coreStrings166 = "[+] %S => PID (Suspended): %lu:%lu"
$coreStrings167 = "[+] SYS key: "
$coreStrings168 = "[+] SAM key: "
// .NET runtime folder names; generic (170 repeats $coreStrings13).
$coreStrings169 = "v2.0.50727"
$coreStrings170 = "v4.0.30319"
$coreStrings171 = "[+] Dotnet: v"
$coreStrings172 = "[+] Socks started"
$coreStrings173 = "[-] Socks stopped and Profile cleared"
$coreStrings174 = "[+] Stasis: %d:%d"
// Directory-listing output templates.
$coreStrings175 = "<DIR>?%ls?%02d-%02d-%d %02d:%02d"
$coreStrings176 = "<DIR>?%ls"
$coreStrings177 = "<FILE>?%ls?%02d-%02d-%d %02d:%02d?%lld bytes"
$coreStrings178 = "<FILE>?%ls"
$coreStrings179 = "[+] listing %ls"
$coreStrings180 = "%02d-%02d-%d %02d:%02d <DIR> %ls"
$coreStrings181 = "%02d-%02d-%d %02d:%02d <FILE> %ls %lld bytes"
$coreStrings182 = "[+] PID: %d"
$coreStrings183 = "[+] Impersonated: '%S\\%S'"
$coreStrings184 = "[+] Killed: %lu"
// Process-tree listing templates.
$coreStrings185 = "%ls%-8ls | %-8ls | %-6ls | %-30ls | %ls"
$coreStrings186 = "[pstree] %S"
$coreStrings187 = "6%d?%d?%S?%ls?%ls"
$coreStrings188 = "%-8d | %-8d | %-6S | %-30ls | %ls"
$coreStrings189 = "%d?%d?N/A?N/A?%ls"
$coreStrings190 = "%-8d | %-8d | %-6ls | %-30ls | %ls"
$coreStrings191 = "[-] Child Process???"
// 192 is repeated as $coreStrings206.
$coreStrings192 = "[+] PID: %lu"
$coreStrings193 = "[+] Impersonated '%ls'"
$coreStrings194 = "[-] Duplicate listener: %S"
$coreStrings195 = "[+] TCP listener: %S"
$coreStrings196 = "[TCP] [%S]-<>-[%S]"
$coreStrings197 = "[+] Added to Token Vault: %ls"
$coreStrings198 = "[-] E: Invalid Arch: 0x%X"
$coreStrings199 = "[+] Searching [0x%02X] permission"
$coreStrings200 = "[-] SPN not found: %ls"
$coreStrings201 = "[-] Invalid SPN: %S"
$coreStrings202 = "[+] SPN: %ls"
$coreStrings203 = "[+] Start Address: (%p)"
$coreStrings204 = "[!] Invalid Address"
$coreStrings205 = "[!] Invalid PID: %S"
$coreStrings206 = "[+] PID: %lu"
$coreStrings207 = "[+] TID: %lu"
$coreStrings208 = "[+] T-Handle: 0x%X"
$coreStrings209 = "[+] Suspend count: %lu"
$coreStrings210 = "[+] %-24ls%-24ls%-24ls"
$coreStrings211 = "%-66ls%-46ls%ls"
$coreStrings212 = " ============================================================= ============================================= =================================================="
$coreStrings213 = "[+] Elevated Privilege"
$coreStrings214 = "[-] Restricted Privilege"
// Task-queue status lines.
$coreStrings215 = "[+] Task-%d => %S (%S %%)"
$coreStrings216 = "[Tasks] %02d => 0x%02X 0x%02X"
$coreStrings217 = "[*] No active tasks"
$coreStrings218 = "[-] Child: NA"
$coreStrings219 = "[+] Child: %S"
$coreStrings220 = "[TCP] Task-%d => %S"
$coreStrings221 = "[+] Malloc: %lu"
$coreStrings222 = "[+] ThreadEx: %lu"
// 223 and 224 are identical.
$coreStrings223 = "[+] %-30ls: %S"
$coreStrings224 = "[+] %-30ls: %S"
$coreStrings225 = "[+] %-30ls: "
$coreStrings226 = "[+] %-30ls: %ls"
$coreStrings227 = " - %-6S %-22S %-22S %S"
$coreStrings228 = " - %-6S %-22S %-22S"
$coreStrings229 = " - 0x%lu [%02X-%02X-%02X-%02X-%02X-%02X] %S"
$coreStrings230 = " %-21S%-17S%-17S%-11S%-10S"
$coreStrings231 = " - %-19S%-17S%-17S%-11ld%-9ld"
$coreStrings232 = " - %-30ls: %I64dMB/%I64dMB"
$coreStrings233 = " - %-30ls: %lu MB"
$coreStrings234 = "[+] CM: Already Running"
$coreStrings235 = "[+] CM: Running"
$coreStrings236 = "[+] CM: Started"
$coreStrings237 = "[*] Task-%02d [Thread: %lu]"
$coreStrings238 = "+-------------------------------------------------------------------+"
$coreStrings239 = "[+] Session ID %lu => %ls: %ls\\%ls"
$coreStrings240 = "[+] Enumerating PID: %lu [%ls]"
$coreStrings241 = "[+] Captured Handle (PID: %lu)"
$coreStrings242 = "[+] Initiated NTFS transaction"
// Hard-coded NT-namespace path; each "\\" in the rule is one backslash in
// the matched bytes. A useful standalone artefact (file path) to hunt for.
$coreStrings243 = "\\??\\C:\\Users\\Public\\cache.txt"
$coreStrings244 = "[+] Dump Size: %d Mb"
// Repeats of $coreStrings92 and $coreStrings14.
$coreStrings245 = "bhttp_x64.dll"
$coreStrings246 = "bYXJm/3#M?:XyMBF"
// Privilege name; generic (present in many legitimate tools).
$coreStrings247 = "SeDebugPrivilege"
condition:
// Any 20 of the 247 identifiers above; duplicated values count separately.
20 of them
}
rule brc4_shellcode {
    // Brute Ratel C4 "Badger" x86/x64 shellcode: stub prolog/epilog byte
    // sequences, eight 4-byte API-hash constants and the two hashing
    // routines, as found in releases up to v1.2.9 (per the upstream rule).
    //
    // The condition compares pe.machine, which is undefined on anything that
    // is not a PE file; such comparisons evaluate to false, so this rule only
    // fires on PE images that embed the stub, not on raw shellcode blobs.
    // NOTE(review): arch_context says "x64" while the description and the
    // condition cover both x86 and x64; kept as upstream wrote it.
    meta:
        version = "last version"
        author = "@ninjaparanoid"
        description = "Hunts for shellcode opcode used in Badger x86/x64 till release v1.2.9"
        arch_context = "x64"
        reference = "https://github.com/paranoidninja/Brute-Ratel-C4-Community-Kit/blob/main/deprecated/brc4.yara"
        date = "2022-11-19"
        id = "7e899d2f-332b-53f7-b9e6-cfde2bce6223"
    strings:
        // x64 stub boundaries: a push-all-registers prolog (push rbp/rax/rbx/
        // rcx/rdx/rsi/rdi/r8-r15), the matching pop/ret epilog, and the stage
        // epilog. Register save/restore sequences like these are not unique
        // to this family, hence the "2 of" requirement below.
        $shellcode_x64_Start    = { 55 50 53 51 52 56 57 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 }
        $shellcode_x64_End      = { 5B 5E 5F 41 5C 41 5D 41 5E 41 5F 5D C3 }
        $shellcode_x64_StageEnd = { 5C 41 5F 41 5E 41 5D 41 5C 41 5B 41 5A 41 59 41 58 5F 5E 5A 59 5B 58 5D C3 }
        // Precomputed 4-byte API-name hashes. Individually these are short
        // enough to occur by chance, so the condition requires all eight plus
        // the hashing routine for the matching architecture.
        $funcHash1 = { 5B BC 4A 6A }
        $funcHash2 = { 5D 68 FA 3C }
        $funcHash3 = { AA FC 0D 7C }
        $funcHash4 = { 8E 4E 0E EC }
        $funcHash5 = { B8 12 DA 00 }
        $funcHash6 = { 07 C4 4C E5 }
        $funcHash7 = { BD CA 3B D3 }
        $funcHash8 = { 89 4D 39 8C }
        // API-hashing loops; the x86 variant contains "C1 C8 0D" (ror eax, 13)
        // and a cmp against 'a' (80 F9 61), consistent with a case-folding
        // ROR-13 style hash.
        $hashFuncx64 = { EB 20 0F 1F 44 00 00 44 0F B6 C8 4C 89 DA 41 83 E9 20 4D 63 C1 4B 8D 04 10 49 39 CB 74 21 49 83 C3 01 41 89 C2 }
        $hashFuncx86 = { EB 07 8D 74 26 00 83 C2 01 0F B6 31 C1 C8 0D 89 F1 8D 5C 30 E0 01 F0 80 F9 61 89 D1 0F 43 C3 39 D7 75 E3 }
    condition:
        // `and` binds tighter than `or` in YARA; the parentheses below make
        // the grouping the original precedence already produced explicit.
        (
            pe.machine == pe.MACHINE_AMD64
            and (
                2 of ($shellcode*)
                or (all of ($funcHash*) and $hashFuncx64)
            )
        )
        or
        (
            pe.machine == pe.MACHINE_I386
            and (all of ($funcHash*) and $hashFuncx86)
        )
}