Pikabot updates
kevoreilly committed Mar 8, 2024
1 parent 3b303a4 commit 714636f
Showing 2 changed files with 25 additions and 9 deletions.
27 changes: 21 additions & 6 deletions analyzer/windows/data/yara/Pikabot.yar
Expand Up @@ -3,13 +3,14 @@ rule Pikahook
meta:
author = "kevoreilly"
description = "Pikabot anti-hook bypass"
cape_options = "clear,sysbp=$indsys+40,sysbpmode=1,force-sleepskip=1"
cape_options = "clear,sysbp=$indirect+40,sysbpmode=1,force-sleepskip=1"
packed = "89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9"
strings:
$indsys = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
$decompress = {89 54 [2] 8B 50 ?? 89 54 [2] 8B 50 ?? C7 44 [2] 00 00 10 00 89 54 [2] 8B [5] C7 04 ?? 02 01 00 00 89}
$indirect = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
$sysenter1 = {89 44 24 08 8D 85 20 FC FF FF C7 44 24 04 FF FF 1F 00 89 04 24 E8}
$sysenter2 = {C7 44 24 0C 00 00 00 02 C7 44 24 08 00 00 00 02 8B 45 0C 89 44 24 04 8B 45 08 89 04 24 E8}
condition:
uint16(0) == 0x5A4D and all of them
uint16(0) == 0x5A4D and 2 of them
}

rule Pikabot
Expand All @@ -20,8 +21,22 @@ rule Pikabot
cape_options = "clear,bp0=$decode,action0=string:eax,count=0,force-sleepskip=1,typestring=Pikabot Config"
packed = "89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9"
strings:
$indsys = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
$decode = {B9 FC FF FF FF C7 05 [8] 81 E2 [4] 89 15 [4] 8B 55 ?? 29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16}
$indirect = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
$decode = {29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16 83 C4 ?? 5B 5E [0-1] 5D C3}
condition:
uint16(0) == 0x5A4D and all of them
}

rule PikExport
{
meta:
author = "kevoreilly"
description = "Pikabot export selection"
cape_options = "export=$export"
hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646"
strings:
$export = {55 8B EC 83 EC ?? C6 45 [2] C6 45 [2] C6 45 [2] C6 45 [2] C6 45}
$pe = {B8 08 00 00 00 6B C8 00 8B 55 ?? 8B 45 ?? 03 44 0A 78 89 45 ?? 8B 4D ?? 8B 51 18 89 55 E8 C7 45 F8 00 00 00 00}
condition:
uint16(0) == 0x5A4D and all of them
}
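Review bot: In rule Pikahook the condition is loosened to `2 of them` while `cape_options` still sets `sysbp=$indirect+40`, so a file matching only `$sysenter1` and `$sysenter2` fires the rule without `$indirect` having matched and the breakpoint offset has no matched string to resolve against; unless CAPE is known to tolerate that, keep the anchor mandatory: `uint16(0) == 0x5A4D and $indirect and 1 of ($sysenter*)`. The `rule Pikahook` line and opening brace sit above the hunk, so only the strings and condition are visible here. A smaller point in the new PikExport rule: the sample hash is recorded as `hash =` whereas every other rule in this file uses `packed =`, and keeping one meta key makes the file consistent with its existing convention. The `$indirect` hex pattern is also repeated byte-for-byte in Pikabot below and in Pikasys in data/yara/CAPE/PikaBot.yar; a one-line comment noting that the three copies are meant to stay identical would help the next revision update them together.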
7 changes: 4 additions & 3 deletions data/yara/CAPE/PikaBot.yar
Expand Up @@ -22,9 +22,10 @@ rule Pikasys
cape_type = "PikaBot Payload"
packed = "89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9"
strings:
$indsys = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
$decode = {B9 FC FF FF FF C7 05 [8] 81 E2 [4] 89 15 [4] 8B 55 ?? 29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16}
$decompress = {89 54 [2] 8B 50 ?? 89 54 [2] 8B 50 ?? C7 44 [2] 00 00 10 00 89 54 [2] 8B [5] C7 04 ?? 02 01 00 00 89}
$indirect = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
$sysenter1 = {89 44 24 08 8D 85 20 FC FF FF C7 44 24 04 FF FF 1F 00 89 04 24 E8}
$sysenter2 = {C7 44 24 0C 00 00 00 02 C7 44 24 08 00 00 00 02 8B 45 0C 89 44 24 04 8B 45 08 89 04 24 E8}
$decode = {29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16 83 C4 ?? 5B 5E [0-1] 5D C3}
condition:
uint16(0) == 0x5A4D and 2 of them
}
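Review bot: Rule Pikasys keeps `2 of them` while its string set grows from three to four, so `$sysenter1` together with `$sysenter2` now satisfies the condition on its own and tags a file with cape_type "PikaBot Payload" without either `$indirect` or `$decode` matching; the two sysenter patterns look like plain stack-argument setups and may be less specific than the other two. If that widening is not intended, bind the condition to one of the other strings, e.g. `uint16(0) == 0x5A4D and ($indirect or $decode) and 2 of them`. The `rule Pikasys` line and the first meta entries are above the hunk, so this reading is based on the strings and condition shown here.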
