From 714636f60dc2ca7c43662db8aa4da75252503983 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Fri, 8 Mar 2024 11:54:37 +0000
Subject: [PATCH] Pikabot updates

---
 analyzer/windows/data/yara/Pikabot.yar | 27 ++++++++++++++++++++------
 data/yara/CAPE/PikaBot.yar | 7 ++++---
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/analyzer/windows/data/yara/Pikabot.yar b/analyzer/windows/data/yara/Pikabot.yar
index 5aa90027daf..92f817847f3 100644
--- a/analyzer/windows/data/yara/Pikabot.yar
+++ b/analyzer/windows/data/yara/Pikabot.yar
@@ -3,13 +3,14 @@ rule Pikahook
 meta:
 author = "kevoreilly"
 description = "Pikabot anti-hook bypass"
- cape_options = "clear,sysbp=$indsys+40,sysbpmode=1,force-sleepskip=1"
+ cape_options = "clear,sysbp=$indirect+40,sysbpmode=1,force-sleepskip=1"
 packed = "89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9"
 strings:
- $indsys = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
- $decompress = {89 54 [2] 8B 50 ?? 89 54 [2] 8B 50 ?? C7 44 [2] 00 00 10 00 89 54 [2] 8B [5] C7 04 ?? 02 01 00 00 89}
+ $indirect = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
+ $sysenter1 = {89 44 24 08 8D 85 20 FC FF FF C7 44 24 04 FF FF 1F 00 89 04 24 E8}
+ $sysenter2 = {C7 44 24 0C 00 00 00 02 C7 44 24 08 00 00 00 02 8B 45 0C 89 44 24 04 8B 45 08 89 04 24 E8}
 condition:
- uint16(0) == 0x5A4D and all of them
+ uint16(0) == 0x5A4D and 2 of them
 }
 
 rule Pikabot
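Review bot: The widened condition `uint16(0) == 0x5A4D and 2 of them` lets Pikahook match on `$sysenter1` and `$sysenter2` alone, while `cape_options` still sets `sysbp=$indirect+40`; on such a match the option refers to a string that did not hit, and whether the analyzer then skips the breakpoint or fails is not visible from this hunk. If the bypass depends on `$indirect` being present, pin it in the condition, e.g. `uint16(0) == 0x5A4D and $indirect and 1 of ($sysenter*)`. The two `$sysenter*` patterns also carry unmasked frame displacements (`8D 85 20 FC FF FF`, `C7 44 24 0C`, `C7 44 24 08`) that a recompiled build may change, so a short comment naming the variant they were taken from would help whoever has to refresh them.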
@@ -20,8 +21,22 @@ rule Pikabot
 cape_options = "clear,bp0=$decode,action0=string:eax,count=0,force-sleepskip=1,typestring=Pikabot Config"
 packed = "89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9"
 strings:
- $indsys = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
- $decode = {B9 FC FF FF FF C7 05 [8] 81 E2 [4] 89 15 [4] 8B 55 ?? 29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16}
+ $indirect = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
+ $decode = {29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16 83 C4 ?? 5B 5E [0-1] 5D C3}
+ condition:
+ uint16(0) == 0x5A4D and all of them
+}
+
+rule PikExport
+{
+ meta:
+ author = "kevoreilly"
+ description = "Pikabot export selection"
+ cape_options = "export=$export"
+ hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646"
+ strings:
+ $export = {55 8B EC 83 EC ?? C6 45 [2] C6 45 [2] C6 45 [2] C6 45 [2] C6 45}
+ $pe = {B8 08 00 00 00 6B C8 00 8B 55 ?? 8B 45 ?? 03 44 0A 78 89 45 ?? 8B 4D ?? 8B 51 18 89 55 E8 C7 45 F8 00 00 00 00}
 condition:
 uint16(0) == 0x5A4D and all of them
 }
diff --git a/data/yara/CAPE/PikaBot.yar b/data/yara/CAPE/PikaBot.yar
index 46b357ab533..73e118a91f2 100644
--- a/data/yara/CAPE/PikaBot.yar
+++ b/data/yara/CAPE/PikaBot.yar
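Review bot: The new `$pe` string in PikExport masks some frame offsets but not others — `8B 55 ??`, `8B 45 ??` and `89 45 ??` are wildcarded while `89 55 E8 C7 45 F8` keep their literal displacements — so a different stack layout of the same routine will defeat the match even though the surrounding wildcards suggest that was meant to be tolerated; `89 55 ?? C7 45 ?? 00 00 00 00` would be consistent with the rest of the pattern. PikExport also records its reference sample under `hash = "…"` whereas the sibling rules in this file use `packed = "…"`, which makes the meta awkward to consume uniformly; use the same key unless this sample is deliberately the unpacked one, in which case a word in `description` should say so. The `$export` string is a prologue followed by five `C6 45 [2]` byte stores, which is a fairly generic shape; since `cape_options = "export=$export"` steers execution to whatever matches, a note on which export this was taken from would help future triage of mismatches.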
@@ -22,9 +22,10 @@ rule Pikasys
 cape_type = "PikaBot Payload"
 packed = "89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9"
 strings:
- $indsys = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
- $decode = {B9 FC FF FF FF C7 05 [8] 81 E2 [4] 89 15 [4] 8B 55 ?? 29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16}
- $decompress = {89 54 [2] 8B 50 ?? 89 54 [2] 8B 50 ?? C7 44 [2] 00 00 10 00 89 54 [2] 8B [5] C7 04 ?? 02 01 00 00 89}
+ $indirect = {31 C0 64 8B 0D C0 00 00 00 85 C9 74 01 40 50 8D 54 24 ?? E8 [4] A3 [4] 8B 25 [4] A1 [4] FF 15}
+ $sysenter1 = {89 44 24 08 8D 85 20 FC FF FF C7 44 24 04 FF FF 1F 00 89 04 24 E8}
+ $sysenter2 = {C7 44 24 0C 00 00 00 02 C7 44 24 08 00 00 00 02 8B 45 0C 89 44 24 04 8B 45 08 89 04 24 E8}
+ $decode = {29 D1 01 4B ?? 8D 0C 10 89 4B ?? 85 F6 74 02 89 16 83 C4 ?? 5B 5E [0-1] 5D C3}
 condition:
 uint16(0) == 0x5A4D and 2 of them
 }
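Review bot: With four strings under the unchanged `2 of them`, Pikasys now tags a file as `PikaBot Payload` when only `$sysenter1` and `$sysenter2` hit; both are plain stack-argument setup sequences ending in a `call`, and the only immediates they contain (`FF FF 1F 00`, `00 00 00 02`) are not obviously family-specific, so other binaries from the same toolchain could plausibly receive this classification. Consider anchoring on a family-specific string, e.g. `uint16(0) == 0x5A4D and ($decode or ($indirect and 1 of ($sysenter*)))`, so that the generic pair alone is never sufficient. The same string set and `2 of them` condition is introduced for Pikahook in analyzer/windows/data/yara/Pikabot.yar, though a loose match there only affects sandbox options rather than what the payload is reported as.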