From ebf09b293a6b8d66ec02cdda0af4d8d5c3c317ab Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Mon, 2 Dec 2024 11:20:29 -0500
Subject: [PATCH] tweak nitrogen loader rules

---
 analyzer/windows/data/yara/NitrogenLoader.yar | 15 ++++++++++++++-
 data/yara/CAPE/NitrogenLoader.yar | 4 ++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/analyzer/windows/data/yara/NitrogenLoader.yar b/analyzer/windows/data/yara/NitrogenLoader.yar
index 0c37500494a..ef8dfc17afe 100644
--- a/analyzer/windows/data/yara/NitrogenLoader.yar
+++ b/analyzer/windows/data/yara/NitrogenLoader.yar
@@ -38,4 +38,17 @@ rule NitrogenLoaderBypass
 $exit = {33 C9 E8 [4] E8 [4] 48 8D 84 24 [4] 48 89 44 24 ?? 4? B? E4 00 00 00 4? 8B 05 [4] B? 03 00 00 00 48 8D}
 condition:
 all of them
-}
\ No newline at end of file
+}
+
+rule NitrogenLoaderConfig
+{
+ meta:
+ author = "enzok"
+ description = "NitrogenLoader Config Extraction"
+ cape_options = "bp0=$decrypt2*-2,hc0=1,count=0,action0=string:rcx,typestring=NitrogenLoader Config"
+ strings:
+ $decrypt1 = {48 8B 8C 24 [4] 0F B6 04 01 89 ?? 24 [1-4] 48 63 4C 24 ?? 33 D2 48 8B C1 48 F7 B4 24 [4] 48 8B C2 48 8B 8C}
+ $decrypt2 = {48 8B 8C 24 [4] 0F BE 04 01 8B ?? 24 [1-4] 33 C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A}
+ condition:
+ all of them
+}
diff --git a/data/yara/CAPE/NitrogenLoader.yar b/data/yara/CAPE/NitrogenLoader.yar
index 0a15a01dc46..8a13b6888dd 100644
--- a/data/yara/CAPE/NitrogenLoader.yar
+++ b/data/yara/CAPE/NitrogenLoader.yar
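Review bot: `$decrypt2` in the new NitrogenLoaderConfig rule keeps the full `48 8B 8C 24 [4] 0F BE 04 01 8B ?? 24 …` form, while the same commit shortens the corresponding `$decryptrsc2` in data/yara/CAPE/NitrogenLoader.yar to start at `8B ?? 24 [1-4] 33 C8 …`, so the two files now disagree on the same routine. If the prefix was dropped there because it varies across samples, this rule will fail to fire on exactly those samples and the config breakpoint will never be set; if it was kept on purpose because `bp0=$decrypt2*-2` is presumably resolved from the match start and a shorter pattern would move the breakpoint, that coupling deserves a comment. Suggest adding above `$decrypt2`: `// NOTE: keep in step with $decryptrsc2 in data/yara/CAPE/NitrogenLoader.yar; bp0 in cape_options is anchored to this match, so changing where it starts shifts the breakpoint`. It would also help to note in `meta` which sample the two new patterns were taken from, since nothing in the rule records that.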
@@ -16,8 +16,8 @@ rule NitrogenLoader
 $syscall = {48 83 C4 ?? 4? 8B 4C 24 ?? 4? 8B 54 24 ?? 4? 8B 44 24 ?? 4? 8B 4C 24 ?? 4? 89 CA 4? FF E3}
 $decryptstr1 = {33 D2 48 8B 04 24 B? 0C 00 00 00 48 F7 F1 48 8B C2 48 C1 E0 02 0F B6 C8 48 8B 44 24 ?? 48 D3 E8 48 25 AB 00 00 00}
 $decryptstr2 = {0F BE C0 48 8B 0C 24 48 8B 54 24 ?? 48 03 D1 48 8B CA 0F BE 09 33 C8 8B C1 48 8B 0C 24 48 8B 54 24 ?? 48 03 D1}
- $decryptrsc1 = {48 63 44 24 ?? 48 8B 8C 24 [4] 0F B6 04 01 89 ?? 24 [1-4] 48 63 4C 24 ?? 33 D2 48 8B C1 48 F7 B4 24 [4] 48 8B C2}
- $decryptrsc2 = {48 8B 8C 24 [4] 0F BE 04 01 8B ?? 24 [1-4] 33 C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A}
+ $decryptrsc1 = {48 8B 8C 24 [4] 0F B6 04 01 89 ?? 24 [1-4] 48 63 4C 24 ?? 33 D2 48 8B C1 48 F7 B4 24 [4] 48 8B C2 48 8B 8C}
+ $decryptrsc2 = {8B ?? 24 [1-4] 33 C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A}
 condition:
 (all of ($string*) or all of ($decrypt*)) and any of ($syscall*)
 }
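Review bot: The shortened `$decryptrsc2` now opens with `8B ?? 24 [1-4] 33 C8 8B C1`, a generic `mov r32, [rsp+disp]` followed by an xor/mov pair, so most of the pattern's selectivity now rests on the `48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A` tail; the condition still requires all of `$decrypt*` together with a `$syscall*` hit, which bounds the false-positive exposure, but the loosened string should be re-run against a clean-file corpus before the rule ships. Nothing in the hunk records why the `48 8B 8C 24 [4] 0F BE 04 01` prefix was removed (presumably it differs between samples), so a one-line comment such as `// leading mov/movsx bytes differ between samples; anchor on the xor/store sequence instead` would stop the next editor from re-adding them. The rule's `meta` block and `$string*` definitions sit above the hunk, so whether a date or version field was bumped for this change cannot be seen here.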