From c6ff6da60e9ca372158bafc209cf406e739ae975 Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 10 Jan 2025 16:12:42 +0000
Subject: [PATCH 1/2] Update Arkei rule to match new samples

---
 data/yara/CAPE/Arkei.yar | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/data/yara/CAPE/Arkei.yar b/data/yara/CAPE/Arkei.yar
index f168915ed1e..56bf049f88e 100644
--- a/data/yara/CAPE/Arkei.yar
+++ b/data/yara/CAPE/Arkei.yar
@@ -1,7 +1,7 @@
 rule Arkei
 {
 meta:
- author = "kevoreilly"
+ author = "kevoreilly, YungBinary"
 description = "Arkei Payload"
 cape_type = "Arkei Payload"
 strings:
@@ -19,6 +19,32 @@ rule Arkei
 $v7 = "files\\cc_" ascii wide
 $v8 = "files\\autofill_" ascii wide
 $v9 = "files\\cookies_" ascii wide
+
+ $loaded_modules = {
+ 64 A1 30 00 00 00
+ 8B 40 0C
+ 8B 40 0C
+ 8B 00
+ 8B 00
+ 8B 40 18
+ 89 45 FC
+ 8B 45 FC
+ 8B E5
+ 5D
+ C3
+ }
+
+ $language_check = {
+ FF 15 ?? ?? ?? ??
+ 0F B7 C0
+ 89 45 ??
+ 81 7D ?? 3F 04 ?? ??
+ 7F
+ }
+
+ $ext1 = ".zoo" ascii
+ $ext2 = ".arc" ascii
+
 condition:
- uint16(0) == 0x5A4D and (all of ($string*) or 7 of ($v*))
+ uint16(0) == 0x5A4D and (($loaded_modules and $language_check and $ext1 and $ext2) or (all of ($string*) or 7 of ($v*)))
 }

From d22e17d623c9adbeca13daca3a7883bea81d53d5 Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 10 Jan 2025 16:13:16 +0000
Subject: [PATCH 2/2] Update Arkei rule to match new samples

---
 data/yara/CAPE/Arkei.yar | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/data/yara/CAPE/Arkei.yar b/data/yara/CAPE/Arkei.yar
index 56bf049f88e..7eff6c52021 100644
--- a/data/yara/CAPE/Arkei.yar
+++ b/data/yara/CAPE/Arkei.yar
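Review bot: The new `$loaded_modules` pattern in the second hunk is a generic 32-bit PEB walk (`64 A1 30 00 00 00` is `mov eax, fs:[0x30]`, and the following `8B 40 0C` / `8B 00` / `8B 40 18` loads appear to step through the Ldr module list to a DllBase) closed by a stock `mov esp, ebp; pop ebp; ret` epilogue, so on its own it is not family-specific and the selectivity of the new OR branch rests on `$language_check` and the two four-byte `$ext*` strings. That is workable because the four are ANDed, but nothing in the rule records that intent, and `.zoo`/`.arc` drop the `wide` modifier every other visible string carries, which reads as deliberate only if the new samples store them ASCII-only. Suggest a one-line comment above each hex block, e.g. `// PEB->Ldr module walk: generic on its own, only meaningful ANDed with $language_check and $ext*`, plus a meta entry for the samples the subject line refers to, e.g. `hash = "<sha256 of new sample>"`, so the pattern can be re-validated the next time the rule is touched. The `$string*` set used in the condition is defined outside the hunk.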
@@ -35,12 +35,12 @@ rule Arkei
 }

 $language_check = {
- FF 15 ?? ?? ?? ??
- 0F B7 C0
- 89 45 ??
- 81 7D ?? 3F 04 ?? ??
- 7F
- }
+ FF 15 ?? ?? ?? ??
+ 0F B7 C0
+ 89 45 ??
+ 81 7D ?? 3F 04 ?? ??
+ 7F
+ }

 $ext1 = ".zoo" ascii
 $ext2 = ".arc" ascii