
Commit 5d15ec1

Merge pull request #2650 from enzok/patch-enzo-1
update nitrogenloader
2 parents b7524c4 + fa4b09a commit 5d15ec1

3 files changed

+12
-4
lines changed


analyzer/windows/data/yara/NitrogenLoader.yar

Lines changed: 6 additions & 2 deletions
@@ -55,8 +55,12 @@ rule NitrogenLoaderConfig
5555
$taskman_2 = {B9 4D 00 00 00 88 84 24 [4] E8 [4] B9 61 00 00 00 88 84 24 [4] E8 [4] B9 6E 00 00 00 88 84 24 [4] E8 [3] FF}
5656
$taskman_3 = {B9 61 00 00 00 88 84 24 [4] E8 [4] B9 67 00 00 00 88 84 24 [4] E8 [4] B9 65 00 00 00 88 84 24 [4] E8 [3] FF}
5757
$taskman_4 = {B9 72 00 00 00 88 84 24 [4] E8 [4] 31 C9 88 84 24 [4] E8 [3] FF}
58-
$rc4decrypt_1 = {48 89 ?? 48 89 ?? E8 [4] 48 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 89 EA E8 [4] 48 89}
58+
$installers_1 = {B9 49 00 00 00 E8 [4] B9 6E 00 00 00 88 84 24 [4] E8 [4] B9 73 00 00 00 88 84 24 [4] E8 [3] FF}
59+
$installers_2 = {B9 74 00 00 00 88 84 24 [4] E8 [4] B9 61 00 00 00 88 84 24 [4] E8 [4] B9 6C 00 00 00 88 84 24 [4] E8 [3] FF}
60+
$installers_3 = {B9 6C 00 00 00 88 84 24 [4] E8 [4] B9 65 00 00 00 88 84 24 [4] E8 [3] FF}
61+
$installers_4 = {B9 72 00 00 00 88 84 24 [4] E8 [4] B9 73 00 00 00 88 84 24 [4] E8 [3] FF}
62+
$rc4decrypt_1 = {48 89 ?? 4? 89 ?? E8 [4] 4? 8B ?? 24 [1-4] 4? 89 ?? 4? 89 ?? 4? 89 C1 [0-1] 89 ?? E8 [4] 4? 89}
5963
$rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}
6064
condition:
61-
any of ($decrypt*) or ($key and (3 of ($taskman_*) and 1 of ($rc4decrypt_*)))
65+
any of ($decrypt*) or ($key and (3 of ($taskman_*) or 3 of ($installers*) and 1 of ($rc4decrypt_*)))
6266
}
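Review bot: the new condition at the `65+` line has an operator-precedence problem. In YARA `and` binds tighter than `or`, so `3 of ($taskman_*) or 3 of ($installers*) and 1 of ($rc4decrypt_*)` parses as `3 of ($taskman_*) or (3 of ($installers*) and 1 of ($rc4decrypt_*))`, which means the `$taskman_*` branch no longer requires an `$rc4decrypt_*` hit, a silent loosening compared with the removed `61-` line. The CAPE copy of this rule in the same commit gets it right with explicit grouping; mirror that here, e.g. `any of ($decrypt*) or ($key and ((3 of ($taskman_*) or 3 of ($installers*)) and 1 of ($rc4decrypt_*)))`. Since the `62+` line also widens `$rc4decrypt_1` (several `48` bytes become `4?`, plus an optional `[0-1]` byte), keeping the rc4decrypt requirement on both branches matters more, not less, for false-positive control.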

data/yara/CAPE/NitrogenLoader.yar

Lines changed: 5 additions & 1 deletion
@@ -24,8 +24,12 @@ rule NitrogenLoader
2424
$taskman_2 = {B9 4D 00 00 00 88 84 24 [4] E8 [4] B9 61 00 00 00 88 84 24 [4] E8 [4] B9 6E 00 00 00 88 84 24 [4] E8 [3] FF}
2525
$taskman_3 = {B9 61 00 00 00 88 84 24 [4] E8 [4] B9 67 00 00 00 88 84 24 [4] E8 [4] B9 65 00 00 00 88 84 24 [4] E8 [3] FF}
2626
$taskman_4 = {B9 72 00 00 00 88 84 24 [4] E8 [4] 31 C9 88 84 24 [4] E8 [3] FF}
27+
$installers_1 = {B9 49 00 00 00 E8 [4] B9 6E 00 00 00 88 84 24 [4] E8 [4] B9 73 00 00 00 88 84 24 [4] E8 [3] FF}
28+
$installers_2 = {B9 74 00 00 00 88 84 24 [4] E8 [4] B9 61 00 00 00 88 84 24 [4] E8 [4] B9 6C 00 00 00 88 84 24 [4] E8 [3] FF}
29+
$installers_3 = {B9 6C 00 00 00 88 84 24 [4] E8 [4] B9 65 00 00 00 88 84 24 [4] E8 [3] FF}
30+
$installers_4 = {B9 72 00 00 00 88 84 24 [4] E8 [4] B9 73 00 00 00 88 84 24 [4] E8 [3] FF}
2731
$rc4decrypt_1 = {48 89 ?? 4? 89 ?? E8 [4] 4? 8B ?? 24 [1-4] 4? 89 ?? 4? 89 ?? 4? 89 C1 [0-1] 89 ?? E8 [4] 4? 89}
2832
$rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}
2933
condition:
30-
(2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or (3 of ($taskman_*) and all of ($rc4decrypt_*))
34+
(2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or ((3 of ($taskman_*) or 3 of ($installers*)) and all of ($rc4decrypt_*))
3135
}
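Review bot: the four `$installers_*` strings added at `27+` to `30+` carry no comment saying what they match, and the commit message ("update nitrogenloader") does not either. The immediate byte values in the `B9 xx 00 00 00` moves spell out `I n s t a l l e r s` (0x49 0x6E 0x73 0x74 0x61 0x6C 0x6C 0x65 0x72 0x73), the same stack-string construction the existing `$taskman_*` strings use for `M a n a g e r`; a one-line comment next to the strings recording that would help the next maintainer. One detail worth confirming: `$installers_1` opens with `B9 49 00 00 00 E8 [4]`, i.e. the first character is not followed by the `88 84 24 [4]` store that every other chunk in this rule has before its call; if that is deliberate for the first byte of the string, say so in the comment, otherwise the pattern should follow the others. The condition change at `34+` is correctly parenthesized and preserves the `all of ($rc4decrypt_*)` requirement on both branches.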

tests/data

Submodule data updated 23 files
