Merge pull request #2690 from YungBinary/master

kevoreilly · web-flow · commit 7ed9de077042 · 2025-10-06T13:11:53.000+01:00
Add NightshadeC2, MonsterV2 Yara Rules
diff --git a/data/yara/CAPE/MonsterV2.yar b/data/yara/CAPE/MonsterV2.yar
@@ -0,0 +1,21 @@
+rule MonsterV2
+{
+    meta:
+        author = "doomedraven,YungBinary"
+        description = "MonsterV2 Payload"
+        cape_type = "MonsterV2 Payload"
+        packed = "fe69e8db634319815270aa0e55fe4b9c62ce8e62484609c3a42904fbe5bb2ab3"
+    strings:
+        $decrypt_config = {
+            41 B8 0E 04 00 00
+            48 8D 15 ?? ?? ?? 00
+            48 8B C?
+            E8 ?? ?? ?? ?? [3-17]
+            4C 8B C?
+            48 8D 54 24 28
+            48 8B CE
+            E8 ?? ?? ?? ??
+        }
+    condition:
+        uint16(0) == 0x5A4D and $decrypt_config
+}
diff --git a/data/yara/CAPE/NightshadeC2.yar b/data/yara/CAPE/NightshadeC2.yar
@@ -0,0 +1,20 @@
+rule NightshadeC2
+{
+    meta:
+        author = "YungBinary"
+        description = "NightshadeC2 AKA CastleRAT - https://x.com/YungBinary/status/1963751038340534482"
+        hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
+        cape_type = "NightshadeC2 Payload"
+    strings:
+        $s1 = "keylog.txt" fullword wide
+        $s2 = "\"%ws\" --mute-audio --do-not-de-elevate" fullword wide
+        $s3 = "\"%ws\" -no-deelevate" fullword wide
+        $s4 = "MachineGuid" fullword wide
+        $s5 = "www.ip-api.com" fullword wide
+        $s6 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61" fullword wide
+        $s7 = "IsabellaWine" fullword wide
+        $s8 = "Shell_TrayWnd" fullword wide
+
+    condition:
+        uint16(0) == 0x5A4D and 3 of them
+}
diff --git a/installer/kvm-qemu.sh b/installer/kvm-qemu.sh
@@ -918,13 +918,13 @@ function install_qemu() {
                     make -j"$(nproc)" install
                 fi
                 # hack for libvirt/virt-manager
-                if [ ! -f /usr/bin/qemu-system-x86_64-spice ]; then
+                if [ ! -L /usr/bin/qemu-system-x86_64-spice ]; then
                     ln -s /usr/bin/qemu-system-x86_64 /usr/bin/qemu-system-x86_64-spice
                 fi
-                if [ ! -f /usr/bin/kvm-spice ]; then
+                if [ ! -L /usr/bin/kvm-spice ]; then
                     ln -s /usr/bin/qemu-system-x86_64 /usr/bin/kvm-spice
                 fi
-                if [ ! -f /usr/bin/kvm ]; then
+                if [ ! -L /usr/bin/kvm ]; then
                     ln -s /usr/bin/qemu-system-x86_64 /usr/bin/kvm
                 fi
                 if  [ $? -eq 0 ]; then
@@ -976,6 +976,7 @@ function install_seabios() {
         # Windows 10(latest rev.) is uninstallable without ACPI_DSDT
         # sed -i 's/CONFIG_ACPI_DSDT=y/CONFIG_ACPI_DSDT=n/g' .config
         if PIP_BREAK_SYSTEM_PACKAGES=1 make -j "$(nproc)"; then
+            mkdir -p /usr/share/qemu
             echo '[+] Replacing old bios.bin to new out/bios.bin'
             bios=0
             SHA256_BIOS=$(shasum -a 256 out/bios.bin|awk '{print $1}')
