Socks5Systemz update: detection & config extraction, parser update also required (CAPE-parsers repo)

kevoreilly · kevoreilly · commit da49cc429707 · 2025-05-23T18:05:17.000+01:00
diff --git a/analyzer/windows/data/yara/Socks5Systemz.yar b/analyzer/windows/data/yara/Socks5Systemz.yar
@@ -3,16 +3,17 @@ rule Socks5Systemz
     meta:
         author = "kevoreilly"
         description = "Socks5Systemz config extraction"
-        cape_options = "br0=user32::wsprintfA,action1=string:[esp],count=0,typestring=Socks5Systemz Config"
+        cape_options = "br0=user32::wsprintfA,br1=ntdll::sprintf,action2=string:[esp],action3=string:[esp],count=0,typestring=Socks5Systemz Config"
         packed = "9b997d0de3fe83091726919a0dc653e22f8f8b20b1bb7d0b8485652e88396f29"
     strings:
         $chunk1 = {0F B6 84 8A [4] E9 [3] (00|FF)}
         $chunk2 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk3 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk4 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk5 = {66 0F 6F 05 [4] E9 [3] (00|FF)}
-        $chunk6 = {F0 0F B1 95 [4] E9 [3] (00|FF)}
-        $chunk7 = {83 FA 04 E9 [3] (00|FF)}
+        $chunk3 = {66 0F 6F 05 [4] E9 [3] (00|FF)}
+        $chunk4 = {F0 0F B1 95 [4] E9 [3] (00|FF)}
+        $chunk5 = {83 FA 04 E9 [3] (00|FF)}
+        $chunk6 = {8A 04 8D [4] E9 [3] (00|FF)}
+        $chunk7 = {83 C4 04 83 C4 04 E9}
+        $chunk8 = {83 C2 04 87 14 24 5C E9}
     condition:
-        uint16(0) == 0x5A4D and 6 of them
+        uint16(0) == 0x5A4D and 5 of them
 }
diff --git a/changelog.md b/changelog.md
@@ -1,4 +1,5 @@
 ### [23.05.2025]
+* Socks5Systemz update: detection & config extraction, parser update also required (CAPE-parsers repo)
 * Monitor updates:
     * Trace: do not wrap GetExportNameByAddress() in try/catch and do not use StepOverRegister in BreakOnReturnCallback()
     * Debugger: fix br1 (break on return) config option parsing (config.c)
diff --git a/data/yara/CAPE/Socks5Systemz.yar b/data/yara/CAPE/Socks5Systemz.yar
@@ -8,11 +8,12 @@ rule Socks5Systemz
     strings:
         $chunk1 = {0F B6 84 8A [4] E9 [3] (00|FF)}
         $chunk2 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk3 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk4 = {0F B6 04 8D [4] E9 [3] (00|FF)}
-        $chunk5 = {66 0F 6F 05 [4] E9 [3] (00|FF)}
-        $chunk6 = {F0 0F B1 95 [4] E9 [3] (00|FF)}
-        $chunk7 = {83 FA 04 E9 [3] (00|FF)}
+        $chunk3 = {66 0F 6F 05 [4] E9 [3] (00|FF)}
+        $chunk4 = {F0 0F B1 95 [4] E9 [3] (00|FF)}
+        $chunk5 = {83 FA 04 E9 [3] (00|FF)}
+        $chunk6 = {8A 04 8D [4] E9 [3] (00|FF)}
+        $chunk7 = {83 C4 04 83 C4 04 E9}
+        $chunk8 = {83 C2 04 87 14 24 5C E9}
     condition:
-        uint16(0) == 0x5A4D and 6 of them
+        uint16(0) == 0x5A4D and 5 of them
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`### [23.05.2025]`
	`2`	`+* Socks5Systemz update: detection & config extraction, parser update also required (CAPE-parsers repo)`
`2`	`3`	`* Monitor updates:`
`3`	`4`	`* Trace: do not wrap GetExportNameByAddress() in try/catch and do not use StepOverRegister in BreakOnReturnCallback()`
`4`	`5`	`* Debugger: fix br1 (break on return) config option parsing (config.c)`