From 3837aeaf783cec5c2b2d85347556835992e31071 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 09:49:02 -0400
Subject: [PATCH 1/4] Update AdaptixBeacon yara and add NitrogenBunnyDownloader yara
---
 data/yara/CAPE/AdaptixBeacon.yar | 1 -
 data/yara/CAPE/NitroBunnyDownloader.yar | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 data/yara/CAPE/NitroBunnyDownloader.yar
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index efa3c297850..b6f0ada26b0 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
@@ -4,7 +4,6 @@ rule AdaptixBeacon
 author = "enzok"
 description = "AdaptixBeacon Payload"
 cape_type = "AdaptixBeacon Payload"
- hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
 strings:
 $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
 $conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar
new file mode 100644
index 00000000000..c878bc3fb81
--- /dev/null
+++ b/data/yara/CAPE/NitroBunnyDownloader.yar
@@ -0,0 +1,17 @@
+rule NitroBunnyDownloader
+{
+ meta:
+ author = "enzok"
+ description = "NitroBunnyDownloader"
+ cape_type = "NitroBunnyDownloader Payload"
+ hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
+ strings:
+ $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+ $string1 = "X-Amz-User-Agent:" wide
+ $string2 = "Amz-Security-Flag:" wide
+ $string3 = "/cart" wide
+ $string4 = "Cookie: " wide
+ $string5 = "wishlist" wide
+ condition:
+ uint16(0) == 0x5A4D and $config and 2 of ($string*)
+}
\ No newline at end of file
From 378edda14f9a7b02e340fcc9ffe73939b10e6761 Mon Sep 17 00:00:00 2001
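Review bot: In the NitroBunnyDownloader hunk, `description = "NitroBunnyDownloader"` only repeats the rule name, whereas the sibling AdaptixBeacon rule touched in the same commit uses the `"<Family> Payload"` form that this rule's own `cape_type` already follows; `description = "NitroBunnyDownloader Payload"` keeps the two files consistent. The five `$string*` tokens are generic HTTP and shop vocabulary (`"Cookie: "`, `"/cart"`, `"wishlist"`), so the match is carried almost entirely by `$config`; a one-line `//` comment above it naming the call sequence it anchors on (it looks like an x64 argument-setup sequence ending in a `call`, but that should be confirmed against the sample) would tell the next maintainer what to re-verify when the family changes. The commit subject calls the new rule "NitrogenBunnyDownloader" while the file and rule are named NitroBunnyDownloader; one of the two should be corrected so the family name is searchable. The hunk covers the entire new file, so nothing is cut off.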
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:13:30 -0400
Subject: [PATCH 2/4] add missing hash
---
 data/yara/CAPE/AdaptixBeacon.yar | 1 +
 1 file changed, 1 insertion(+)
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index b6f0ada26b0..efa3c297850 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
@@ -4,6 +4,7 @@ rule AdaptixBeacon
 author = "enzok"
 description = "AdaptixBeacon Payload"
 cape_type = "AdaptixBeacon Payload"
+ hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
 strings:
 $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
 $conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
From 26d76a53b8c6601202ed596f6fafe2ac65780cd3 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:20:28 -0400
Subject: [PATCH 3/4] add missing update
---
 data/yara/CAPE/AdaptixBeacon.yar | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index efa3c297850..0d507f3f0b2 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
@@ -6,11 +6,13 @@ rule AdaptixBeacon
 cape_type = "AdaptixBeacon Payload"
 hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
 strings:
- $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
+ $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04 ?? E8}
 $conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
 $conf_3 = {E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 58 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 60 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 68}
- $wininet_1 = {B9 77 00 00 00 4? 89 50 28 E8 [4] B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24}
- $wininet_2 = {B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24 ?? E8 [4] B9 65 00 00 00 88 44 24}
+ $conf_4 = {8D ?? ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 ?? 4? 8B ?? FF ?? ?? 4? 8B ?? 48 66 ?? 89 ?? ?? EB}
+ $conf_5 = {48 89 ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 D9 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89 ?? 4? 89 ?? 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89}
+ $wininet_1 = {B9 77 00 00 00 [0-4] E8 [4] B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24}
+ $wininet_2 = {B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24 [0-4] E8 [4] B9 65 00 00 00 88 ?4 24}
 condition:
 1 of ($conf_*) and 1 of ($wininet_*)
 }
\ No newline at end of file
From 3b89448abbb2516a14ced36a0f94e2ffb6991b81 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:30:13 -0400
Subject: [PATCH 4/4] Gemini nags
---
 data/yara/CAPE/AdaptixBeacon.yar | 2 +-
 data/yara/CAPE/NitroBunnyDownloader.yar | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index 0d507f3f0b2..4e68fcc7a8a 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
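Review bot: `$conf_4` is by far the loosest pattern in the set — 13 of its 30 bytes are `??`, five more are `4?`, and it ends on a bare `EB` (short jmp) opcode — and since the condition is `1 of ($conf_*) and 1 of ($wininet_*)` it can satisfy the config side on its own, so the rule's false-positive budget now rests on the `$wininet_*` strings, which this same hunk also widens (`[0-4]` jumps and `88 ?4 24` in place of `88 44 24`). None of the five `$conf_n` variants records what code shape or build it was derived from; a `//` comment per string such as `// <variant placeholder>: config-field load sequence` would let a maintainer judge whether a later edit to one variant is a regression rather than a tightening. The NitroBunnyDownloader rule added earlier in this series gates on `uint16(0) == 0x5A4D`; if AdaptixBeacon is only meant to fire on PE files rather than on memory-dumped beacons, the same gate would absorb much of the slack `$conf_4` introduces, and if it must match dumps, a comment saying so would stop a reviewer from adding it later. The enclosing `rule AdaptixBeacon` header and `meta:` block begin before this hunk.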
@@ -15,4 +15,4 @@ rule AdaptixBeacon
 $wininet_2 = {B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24 [0-4] E8 [4] B9 65 00 00 00 88 ?4 24}
 condition:
 1 of ($conf_*) and 1 of ($wininet_*)
-}
\ No newline at end of file
+}
diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar
index c878bc3fb81..733efe3a41a 100644
--- a/data/yara/CAPE/NitroBunnyDownloader.yar
+++ b/data/yara/CAPE/NitroBunnyDownloader.yar
@@ -14,4 +14,4 @@ rule NitroBunnyDownloader
 $string5 = "wishlist" wide
 condition:
 uint16(0) == 0x5A4D and $config and 2 of ($string*)
-}
\ No newline at end of file
+}