diff --git a/analyzer/windows/dll/capemon.dll b/analyzer/windows/dll/capemon.dll
index 3c8eede5766..a8aebabb60b 100755
Binary files a/analyzer/windows/dll/capemon.dll and b/analyzer/windows/dll/capemon.dll differ
diff --git a/analyzer/windows/dll/capemon_x64.dll b/analyzer/windows/dll/capemon_x64.dll
index 8f8d60e9cd8..ce5ae64d78e 100755
Binary files a/analyzer/windows/dll/capemon_x64.dll and b/analyzer/windows/dll/capemon_x64.dll differ
diff --git a/changelog.md b/changelog.md
index bf380f4b69c..ac95778695f 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,6 @@
+### [06.10.2025]
+* Monitor update: Improve debugger breakpoint protection, fixes instruction counting anti-debug detection in CheckPoint ShowStopper (thanks @cccs-mog)
+
 ### [03.10.2025]
 * Monitor update: Fix issue with hook_restore config setting being ignored (fixes #2715 - thanks @federicofantini)
diff --git a/data/yara/CAPE/MonsterV2.yar b/data/yara/CAPE/MonsterV2.yar
new file mode 100644
index 00000000000..b3ef952e1d4
--- /dev/null
+++ b/data/yara/CAPE/MonsterV2.yar
@@ -0,0 +1,21 @@
+rule MonsterV2
+{
+ meta:
+ author = "doomedraven,YungBinary"
+ description = "MonsterV2 Payload"
+ cape_type = "MonsterV2 Payload"
+ packed = "fe69e8db634319815270aa0e55fe4b9c62ce8e62484609c3a42904fbe5bb2ab3"
+ strings:
+ $decrypt_config = {
+ 41 B8 0E 04 00 00
+ 48 8D 15 ?? ?? ?? 00
+ 48 8B C?
+ E8 ?? ?? ?? ?? [3-17]
+ 4C 8B C?
+ 48 8D 54 24 28
+ 48 8B CE
+ E8 ?? ?? ?? ??
+ }
+ condition:
+ uint16(0) == 0x5A4D and $decrypt_config
+}
diff --git a/data/yara/CAPE/NightshadeC2.yar b/data/yara/CAPE/NightshadeC2.yar
new file mode 100644
index 00000000000..b62bc519c14
--- /dev/null
+++ b/data/yara/CAPE/NightshadeC2.yar
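Review bot: The reference sample hash in MonsterV2's meta block is stored under `packed = "..."`, while the NightshadeC2 rule added in the same commit stores its hash as `hash = "..."`; anything that reads rule metadata by key name will see only one of the two. Unless `packed` is deliberately meant to say "this is the packed sample, not the payload", the consistent form is `hash = "fe69e8db634319815270aa0e55fe4b9c62ce8e62484609c3a42904fbe5bb2ab3"`; if the distinction is intended, a one-line comment above the field stating that would save the next maintainer from "fixing" it.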
@@ -0,0 +1,20 @@
+rule NightshadeC2
+{
+ meta:
+ author = "YungBinary"
+ description = "NightshadeC2 AKA CastleRAT - https://x.com/YungBinary/status/1963751038340534482"
+ hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
+ cape_type = "NightshadeC2 Payload"
+ strings:
+ $s1 = "keylog.txt" fullword wide
+ $s2 = "\"%ws\" --mute-audio --do-not-de-elevate" fullword wide
+ $s3 = "\"%ws\" -no-deelevate" fullword wide
+ $s4 = "MachineGuid" fullword wide
+ $s5 = "www.ip-api.com" fullword wide
+ $s6 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61" fullword wide
+ $s7 = "IsabellaWine" fullword wide
+ $s8 = "Shell_TrayWnd" fullword wide
+
+ condition:
+ uint16(0) == 0x5A4D and 3 of them
+}
diff --git a/installer/kvm-qemu.sh b/installer/kvm-qemu.sh
index 7ce6f3db773..81a9014c0f0 100755
--- a/installer/kvm-qemu.sh
+++ b/installer/kvm-qemu.sh
@@ -918,13 +918,13 @@ function install_qemu() {
 make -j"$(nproc)" install
 fi
 # hack for libvirt/virt-manager
- if [ ! -f /usr/bin/qemu-system-x86_64-spice ]; then
+ if [ ! -L /usr/bin/qemu-system-x86_64-spice ]; then
 ln -s /usr/bin/qemu-system-x86_64 /usr/bin/qemu-system-x86_64-spice
 fi
- if [ ! -f /usr/bin/kvm-spice ]; then
+ if [ ! -L /usr/bin/kvm-spice ]; then
 ln -s /usr/bin/qemu-system-x86_64 /usr/bin/kvm-spice
 fi
- if [ ! -f /usr/bin/kvm ]; then
+ if [ ! -L /usr/bin/kvm ]; then
 ln -s /usr/bin/qemu-system-x86_64 /usr/bin/kvm
 fi
 if [ $? -eq 0 ]; then
@@ -976,6 +976,7 @@ function install_seabios() {
 # Windows 10(latest rev.) is uninstallable without ACPI_DSDT
 # sed -i 's/CONFIG_ACPI_DSDT=y/CONFIG_ACPI_DSDT=n/g' .config
 if PIP_BREAK_SYSTEM_PACKAGES=1 make -j "$(nproc)"; then
+ mkdir -p /usr/share/qemu
 echo '[+] Replacing old bios.bin to new out/bios.bin'
 bios=0
 SHA256_BIOS=$(shasum -a 256 out/bios.bin|awk '{print $1}')
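Review bot: The condition `uint16(0) == 0x5A4D and 3 of them` is satisfiable by the generic identifiers alone — `$s4` (a registry value name), `$s5` (a public geolocation API host) and `$s8` (the taskbar window class) occur in plenty of unrelated software and other families, so a match on just those three would still be labelled "NightshadeC2 Payload" and could misdirect triage. The strings that actually characterise this family are `$s2`, `$s3`, `$s6` and `$s7`; requiring at least one of them keeps the threshold while fixing the attribution, e.g. `uint16(0) == 0x5A4D and 1 of ($s2, $s3, $s6, $s7) and 3 of them`. A short comment next to `$s7` noting where that string comes from would also help future readers judge how stable it is.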
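Review bot: Changing the guard from `-f` to `-L` makes a regular file already present at `/usr/bin/kvm` (or the two `*-spice` paths, which have the same change) pass `! -L`, so the unguarded `ln -s` then fails with "File exists" where the old test skipped it; conversely a dangling symlink now satisfies `-L` and is left broken. If the intent is "make sure a usable link to qemu-system-x86_64 exists without clobbering a real file", `[ ! -e path ]` expresses it (false for an existing file or a good link, true for nothing or a dangling link) combined with `ln -sfn`, e.g. `if [ ! -e /usr/bin/kvm ]; then ln -sfn /usr/bin/qemu-system-x86_64 /usr/bin/kvm; fi`. Note also that the `if [ $? -eq 0 ]` on the hunk's last line only reflects the last `ln` (or 0 when that branch was skipped), so a failure of the first two links goes unnoticed; install_qemu's body continues outside the hunk.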
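Review bot: The added `mkdir -p /usr/share/qemu` is not checked, so if the directory cannot be created (for example because that path already exists as a file) the function carries on into the bios.bin replacement that follows with nothing reporting why the copy later fails. Suggest `mkdir -p /usr/share/qemu || { echo '[-] Cannot create /usr/share/qemu'; return 1; }`, adjusted to whatever error convention install_seabios uses elsewhere; its body continues outside the hunk.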