From 05e5988207ca9bfb9be387bdc876f2afc4a949c6 Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 24 Oct 2025 14:18:14 -0600
Subject: [PATCH 1/2] Add Winos4.0 and MyKings
---
 data/yara/CAPE/MyKings.yar | 23 +++++++++++++++++++
 data/yara/CAPE/WinosStager.yar | 41 ++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 data/yara/CAPE/MyKings.yar
 create mode 100644 data/yara/CAPE/WinosStager.yar
diff --git a/data/yara/CAPE/MyKings.yar b/data/yara/CAPE/MyKings.yar
new file mode 100644
index 00000000000..f19219e0332
--- /dev/null
+++ b/data/yara/CAPE/MyKings.yar
@@ -0,0 +1,23 @@
+rule MyKings
+{
+ meta:
+ author = "YungBinary"
+ description = "https://x.com/YungBinary/status/1981108948498333900"
+ cape_type = "MyKings Payload"
+ strings:
+ $s1 = "login.php?uid=0" wide
+ $s2 = "download.txt?rnd=" wide
+ $s3 = "AcceptOK" ascii
+ $s4 = "winsta0\\default" wide
+ $s5 = "base64_ip.txt" wide
+ $s6 = { 70 00 6F 00 77 00 65 00 72 00 74 00 6F 00 6F 00 6C 00 00 00 6B 00 61 00 73 00 70 00 65 00 72 00 73 00 6B 00 79 }
+ $s7 = { 53 00 61 00 66 00 65 00 00 00 00 00 45 00 73 00 65 00 74 }
+ $s8 = { 4E 00 6F 00 64 00 33 00 32 00 00 00 4D 00 61 00 6C 00 77 00 61 00 72 00 65 }
+ $s9 = "Custom C++ HTTP Client/1.0" wide
+ $s10 = "/ru \"SYSTEM\" /f" ascii
+ $s11 = "cmd.exe /C timeout /t 1 & del " wide
+ $s12 = "/login.aspx?uid=0" wide
+ $s13 = "Y21kMS5jbWQtMjMwODEyLnJ1Oj" ascii
+ condition:
+ uint16(0) == 0x5a4d and (3 of ($s*))
+}
diff --git a/data/yara/CAPE/WinosStager.yar b/data/yara/CAPE/WinosStager.yar
new file mode 100644
index 00000000000..8bcf6143b1f
--- /dev/null
+++ b/data/yara/CAPE/WinosStager.yar
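Review bot: With `3 of ($s*)` as the only string requirement, the most generic strings in this hunk can satisfy the condition by themselves: `$s4` (`winsta0\default` is the standard desktop name any service passes to CreateProcessAsUser), `$s10` (a schtasks `/ru "SYSTEM" /f` fragment common in installers and updaters) and `$s11` (a self-delete command line), so benign PE files are a plausible false-positive source. Consider anchoring on at least one campaign-specific indicator, e.g. `uint16(0) == 0x5a4d and 1 of ($s1, $s2, $s5, $s9, $s12, $s13) and 3 of ($s*)`. `$s3 = "AcceptOK" ascii` is short and also matches inside longer strings; adding `fullword` would tighten it. The meta `description` is only a link; a short statement of what the rule detects alongside the URL helps analysts who read alerts without web access.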
@@ -0,0 +1,41 @@
+rule WinosStager
+{
+ meta:
+ author = "YungBinary"
+ description = "https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign"
+ cape_type = "WinosStager Payload"
+ strings:
+ $s1 = "Windows\\SysWOW64\\tracerpt.exe" ascii fullword
+ $s2 = "Windows\\System32\\tracerpt.exe" ascii fullword
+ $s3 = { 70 00 31 00 3A 00 00 00 }
+ $s4 = { 6F 00 31 00 3A 00 00 00 }
+ $s5 = { 70 00 32 00 3A 00 00 00 }
+ $s6 = { 6F 00 32 00 3A 00 00 00 }
+ $s7 = { 70 00 33 00 3A 00 00 00 }
+ $s8 = { 6F 00 33 00 3A 00 00 00 }
+ $s9 = "IpDates_info" wide fullword
+ $s10 = "%s-%04d%02d%02d-%02d%02d%02d.dmp" wide fullword
+ $s11 = "Console\\0" wide fullword
+ $s12 = "d33f351a4aeea5e608853d1a56661059" wide fullword
+
+ $config_parse = {
+ (3B CE | 7D ??) // cmp ecx, esi or jge short loc_??????
+ (7D ?? | 0F 1F ?? 00) // jge short loc_?????? or nop dword ptr [??+00h]
+ (66 83 3C 4D ?? ?? ?? ?? 7C | 66 41 83 ?? ?? 7C) // cmp ??, 7Ch ; '|'
+ 74 ?? // jz short loc_??????
+ (41 | 48 FF C1) // inc ecx or inc rcx
+ (3B CE | FF C2) // cmp ecx, esi or inc edx
+ (7C ?? | 49 3B CB 7C ??) // jl loc_?????? | cmp rcx, r11, jl short loc_??????
+ }
+ $zero_config = {
+ FF [1-5] // call
+ 83 (7C|7D) [1-2] 0A // cmp [ebp+??], 0Ah
+ 0F 86 ?? ?? ?? ?? // jbe loc_??????
+ (68 D0 07 00 00 | 33 D2) // push 7D0h or xor edx,edx
+ (6A 00 | 41 B8 D0 07 00 00) // push 0 or mov r8d, 0x7D0
+ (68 ?? ?? ?? ?? | 48 8B CD) // push offset wszConfig or mov rcx, rbp
+ E8 // call
+ }
+ condition:
+ uint16(0) == 0x5a4d and ((3 of ($s*)) or ($config_parse or $zero_config))
+}
From 035b42136a4337906a3d862b6448cd5f60851c8f Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Sun, 26 Oct 2025 12:43:39 -0600
Subject: [PATCH 2/2] base64 string
---
 data/yara/CAPE/MyKings.yar | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/MyKings.yar b/data/yara/CAPE/MyKings.yar
index f19219e0332..52362e71a45 100644
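Review bot: `$s3` through `$s8` are eight-byte UTF-16 fragments (`p1:`, `o1:`, `p2:`, `o2:`, `p3:`, `o3:`, each with its terminating null), and because there are six of them any three can satisfy `3 of ($s*)` without a single distinctive string matching; they are also low-entropy atoms that may draw YARA's slow-scan warning. A tighter condition keeps them as supporting evidence only: `uint16(0) == 0x5a4d and ((1 of ($s1, $s2, $s9, $s10, $s11, $s12) and 3 of ($s*)) or any of ($config_parse, $zero_config))`. As a point of style, the nested parentheses in `((3 of ($s*)) or ($config_parse or $zero_config))` read more easily as `3 of ($s*) or any of ($config_parse, $zero_config)`. `$zero_config` opens with `FF [1-5]`, which on its own matches almost anything; it is only anchored by the bytes after it, so a comment stating which variants (x86 and x64, as the alternatives suggest) the pattern was verified against would help maintainers re-check it when the sample set changes.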
--- a/data/yara/CAPE/MyKings.yar
+++ b/data/yara/CAPE/MyKings.yar
@@ -17,7 +17,7 @@ rule MyKings
 $s10 = "/ru \"SYSTEM\" /f" ascii
 $s11 = "cmd.exe /C timeout /t 1 & del " wide
 $s12 = "/login.aspx?uid=0" wide
- $s13 = "Y21kMS5jbWQtMjMwODEyLnJ1Oj" ascii
- condition:
+ $s13 = "cmd-230812.ru" base64
+ condition:
 uint16(0) == 0x5a4d and (3 of ($s*))
 }
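Review bot: The `condition:` line is removed and re-added with no visible difference, which suggests a whitespace-only change (indentation or a trailing space); if it was unintended, dropping it keeps the commit to the `$s13` change its title describes. The move to the `base64` modifier broadens the old literal `Y21kMS5jbWQtMjMwODEyLnJ1Oj` (a single alignment of `cmd1.cmd-230812.ru:`) to all three base64 alignments of the bare domain, which is sound; note that `base64` cannot be combined with `fullword` or `nocase`, so the string stays as written. Since an encoded contact domain is a strong indicator on its own, the condition could treat it as sufficient without waiting for two further generic strings: `uint16(0) == 0x5a4d and ($s13 or 3 of ($s*))`. The rule's `strings:` section starts outside the hunk.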