diff --git a/analyzer/windows/data/yara/Rhadamanthys.yar b/analyzer/windows/data/yara/Rhadamanthys.yar
index f48d6794b2b..2d200ad6e0c 100644
--- a/analyzer/windows/data/yara/Rhadamanthys.yar
+++ b/analyzer/windows/data/yara/Rhadamanthys.yar
@@ -22,3 +22,15 @@ rule RhadaAnti
 condition:
 all of them
 }
+
+rule RhadUnhook
+{
+ meta:
+ cape_options = "bp0=$scan*,action0=scan:rbx,count=0,patch=$target+21:9090"
+ packed = "dd4af0f1888977f6d9eb820b19f4afc2a73d1c494a132ab4261498328005dda7"
+ strings:
+ $scan = {48 85 DB 0F 84 E1 00 00 00 4C 8D 44 24 70 48 8D 54 24 40 48 8B CE 44 89 7C 24 50 4C 89 64 24 40 48 C7 44 24 48 00 00 00 00 C6 44 24 54 00 FF}
+ $target = {4D 85 C9 48 8B C6 4A 8D 0C 1E 74 15 48 2B D8 49 2B DB 8A 04 0B 88 01 48 83 C1 01 49 83 E9 01 75 F1 5F 5E 5D 5B C3}
+ condition:
+ any of them
+}
diff --git a/data/html/sections/behavior.html b/data/html/sections/behavior.html
index 34c88b7cf69..45280b6a050 100644
--- a/data/html/sections/behavior.html
+++ b/data/html/sections/behavior.html
@@ -100,7 +100,7 @@
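Review bot: The new rule's `cape_options` references both `$scan` (breakpoint) and `$target` (patch offset), yet `condition: any of them` lets RhadUnhook fire when only one of the two patterns is present, leaving the other directive pointing at an unresolved string. Unless the debugger is known to tolerate that, `all of them` — the condition the neighbouring RhadaAnti rule already uses — is the safer choice, or the single-match intent should be spelled out in the meta block. The rule also carries no `description` or `author` entry; a line such as `description = "Rhadamanthys unhooking routine: breakpoint on $scan, NOP-patch at $target+21"` would tell the next maintainer what the two byte sequences anchor. Both hex strings are fully literal with no wildcards, so a note on which build the `packed` hash corresponds to would help when the rule has to be re-based.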

{{process.process_name}} PID: {{process.process_id}}, Parent PID: {{p

{{process.process_name}} PID: {{process.process_id}}, Parent PID: {{process.parent_id}}, Full Path: {{process.module_path}} - {% if process.environ.CommandLine %} + {% if process.environ and process.environ.CommandLine %} , Command Line: {{ process.environ.CommandLine }} {% endif %} @@ -158,6 +158,7 @@
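Review bot: The added guard only stops the template from dereferencing a missing `environ`; the value it then emits, `{{ process.environ.CommandLine }}`, is text recovered from the analysed sample and is still rendered as-is. If this template environment does not autoescape (I cannot tell from the hunk), it should be written as `{{ process.environ.CommandLine|e }}` so report viewers are not exposed to markup carried in a sample's command line. The same `process.environ` null-guard pattern is presumably needed wherever `environ` is read elsewhere in the section; only this occurrence is visible here. The enclosing template block begins before the hunk.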

{{process.p Nothing to display. {% endif %} {% endif %} + {% if results.behavior and results.behavior.summary %} + {% endif %}