Merge pull request #2626 from enzok/enzok-patch-1

kevoreilly · web-flow · commit 22bc73a8327a · 2025-06-18T13:50:58.000+01:00
fix NitrogenLoader.yar remove wild card byte
diff --git a/analyzer/windows/data/yara/NitrogenLoader.yar b/analyzer/windows/data/yara/NitrogenLoader.yar
@@ -45,7 +45,7 @@ rule NitrogenLoaderConfig
     meta:
         author = "enzok"
         description = "NitrogenLoader Config Extraction"
-        cape_options = "bp0=$decrypt1*+1,bp1=$key*-4,hc=1,count=0,action0=string:rcx,action1=string:rdx,typestring=NitrogenLoader Config"
+        cape_options = "bp0=$decrypt1*+1,bp1=$key*,hc0=1,count=0,action0=string:rcx,action1=string:rdx,typestring=NitrogenLoader Config"
     strings:
         $decrypt1 = {48 63 4? 24 ?? 33 D2 48 [0-3] F7 B4 24 [4] 48 8B C2 48 8B 8C 24 [4] 0F BE 04 01}
         $decrypt2 = {8B ?? 24 [1-4] 33 C8 8B C1 48 63 4C 24 ?? 48 8B 94 24 [4] 88 04 0A}
diff --git a/data/yara/CAPE/NitrogenLoader.yar b/data/yara/CAPE/NitrogenLoader.yar
@@ -24,7 +24,7 @@ rule NitrogenLoader
         $taskman_2 = {B9 4D 00 00 00 88 84 24 [4] E8 [4] B9 61 00 00 00 88 84 24 [4] E8 [4] B9 6E 00 00 00 88 84 24 [4] E8 [3] FF}
         $taskman_3 = {B9 61 00 00 00 88 84 24 [4] E8 [4] B9 67 00 00 00 88 84 24 [4] E8 [4] B9 65 00 00 00 88 84 24 [4] E8 [3] FF}
         $taskman_4 = {B9 72 00 00 00 88 84 24 [4] E8 [4] 31 C9 88 84 24 [4] E8 [3] FF}
-        $rc4decrypt_1 = {48 89 ?? 48 89 ?? E8 [4] 48 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 89 EA E8 [4] 48 89 ??}
+        $rc4decrypt_1 = {48 89 ?? 4? 89 ?? E8 [4] 4? 8B ?? 24 [1-4] 4? 89 ?? 4? 89 ?? 4? 89 C1 [0-1] 89 ?? E8 [4] 4? 89}
         $rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}
     condition:
         (2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or (3 of ($taskman_*) and all of ($rc4decrypt_*))
