Merge pull request #2729 from YungBinary/master

kevoreilly · web-flow · commit 724bafc14f07 · 2025-10-29T19:51:11.000Z
Add Winos4.0 and MyKings Yara Rules
diff --git a/data/yara/CAPE/MyKings.yar b/data/yara/CAPE/MyKings.yar
@@ -0,0 +1,23 @@
+rule MyKings 
+{
+    meta:
+        author = "YungBinary"
+        description = "https://x.com/YungBinary/status/1981108948498333900"
+        cape_type = "MyKings Payload"
+    strings: 
+        $s1 = "login.php?uid=0" wide
+        $s2 = "download.txt?rnd=" wide
+        $s3 = "AcceptOK" ascii
+        $s4 = "winsta0\\default" wide
+        $s5 = "base64_ip.txt" wide
+        $s6 = { 70 00 6F 00 77 00 65 00 72 00 74 00 6F 00 6F 00 6C 00 00 00 6B 00 61 00 73 00 70 00 65 00 72 00 73 00 6B 00 79 }
+        $s7 = { 53 00 61 00 66 00 65 00 00 00 00 00 45 00 73 00 65 00 74 }
+        $s8 = { 4E 00 6F 00 64 00 33 00 32 00 00 00 4D 00 61 00 6C 00 77 00 61 00 72 00 65 }
+        $s9 = "Custom C++ HTTP Client/1.0" wide
+        $s10 = "/ru \"SYSTEM\" /f" ascii
+        $s11 = "cmd.exe /C timeout /t 1 & del " wide
+        $s12 = "/login.aspx?uid=0" wide
+        $s13 = "cmd-230812.ru" base64
+    condition:
+        uint16(0) == 0x5a4d and (3 of ($s*))
+}
diff --git a/data/yara/CAPE/WinosStager.yar b/data/yara/CAPE/WinosStager.yar
@@ -0,0 +1,41 @@
+rule WinosStager 
+{
+    meta:
+        author = "YungBinary"
+        description = "https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign"
+        cape_type = "WinosStager Payload"
+    strings: 
+        $s1 = "Windows\\SysWOW64\\tracerpt.exe" ascii fullword
+        $s2 = "Windows\\System32\\tracerpt.exe" ascii fullword
+        $s3 = { 70 00 31 00 3A 00 00 00 }
+        $s4 = { 6F 00 31 00 3A 00 00 00 }
+        $s5 = { 70 00 32 00 3A 00 00 00 }
+        $s6 = { 6F 00 32 00 3A 00 00 00 }
+        $s7 = { 70 00 33 00 3A 00 00 00 }
+        $s8 = { 6F 00 33 00 3A 00 00 00 }
+        $s9 = "IpDates_info" wide fullword
+        $s10 = "%s-%04d%02d%02d-%02d%02d%02d.dmp" wide fullword
+        $s11 = "Console\\0" wide fullword
+        $s12 = "d33f351a4aeea5e608853d1a56661059" wide fullword
+
+        $config_parse = {
+            (3B CE | 7D ??)                                  // cmp ecx, esi or jge short loc_??????
+            (7D ?? | 0F 1F ?? 00)                            // jge short loc_?????? or nop dword ptr [??+00h]
+            (66 83 3C 4D ?? ?? ?? ?? 7C | 66 41 83 ?? ?? 7C) // cmp ??, 7Ch ; '|'
+            74 ??                                            // jz short loc_??????
+            (41 | 48 FF C1)                                  // inc ecx or inc rcx
+            (3B CE | FF C2)                                  // cmp ecx, esi or inc edx
+            (7C ?? | 49 3B CB 7C ??)                         // jl loc_?????? | cmp rcx, r11, jl short loc_??????
+        }
+        $zero_config = {
+            FF [1-5]                    // call
+            83 (7C|7D) [1-2] 0A         // cmp [ebp+??], 0Ah
+            0F 86 ?? ?? ?? ??           // jbe loc_??????
+            (68 D0 07 00 00 | 33 D2)    // push 7D0h or xor edx,edx
+            (6A 00 | 41 B8 D0 07 00 00) // push 0 or mov r8d, 0x7D0
+            (68 ?? ?? ?? ?? | 48 8B CD) // push offset wszConfig or mov rcx, rbp
+            E8                          // call
+        }
+    condition: 
+        uint16(0) == 0x5a4d and ((3 of ($s*)) or ($config_parse or $zero_config))
+}
