Add rules

data/yara/CAPE/BlackHunt.yar

@@ -0,0 +1,17 @@
+rule BlackHunt {
+    meta:
+        author = "ditekSHen"
+        description = "Detects BlackHunt ransomware"
+        cape_type = "BlackHunt Payload"
+    strings:
+        $s1 = /#BlackHunt_(Logs|BG|Icon|Public|Private|ID|ReadMe|Update)\.(txt|jpg|ico|key|hta)/ ascii wide
+        $s2 = /-(biggame|noencrypt|netinfo|nospread)/ fullword wide
+        $s3 = "/v \"*BlackHunt\" /t REG_SZ /d" wide
+        $s4 = "/sc onstart /TN \"Windows Critical Update\" /TR \"'%s' %s\" /F" wide
+        $s5 = "/v \"DisableChangePassword\" /t REG_DWORD /d" wide
+        $s6 = "<span> %s </span>this ID (<span> %s </span>)" wide
+        $s7 = "}div.header h1 span#hunter" wide
+        $s8 = "BLACK_HUNT_MUTEX" fullword ascii
+    condition:
+        uint16(0) == 0x5a4d and 4 of them
+}

data/yara/CAPE/MediaPI.yar

@@ -0,0 +1,18 @@
+import "pe"
+
+rule MediaPI {
+    meta:
+        author = "ditekSHen"
+        description = "Detects MediaPI"
+        cape_type = "MediaPI Payload"
+    strings:
+        $s1 = "SomeFunction" ascii
+        $s2 = "\"stealth" ascii
+        $s3 = "\"ServAddr" ascii
+        $s4 = "\"ServPort" ascii
+        $s5 = "\"ServIp" ascii
+        $s6 = "\"wsaData" ascii
+        $s7 = "\"-socket" ascii
+    condition:
+        uint16(0) == 0x5a4d and pe.is_dll() and ((6 of them) or (3 of them and pe.exports("SomeFunction")))
+}

data/yara/binaries/indicator_tools.yar

@@ -1845,3 +1845,16 @@ rule INDICATOR_TOOL_ReverseSSH_Go {
     condition:
        uint16(0) == 0x5a4d and all of them
 }
+
+rule INDICATOR_TOOL_SharpGhostTask {
+    meta:
+        author = "ditekSHen"
+        description = "Detects SharpGhostTask"
+    strings:
+        $x1 = "Ghosted" wide
+        $x2 = /--target(binary|task)/ fullword wide
+        $x3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\T" wide nocase
+        $s4 = "__GhostTask|" ascii
+    condition:
+        uint16(0) == 0x5a4d and 3 of them
+}