CAPESandbox · doomedraven · Jan 23, 2024 · Jan 23, 2024
diff --git a/data/yara/CAPE/UPX.yar → data/yara/CAPE/deprecated/UPX.yar b/data/yara/CAPE/UPX.yar → data/yara/CAPE/deprecated/UPX.yar
diff --git a/data/yara/CAPE/deprecated/embedded.yar b/data/yara/CAPE/deprecated/embedded.yar
@@ -0,0 +1,39 @@
+rule embedded_pe
+{
+    meta:
+        author = "nex"
+        description = "Contains an embedded PE32 file"
+
+    strings:
+        $a = "PE32"
+        $b = "This program"
+        $mz = { 4d 5a }
+    condition:
+        ($a or $b) and not ($mz at 0)
+}
+
+rule embedded_win_api
+{
+    meta:
+        author = "nex"
+        description = "A non-Windows executable contains win32 API functions names"
+
+    strings:
+        $mz = { 4d 5a }
+        $api1 = "CreateFileA"
+        $api2 = "GetProcAddress"
+        $api3 = "LoadLibraryA"
+        $api4 = "WinExec"
+        $api5 = "GetSystemDirectoryA"
+        $api6 = "WriteFile"
+        $api7 = "ShellExecute"
+        $api8 = "GetWindowsDirectory"
+        $api9 = "URLDownloadToFile"
+        $api10 = "IsBadReadPtr"
+        $api11 = "IsBadWritePtr"
+        $api12 = "SetFilePointer"
+        $api13 = "GetTempPath"
+        $api14 = "GetWindowsDirectory"
+    condition:
+        not ($mz at 0) and any of ($api*)
+}
diff --git a/data/yara/CAPE/deprecated/shellcodes.yar b/data/yara/CAPE/deprecated/shellcodes.yar
@@ -0,0 +1,43 @@
+rule shellcode_patterns
+{
+    meta:
+        author = "nex"
+        description = "Matched shellcode byte patterns"
+
+    strings:
+        $mz = { 4d 5a }
+        $shell1 = { 64 8b 64 }
+        $shell2 = { 64 a1 30 }
+        $shell3 = { 64 8b 15 30 }
+        $shell4 = { 64 8b 35 30 }
+        $shell5 = { 55 8b ec 83 c4 }
+        $shell6 = { 55 8b ec 81 ec }
+        $shell7 = { 55 8b ec e8 }
+        $shell8 = { 55 8b ec e9 }
+    condition:
+        not ($mz at 0) and
+        any of ($shell*)
+}
+
+rule shellcode_get_eip
+{
+    meta:
+        author = "William Ballenthin"
+        email = "william.ballenthin@fireeye.com"
+        license = "Apache 2.0"
+        copyright = "FireEye, Inc"
+        description = "Match x86 that appears to fetch $PC."
+
+    strings:
+       // 0:  e8 00 00 00 00          call   5 <_main+0x5>
+       // 5:  58                      pop    eax
+       // 6:  5b                      pop    ebx
+       // 7:  59                      pop    ecx
+       // 8:  5a                      pop    edx
+       // 9:  5e                      pop    esi
+       // a:  5f                      pop    edi
+       $x86 = { e8 00 00 00 00 (58 | 5b | 59 | 5a | 5e | 5f) }
+
+    condition:
+       $x86
+}
diff --git a/data/yara/binaries/embedded.yar b/data/yara/binaries/embedded.yar
@@ -15,43 +15,3 @@ rule embedded_macho
     condition:
         any of ($magic*) and not ($magic1 at 0) and not ($magic2 at 0) and not ($magic3 at 0)
 }
-
-rule embedded_pe
-{
-    meta:
-        author = "nex"
-        description = "Contains an embedded PE32 file"
-
-    strings:
-        $a = "PE32"
-        $b = "This program"
-        $mz = { 4d 5a }
-    condition:
-        ($a or $b) and not ($mz at 0)
-}
-
-rule embedded_win_api
-{
-    meta:
-        author = "nex"
-        description = "A non-Windows executable contains win32 API functions names"
-
-    strings:
-        $mz = { 4d 5a }
-        $api1 = "CreateFileA"
-        $api2 = "GetProcAddress"
-        $api3 = "LoadLibraryA"
-        $api4 = "WinExec"
-        $api5 = "GetSystemDirectoryA"
-        $api6 = "WriteFile"
-        $api7 = "ShellExecute"
-        $api8 = "GetWindowsDirectory"
-        $api9 = "URLDownloadToFile"
-        $api10 = "IsBadReadPtr"
-        $api11 = "IsBadWritePtr"
-        $api12 = "SetFilePointer"
-        $api13 = "GetTempPath"
-        $api14 = "GetWindowsDirectory"
-    condition:
-        not ($mz at 0) and any of ($api*)
-}
diff --git a/data/yara/binaries/shellcodes.yar b/data/yara/binaries/shellcodes.yar
@@ -2,50 +2,6 @@
 // This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 // See the file 'docs/LICENSE' for copying permission.
 
-rule shellcode_patterns
-{
-    meta:
-        author = "nex"
-        description = "Matched shellcode byte patterns"
-
-    strings:
-        $mz = { 4d 5a }
-        $shell1 = { 64 8b 64 }
-        $shell2 = { 64 a1 30 }
-        $shell3 = { 64 8b 15 30 }
-        $shell4 = { 64 8b 35 30 }
-        $shell5 = { 55 8b ec 83 c4 }
-        $shell6 = { 55 8b ec 81 ec }
-        $shell7 = { 55 8b ec e8 }
-        $shell8 = { 55 8b ec e9 }
-    condition:
-        not ($mz at 0) and
-        any of ($shell*)
-}
-
-rule shellcode_get_eip
-{
-    meta:
-        author = "William Ballenthin"
-        email = "william.ballenthin@fireeye.com"
-        license = "Apache 2.0"
-        copyright = "FireEye, Inc"
-        description = "Match x86 that appears to fetch $PC."
-
-    strings:
-       // 0:  e8 00 00 00 00          call   5 <_main+0x5>
-       // 5:  58                      pop    eax
-       // 6:  5b                      pop    ebx
-       // 7:  59                      pop    ecx
-       // 8:  5a                      pop    edx
-       // 9:  5e                      pop    esi
-       // a:  5f                      pop    edi
-       $x86 = { e8 00 00 00 00 (58 | 5b | 59 | 5a | 5e | 5f) }
-
-    condition:
-       $x86
-}
-
 rule shellcode_peb_parsing
 {
     meta: