Fix patterns

YungBinary · YungBinary · commit 33c4f63eb54d · 2025-09-12T13:02:14.000-06:00
diff --git a/data/yara/CAPE/MonsterV2.yar b/data/yara/CAPE/MonsterV2.yar
@@ -17,5 +17,5 @@ rule MonsterV2
             E8 ?? ?? ?? ??
         }
     condition:
-        $decrypt_config
+        uint16(0) == 0x5A4D and $decrypt_config
 }
diff --git a/data/yara/CAPE/NightshadeC2.yar b/data/yara/CAPE/NightshadeC2.yar
@@ -1,14 +1,20 @@
 rule NightshadeC2
 {
-  meta:
-    author = "YungBinary"
-    description = "https://x.com/YungBinary/status/1963751038340534482"
-    hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
-    cape_type = "NightshadeC2 Payload"
-  strings:
-    $s1 = "keylog.txt" wide
-    $s2 = "--mute-audio --do-not-de-elevate" wide
-    $s3 = "MachineGuid" wide
-  condition:
-    uint16(0) == 0x5A4D and all of them
+    meta:
+        author = "YungBinary"
+        description = "https://x.com/YungBinary/status/1963751038340534482"
+        hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
+        cape_type = "NightshadeC2 Payload"
+    strings:
+        $s1 = "keylog.txt" fullword wide
+        $s2 = "\"%ws\" --mute-audio --do-not-de-elevate" fullword wide
+        $s3 = "\"%ws\" -no-deelevate" fullword wide
+        $s4 = "MachineGuid" fullword wide
+        $s5 = "www.ip-api.com" fullword wide
+        $s6 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61" fullword wide
+        $s7 = "IsabellaWine" fullword wide
+        $s8 = "Shell_TrayWnd" fullword wide
+
+    condition:
+        uint16(0) == 0x5A4D and 3 of them
 }

Original file line number	Diff line number	Diff line change
`@@ -17,5 +17,5 @@ rule MonsterV2`
`17`	`17`	`E8 ?? ?? ?? ??`
`18`	`18`	`}`
`19`	`19`	`condition:`
`20`		`- $decrypt_config`
	`20`	`+ uint16(0) == 0x5A4D and $decrypt_config`
`21`	`21`	`}`