@notareverser
Created January 28, 2022 13:03
Here's a little story all about how my rules got flipped, turned upside down
Let's do something a little different today and talk about WHY we use YARA signatures.
I'm going to do this by walking through an example.
If you want to play along, I've put all my #100DaysofYARA rules here
https://gist.github.com/notareverser/d5f4f0d09285edca3ec027534c233271
I was doing something unrelated and happened across this file:
Filename: b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
MD5: b1fcc3a7ca7a4829a9f9ce636b784656
SHA1: f11de3d52315ecc63adf250ffae1ee88c4058ef5
SHA256: 122f19bca73e63e74fb3454843010224229796b21981508fac4f538b38dc4b1f
Size: 1856972
File magic: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File MIME: application/x-dosexec
Compile time: 2007-08-17 12:43:04 [46c597d8]
As an aside, it's a good idea to always name your files based on where you got them,
in case you have sharing restrictions or other considerations.
As I obtain sets of files, I will generally triage them by running all my YARA rules
against them. This will give me an idea of what I'm up against, or possibly even the
identity of the file I'm looking at, in case I have some downstream capability against
a particular malware family (e.g. a configuration dumper). Let's do that here:
$ yara -w /tmp/rules.yara .
ASPack_PE ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
ARGS_socket_TCPIP ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
VB ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
OverlayMZ ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
Let's get a few more details:
$ yara -w /tmp/rules.yara . -s
ASPack_PE ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
0x5201:$unpackStub: 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF
ARGS_socket_TCPIP ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
0xa9b8f:$c_abs: 6A 06 6A 01 6A 02 FF 15 70 F4 47 00
VB ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
0x18e0:$m: VB5!
OverlayMZ ./b1fcc3a7ca7a4829a9f9ce636b784656.virustotal
0x0:$mz: 4D 5A 90
0x5826:$mz: 4D 5A 90
0x6c02:$mz: 4D 5A 90
0xa415:$mz: 4D 5A 90
0xfdff:$mz: 4D 5A 90
0x1cfff:$mz: 4D 5A 90
0x23dfe:$mz: 4D 5A 90
0x28f7d:$mz: 4D 5A 90
0x3578f:$mz: 4D 5A 90
0x59ede:$mz: 4D 5A 90
0x9f185:$mz: 4D 5A 90
0x15550c:$mz: 4D 5A 90
Already I can start to fill in what's happening here.
- I've got what looks like several PE files.
- I've got an ASPack unpacking stub within what looks like the boundaries of
the outer file. I will probably need to go find my unpacking scripts for ASPack.
- The outer file is likely Visual Basic, so I'll need to dig out my processing
scripts to re-create all the VB structures.
- At least one of the programs pushes the arguments to socket() to establish a
TCP/IP connection, so it is possible that if I run this file there may be network
traffic, which means it may be valuable to perform dynamic analysis in a networked
analysis VM.
OK cool, so what?
What I've been able to do is make decisions, and further, I have reasonable evidence
to support those decisions. I have some candidate behaviors that are implied, such
as dropping and/or loading additional files. This means I have good code to look for
by means of API call patterns, and am going to want to pay attention to WriteFile events
if I'm using something like ProcMon. It wouldn't be unreasonable to manually carve out
all the PE payloads starting from the end, although the hashes and inter-relationships
would be suspicious at best, likely just wrong. Most importantly, I can reason about
the various features of this program, so that I can write them down in case I ever
see them again. What's the best way to write them down? A YARA signature, natch.
rule VBVirus_FileInfector
{
    strings:
        // mov dword [ebp-4], 1..4 bookkeeping interleaved with push -1 / push imm32 and
        // three indirect calls (ff 15); the call targets are wildcarded so the pattern
        // survives different import-table addresses between samples
        $checkLengthOfVirusFile = {c7 45 fc 01 00 00 00 c7 45 fc 02 00 00 00 6a ff ff 15 ?? ?? ?? ?? c7 45 fc 03 00 00 00 66 c7 45 c4 00 00 c7 45 fc 04 00 00 00 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8b c8 ff 15}
        // backslashes must be escaped in a YARA text string; `wide` matches the UTF-16LE form
        $virusFilename = "c:\\vbvirus\\ownerprotect.ptt" wide
    condition:
        all of them
}
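To make concrete what `yara -s` is doing with the rule above and with the OverlayMZ hits earlier, here is a small pure-Python re-implementation of hex-string matching with `??` wildcards and `wide` text strings (an added example, not the gist author's code and not a YARA library; it covers only that subset of YARA syntax). `RULES` carries the two rules and `SAMPLE` is a constructed byte string, not a real file, that places the length-check sequence, the wide filename and two MZ headers at known offsets.

```python
import re

def hex_string(body):
    """Compile a YARA-style hex string ('ff 15 ?? ?? ?? ??') into a bytes regex.
    Only fixed bytes and ?? are handled; the lookahead wrapper makes finditer
    report every offset, overlapping ones included, as `yara -s` does."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in body.split()]
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def wide_string(text):
    """YARA's `wide` modifier: match the UTF-16LE encoding of the text."""
    return re.compile(b"(?=" + re.escape(text.encode("utf-16-le")) + b")")

# The two rules from the gist, as ({string id: pattern}, condition) pairs.
RULES = {
    "OverlayMZ": ({"$mz": hex_string("4D 5A 90")}, "any"),
    "VBVirus_FileInfector": ({
        "$checkLengthOfVirusFile": hex_string(
            "c7 45 fc 01 00 00 00 c7 45 fc 02 00 00 00 6a ff ff 15 ?? ?? ?? ?? "
            "c7 45 fc 03 00 00 00 66 c7 45 c4 00 00 c7 45 fc 04 00 00 00 68 "
            "?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8b c8 ff 15"),
        "$virusFilename": wide_string(r"c:\vbvirus\ownerprotect.ptt"),
    }, "all"),
}

def scan(data, rules=RULES):
    """Return {rule: {string id: [offsets]}} for each rule whose condition holds."""
    hits = {}
    for name, (strings, cond) in rules.items():
        found = {sid: [m.start() for m in rx.finditer(data)] for sid, rx in strings.items()}
        matched = [sid for sid, offs in found.items() if offs]
        if matched and (cond != "all" or len(matched) == len(strings)):
            hits[name] = {sid: found[sid] for sid in matched}
    return hits

# Constructed sample, not a real file: an MZ header, the length-check sequence with
# arbitrary bytes in the wildcard slots, the wide filename, and a second MZ header.
SAMPLE = (
    b"MZ\x90" + b"\x00" * 29
    + bytes.fromhex("c745fc01000000c745fc020000006affff15") + b"\x70\xf4\x47\x00"
    + bytes.fromhex("c745fc0300000066c745c40000c745fc0400000068") + b"\x11\x22\x33\x44"
    + bytes.fromhex("ff15") + b"\xaa\xbb\xcc\xdd" + bytes.fromhex("8bc8ff15")
    + b"\x00" * 8 + "c:\\vbvirus\\ownerprotect.ptt".encode("utf-16-le")
    + b"\x00" * 16 + b"MZ\x90" + b"\x00" * 4
)

if __name__ == "__main__":
    for rule, strings in scan(SAMPLE).items():
        print(rule, {sid: [hex(o) for o in offs] for sid, offs in strings.items()})
```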
<insert some VT pivoting here>
$ yara /tmp/vb.yara .
VBVirus ./810925885924a529cb14f4b6288ce1f3.virustotal
VBVirus ./7f5c59d770b0a747540c32a2e785a8b7.virustotal
VBVirus ./92759e7046ece6781039b698fbeff394.virustotal
VBVirus ./76ba9f965965f9a906717da6396e124e.virustotal
VBVirus ./7890e10505d8f534ccac0cb073dd3d6a.virustotal
VBVirus ./764ce923e0421c3e8cd60012ec491fc7.virustotal
VBVirus ./b77e9c4355cb67c429e9c420e46d0acc.virustotal
VBVirus ./028a4f86600da190dab6c7974de003c9.virustotal
VBVirus ./b859c87a7c5956a23d4d9f475d512aa6.virustotal
VBVirus ./7249915fe916e1c6da09e0d29aef3f88.virustotal
VBVirus ./bfcb5f062c66726494545876cd57c82b.virustotal
VBVirus ./9ece95fb513358b1f0ca92e24aa7d56a.virustotal
VBVirus ./80a830470e5eb7a17d7a91f53808a0ca.virustotal
VBVirus ./cb4fd8341bbefacf36da70620974f838.virustotal
VBVirus ./874063d9c5902b6e4961b17f830fc872.virustotal
VBVirus ./7c8b0e7c4a3eec38480291d67c3b49af.virustotal
VBVirus ./6f5e7b54bae3475a6dec2978a2ea6187.virustotal
VBVirus ./789d70ad0168d25bce8b368d3715fa28.virustotal
VBVirus ./758a8bf8be2d08f09724ee7d520b4f9e.virustotal
VBVirus ./8853c036e26ba46eeaef5022b312180b.virustotal
In this way, we can see that using a combination of specific and general YARA signatures lets you effectively
triage new files, grow your repository of knowledge and capability, and develop the habit of writing
things down as you learn them, in a form that is useful later.
I hope you liked this brief story. If you did, retweet the tweet I posted it in and share!