Static Analysis and Yara

The notes below take static analysis a step further and show how its output can be used to create detection rules with yara.

Let's look at the sample on Malwr.com, namely https://malwr.com/analysis/ODg3YTA1ZGFlMTY3NDBmNmE5NjZhYzY0ZDg5MGQ4OWU/ uploaded on 01/05/2016.

The file details are as follows:

FILE NAME gerador.exe
FILE SIZE 290816 bytes
FILE TYPE PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b919e71f9348438f9212db254270c880
SHA1 9d5f28c9d5d026b0fbc834332f32ff7e5a880bcd
SHA256 b741aa9bc8dab1dd4783ea20898769b031a1641cfcb4d9c4ac42a3929fc5c6eb
CRC32 AA0B2F34
SSDEEP 6144:7mcD66RRje5JGmrpQsK3FD2u270jupCJsCxCe:icD663H92zkPaCx1

PE Imphash

078683deeee217bf8224debb163055d6

Network Activity:

trancoso.sytes.net 200.181.154.51

Reviewing the strings section and other areas of the report, the following additional details may be useful in expanding the search:

x_X_BLOCKMOUSE_X_x

x_X_UPDATE_X_x

x_X_PASSWORDLIST_X_x

####@####

XX--XX--XX.txt

xxxyyyzzz.dat

A search for the MD5 identified no additional analysis. A search for the Imphash identified additional samples from the last couple of months and another from over 8 months ago. The entry from 8 months ago was for the sample MD5:48d5fa67fbdea40f9fb6fba0fc03d685 and had been identified as CyberGate RAT. As the imports for this executable match a sample from 8 months ago, this gives an idea of how long this sample line has been operating. This is only an indicator, as it is based on public samples that members of the public or industry have chosen to share.

A targeted search for the communication details (IP 200[.]181[.]154[.]51) did not identify any additional samples. A targeted search for the selected strings did identify additional samples with different imphash values. A representative sample of these is below:

The selected strings appear in each of the files and are consistent across the representative sample. The item of note is that at the time of upload there did not appear to be any Anti-Virus detection. This could be due to many reasons, including but not limited to a lack of signatures. At the time of detection these samples may have been troublesome, depending on the mitigations in place.

From the selected strings it was possible to identify a pattern across multiple samples. This pattern can be used to detect this variant, allowing a mitigation to be created that reinforces Anti-Virus and any other mitigations in place.

A common method for this is to create a yara rule, which can be straightforward. That said, yara is a powerful tool and it is also possible to create complicated rules.

Yara rules have a basic structure:

rule NewSample
{
 meta:
  Contains metadata about the rule, i.e. author, date, purpose etc.
 strings:
  What is being looked for: string, hex value, byte pattern etc.
 condition:
  What the rule triggers on.
}

A simple rule can be created for the identified strings above and would look something like the below.

rule CyberGateTrojan
{
 meta:
  Author = "Adam Hughes"
  Date = "09052016"
  Version = "0.1"
  Desc = "Example rule not designed for production systems."
 strings:
  $string0 = "x_X_BLOCKMOUSE_X_x"
  $string1 = "x_X_UPDATE_X_x"
  $string2 = "x_X_PASSWORDLIST_X_x"
  $string3 = "####@####"
  $string4 = "XX--XX--XX.txt"
  $string5 = "xxxyyyzzz.dat"
 condition:
  4 of ($string*)
}

The above rule will trigger if 4 of the strings are detected. With the rule text saved to a text file with a ".yar" extension, it can be run against the test samples that could be downloaded:

MD5 b919e71f9348438f9212db254270c880 gerador.exe (Analysed Sample)
MD5 781cb0cdaf88979430d35585b04591b6 Sample1.exe
MD5 b0baeafb75fde98913478e7b62d6ed30 Sample3.exe
MD5 4f46650424d8b8903868ff7a1094921f Sample2.exe

Running yara against these samples causes the rule to fire on each sample (yara -rm [Rule File] [path to samples]):

CybergateTrojan [Author="Adam Hughes",Date="09052016",Version="0.1",Desc="Example rule not designed for production systems."] /home/User/Tools/Samples//strings.txt
CybergateTrojan [Author="Adam Hughes",Date="09052016",Version="0.1",Desc="Example rule not designed for production systems."] /home/User/Tools/Samples//gerador.exe
CybergateTrojan [Author="Adam Hughes",Date="09052016",Version="0.1",Desc="Example rule not designed for production systems."] /home/User/Tools/Samples//Sample3.exe
CybergateTrojan [Author="Adam Hughes",Date="09052016",Version="0.1",Desc="Example rule not designed for production systems."] /home/User/Tools/Samples//Sample1.exe
CybergateTrojan [Author="Adam Hughes",Date="09052016",Version="0.1",Desc="Example rule not designed for production systems."] /home/User/Tools/Samples//Sample2.exe

Rules need to be tested and refined. As this rule is looking for strings, in this instance there is an additional detection for strings.txt, which is not malicious but does contain the strings we are searching for, as it is the output of the strings command on the analysed sample.

With further analysis the rule could be refined to be more specific. For example, focusing on the string "####@####" and conducting a binary comparison between the analysed sample and the downloaded samples, the following hex string was identified to persist within each file, allowing the line below to be added to the rule:

 $string = {23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23}
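As an added example (not from the original post or from the yara project), the following Python re-implements the two rule conditions discussed above, the string-only "4 of ($string*)" and the version that also requires the hex string, and runs them over a constructed stand-in for the sample and over an emulated strings dump of it. It shows why the string-only rule also fires on strings.txt while the hex-string refinement does not; the sample bytes and file names are constructed and real yara is not required.

```python
import re

# The six text strings from the rule above, as raw bytes.
TEXT_STRINGS = [
    b"x_X_BLOCKMOUSE_X_x",
    b"x_X_UPDATE_X_x",
    b"x_X_PASSWORDLIST_X_x",
    b"####@####",
    b"XX--XX--XX.txt",
    b"xxxyyyzzz.dat",
]

# The hex string from the refinement step. The bytes FA FD F0 EF F9 between the
# two "####@####" runs are non-printable, so `strings` output never contains it.
HEX_PATTERN = bytes.fromhex("23232323 40 23232323 FAFDF0EFF9 23232323 40 23232323")

def count_string_hits(data: bytes) -> int:
    """How many of the six text strings occur in data (YARA: N of ($string*))."""
    return sum(1 for s in TEXT_STRINGS if s in data)

def original_rule(data: bytes) -> bool:
    """condition: 4 of ($string*)  -- the first version of the rule."""
    return count_string_hits(data) >= 4

def refined_rule(data: bytes) -> bool:
    """Same condition, but additionally requiring the hex string found by binary comparison."""
    return count_string_hits(data) >= 4 and HEX_PATTERN in data

def strings_output(data: bytes, min_len: int = 4) -> bytes:
    """Emulate `strings`: printable ASCII runs of at least min_len, one per line."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return b"\n".join(runs) + b"\n"

# Constructed stand-in for a sample (not the real gerador.exe): an MZ header,
# the indicator strings and the hex pattern laid out as NUL-terminated data.
FAKE_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"x_X_BLOCKMOUSE_X_x\x00x_X_UPDATE_X_x\x00x_X_PASSWORDLIST_X_x\x00"
    + HEX_PATTERN + b"\x00"
    + b"XX--XX--XX.txt\x00xxxyyyzzz.dat\x00"
)

if __name__ == "__main__":
    # strings.txt fires on the original condition only; the hex string separates them.
    for name, data in {"gerador.exe": FAKE_SAMPLE, "strings.txt": strings_output(FAKE_SAMPLE)}.items():
        print(f"{name:12} original={original_rule(data)} refined={refined_rule(data)}")
```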

There is also another consideration which may negate the need for this level of analysis: as this sample has operated for a number of years, it is likely that this analysis has already been completed during that time.

(In this case it has https://github.com/Yara-Rules/rules/blob/master/malware/CyberGate.yar)

That said, these are useful methods for trying to detect malicious artefacts.