Easy #YARA Strings #Hunting for #Malware - The Lazy Man's Way

Krishnendu Paul

May 28, 2020 2 min read

I am not your Regular #BlueTeam #YARA #Guru who is writing yara for everything everyday. But, was assigned for a task where I need to find-out a proper Yara for a specific class of new gen malwares where AV or SHA/MD5 based IOC's are not working. Even the network connections are to different domains as there are way too many variants ( Read about it more here  ) . So, I gathered around 50+ samples of same kind virus, but with lesser or zero AntiVirus detection.

Sample Detection

Then when went through YARA documentation, found that I can only block this by repeated pattern on each samples of same variant. And Yea ! you get it right - Binary Strings Never Lies !

But binary strings matching from more than 50 samples, where each files are 200kb to 900kb ! 🤯 Really tough job to get the patterns from an #undetectable. So, after few tries I came up with lazy man's way, but where you can choose actually what you want to put as a string  atleast keeping a human flavour intact, but in a super fast way. 😎

Could have done with some spaghetti code, as I am not a regular coder. But, then thought why not coming up with a Sys Admin way, rather in a coder way. So, yea - #BASH is there for #Rescue.

# YaraSilly2 ( a.k.a Yara Silly Silly ) 
# Automatically Builds Yara Rules From Malware Samples
# Just a Basic Scratch Script - Yet !
# Copyright 2020 Krishnendu Paul [email protected]
# Released under GPL3 Licence

for file in *; 
	strings $file > $file_tmp.txt
	sed -i "s/  //g" $file_tmp.txt
	awk '!seen[$0]++' $file_tmp.txt >> dump.txt
    rm $file_tmp.txt
	sed -i '/^$/d' dump.txt

sort dump.txt | uniq --count --repeated | sort > results.txt
sed -i '/^$/d' results.txt

So, put all your malware samples in a folder. Copy above script and save it to a file ( yarasilly2.sh ) . Then,  

chmod +x yarasilly2.sh

One it is finished, just open results.txt .. and Voila ! ..

root@Bidhata-X1:/mnt/c/Users/me/Desktop/TEST# cat results.txt
      2  ?.}
      2 #}`-
      2 &<>=
      2 ((((((
      2 ;{_+
      2 =*?>
      2 ?#}+
      2 @[@~
      2 @`@~
      5  !"#$%&'()*+,-./01$
      5 XYZ[\]^_`abcdefghij$
      8 \&0;
      8 5RI]
      8 7ay"+
      8 9@"J
      8 Administrator - Personal View`
      9 Administrator
      9 Calculation
      9 Check Cell
      9 [Content_Types].xml
      9 [Content_Types].xmlPK
      9 Excel 4.0 Macros

You have a handy list with the count of string occurrence in total.  Left column with number is the count of occurrence on those samples . So, more greater the number, more chances of lesser false positive. But yes, there can be regular strings as well, like for Excel files - keyword Excel obviously will be there ( Opps ! ) . So, I am living it to human part of you.

A Simple Yara Rules I generated for almost a non-detectable macro enabled XLS files which not yet have a false positive in VirusTotal live hunt.

//  Excel files with macros pushing registry and downloading malware
rule macro_downloader
	author = "KP - SwedBank"
	description = "Malware Pushing XLS detection May 2020"
    $meta_value1 =	"##0\\)"
    $meta_author	= "Administrator"
	$meta_app	= "Excel"
		all of ($meta_*) and filesize < 1MB

Do you want me to make it a more enhanced Poor Man's Yara Rules Creator based on Binary Strings ? May be, may be starting a project named #YaraSillySilly 🤫

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.