#100DaysOfYara Challenge

Thomas Roccia · Published in SecurityBreak
10 min read · Jan 1, 2024

The 100 Days of Yara is a fun challenge created by Greg Lesnewich and inspired by the 100 Days of Code, which I did a couple of years ago.

I’ve always found these kinds of challenges interesting because they help in building habits and learning more about specific topics. I’ll be using this page to share my #100DaysOfYara journey 🚀. While my primary goal is to practice more with Yara, I also aim to share my learning so that everyone can benefit from it 💡.

Obviously, for those familiar with these types of challenges, some days are more challenging than others, but the idea is to build this journal 📓 through this page and have fun along the way! 🎉

Feel free to follow me on this journey via Twitter or Medium to see the kind of things I’ll be sharing. 👀

More details can be found here: 100DaysofYARA/2024: Rules shared by the community from 100 Days of YARA 2024 (github.com)

Day #1: Planning and Overview

Jumping into such a big challenge can be overwhelming, so the best approach is to start with some planning and map out opportunities for the upcoming days. To facilitate this, I have created a mind map that provides an overview of the topics that can be discussed or explored during this challenge.

I know this mind map is not exhaustive, and it can be difficult to reference everything related to YARA, but I hope it also helps you by providing a better roadmap of what you can do too.

Let the fun begin! 😉

# Documentation
Official Documentation: https://yara.readthedocs.io/en/stable/#
https://support.virustotal.com/hc/en-us/articles/115002178945-YARA
https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/
https://github.com/Neo23x0/YARA-Performance-Guidelines
Yara CheatSheet: https://speakerdeck.com/fr0gger/yara-cheat-sheet

# Related Projects
YaraForge: https://cyb3rops.medium.com/introducing-yara-forge-a77cbb77dcab
YARAify: https://yaraify.abuse.ch/
Others: https://github.com/Yara-Rules
Yari: https://engineering.avast.io/yari-a-new-era-of-yara-debugging/
The Unprotect Project Yara Rules: https://unprotect.it
YARA-X: https://github.com/VirusTotal/yara-x
YaraManager: https://github.com/kevthehermit/YaraManager
YaraEditor: https://www.adlice.com/yaraeditor/
YARA TTD: https://github.com/airbus-cert/yara-ttd
YARADBG: https://yaradbg.dev/
Yara-Python: https://github.com/VirusTotal/yara-python
YARAnalyzer: https://github.com/Neo23x0/yarAnalyzer
MQuery: https://github.com/CERT-Polska/mquery
Yaramod: https://github.com/avast/yaramod
Yara Memory Scanner: https://github.com/BinaryDefense/YaraMemoryScanner
Yabin: https://github.com/AlienVault-OTX/yabin
Yara Parser: https://github.com/Northern-Lights/yara-parser

# YARA Rules Creation
Official Yara Rule Repo: https://github.com/Yara-Rules/rules
# PE File
https://yara.readthedocs.io/en/stable/modules/pe.html
Rich Header YARA: https://www.giac.org/paper/grem/6321/leveraging-pe-rich-header-static-alware-etection-linking/169729

# ELF File
https://yara.readthedocs.io/en/stable/modules/elf.html
https://github.com/tenable/yara-rules/blob/master/generic/elf_format.yar

# MachO File
https://github.com/airbnb/binaryalert/blob/master/rules/public/MachO.yara
https://notebook.community/FreeSchoolHackers/data_hacking/yara_clustering/Mach-O%20Clustering

# Other files: pdf, xls, docx, PowerShell, lnk…
https://github.com/hiddenillusion/AnalyzePDF/blob/master/pdf_rules.yara
https://blog.didierstevens.com/2023/08/29/quickpost-pdf-activemime-maldocs-yara-rule/
https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/129682/performing-suspect-power-shell-detection-with-a-yara-rule
https://github.com/ail-project/ail-yara-rules/blob/master/rules/code/powershell.yar
https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/

# Obfuscation
https://isc.sans.edu/diary/Creating+a+YARA+Rule+to+Detect+Obfuscated+Strings/30186
https://0xc0decafe.com/apihash-to-yara
https://isc.sans.edu/diary/YARA+XOR+Strings/24174
https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/

# Uncommon usage of Yara
YARA Forensic: https://github.com/Xumeiquer/yara-forensics
Pastebin with Yara: https://github.com/kevthehermit/PasteHunter
Yara Pcap: https://github.com/kevthehermit/YaraPcap
PHP Malware Finder: https://github.com/jvoisin/php-malware-finder
Fuzzing Yara: https://blog.syscall.party/2020/05/10/fuzzing-yara-for-fun-and-no-profit.html

# RE Plugins
HYARA: https://github.com/hyuunnn/Hyara
FindYara IDA: https://github.com/OALabs/findyara-ida
MKYara: https://plugins.hex-rays.com/mkyara
FLIRT Yara: https://blogs.jpcert.or.jp/en/2023/06/autoyara4flirt.html
X64DBG YaraGen: https://github.com/mrexodia/YaraGen
VT Code Similarity YaraGen: https://github.com/arieljt/VTCodeSimilarity-YaraGen

Day #2: VT Domains Hunting — Operation Triangulation

In July 2023, the VirusTotal team released a new capability for the VT module in YARA: Yara NetIOC. This feature is very interesting because it allows you to track any uploaded file that has a relationship to a specific domain; it can also be used to hunt for network scanning. (NB: this VT module is only accessible on VT Livehunt, so you need a paid subscription.)

So today is a simple experiment that uses this feature and matches against any new samples communicating with the specified domains. (NB: this is the first time I have experimented with this module, so I have no idea how it will turn out, but I'll keep you posted if I get some interesting results.)

```yara
import "vt"

rule OperationTriangulation_Domain_Hunting
{
    meta:
        author = "Thomas Roccia | @fr0gger_"
        description = "100DaysofYara - VT domain hunting for OperationTriangulation"
        source = "https://securelist.com/operation-triangulation/109842/"

    condition:
        // "and" binds tighter than "or": without the parentheses the
        // new_for_domain / new_for_vt check would only apply to the last domain
        (
            vt.net.domain.raw == "addatamarket.net" or
            vt.net.domain.raw == "backuprabbit.com" or
            vt.net.domain.raw == "businessvideonews.com" or
            vt.net.domain.raw == "cloudsponcer.com" or
            vt.net.domain.raw == "datamarketplace.net" or
            vt.net.domain.raw == "mobilegamerstats.com" or
            vt.net.domain.raw == "snoweeanalytics.com" or
            vt.net.domain.raw == "tagclick-cdn.com" or
            vt.net.domain.raw == "topographyupdates.com" or
            vt.net.domain.raw == "unlimitedteacup.com" or
            vt.net.domain.raw == "virtuallaughing.com" or
            vt.net.domain.raw == "web-trackers.com" or
            vt.net.domain.raw == "growthtransport.com" or
            vt.net.domain.raw == "anstv.net" or
            vt.net.domain.raw == "ans7tv.net"
        ) and
        (
            vt.net.domain.communicating_file.new_for_domain or
            vt.net.domain.communicating_file.new_for_vt
        )
}
```

Day #3: TriangleDB Sample — Operation Triangulation

On day 3, I continued with the Operation Triangulation write-up and created a basic YARA rule designed to detect the TriangleDB iOS implant.

```yara
rule OperationTriangulation_TriangleDB
{
    meta:
        author = "Thomas Roccia | @fr0gger_"
        description = "100DaysOfYara | Match on implant TriangleDB"
        sample = "063db86f015fe99fdd821b251f14446d"
        source = "https://securelist.com/triangledb-triangulation-implant/110050/"
    strings:
        // each string appears once so that "3 of ($s*)" counts three distinct symbols
        $s1 = "swapLpServerType"
        $s2 = "getBuildArchitecture"
        $s3 = "CRXBlank"
        $s4 = "CRXConfigureDBServer"
        $s5 = "CRXUpdateConfigInfo"
        $s6 = "CRXFetchMatchingRecords"

        $enc = "unmungeHexString"
        $macOs = "populateWithFieldsMacOSOnly"

        $macho = { CF FA ED FE } // 64-bit little-endian Mach-O magic (MH_MAGIC_64)

    condition:
        $macho at 0 and (3 of ($s*)) and ($enc or $macOs)
}
```

Day #4: XOR Strings

The XOR feature in YARA enables the creation of rules that can match patterns encrypted with a simple XOR cipher: YARA brute-forces every XOR key in the given range until it finds a match with the specified encoded strings. This is super useful to hunt for samples that use XOR encryption.

Obviously, the rule below will generate some noise, but if you know the encoded strings (such as a C2 domain) from your malware analysis session, then you can use it to pivot and uncover additional payloads using the same infrastructure.

```yara
rule XOR_hunt
{
    meta:
        author = "Thomas Roccia | @fr0gger_"
        description = "100DaysOfYara - An attempt to catch malicious/suspicious pe file using xor for some data"
        status = "experimental"

    strings:
        // key 0x00 is excluded on purpose: it would match the plain strings
        $s1 = "http://" xor(0x01-0xff) ascii wide
        $s2 = "https://" xor(0x01-0xff) ascii wide
        $s3 = "ftp://" xor(0x01-0xff) ascii wide
        $s4 = "This program cannot be run in DOS mode" xor(0x01-0xff) ascii wide
        $s5 = "Mozilla/5.0" xor(0x01-0xff) ascii wide
        $s6 = "cmd /c" xor(0x01-0xff) ascii wide
        $s7 = "-ep bypass" xor(0x01-0xff) ascii wide

    condition:
        uint16(0) == 0x5A4D and any of them
}
```
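To see what the `xor(0x01-0xff) ascii wide` modifiers actually do, here is an added Python emulation (my code, not part of the post or of YARA): it tries every single-byte key in the range against both the ascii and the UTF-16LE form of a needle, then applies the rule's MZ check. The sample buffer, the key values and the `xor_hunt` helper are constructed for the example.

```python
# Added example: what YARA's xor(0x01-0xff) modifier does under the hood.
# A pattern is tried against every single-byte key in the range, in both
# ascii and wide (UTF-16LE) form, exactly as the XOR_hunt rule requests.

def xor_encode(plain: bytes, key: int) -> bytes:
    """Single-byte XOR, the cipher the rule hunts for."""
    return bytes(b ^ key for b in plain)

def find_xored(sample: bytes, plain: bytes, lo: int = 0x01, hi: int = 0xFF) -> list:
    """Return (offset, key, width) for every occurrence of `plain` XORed with a
    key in [lo, hi], as ascii or as wide (UTF-16LE, NUL bytes XORed too)."""
    hits = []
    variants = (("ascii", plain),
                ("wide", plain.decode("ascii").encode("utf-16-le")))
    for width, pattern in variants:
        for key in range(lo, hi + 1):
            enc = xor_encode(pattern, key)
            off = sample.find(enc)
            while off != -1:
                hits.append((off, key, width))
                off = sample.find(enc, off + 1)
    return sorted(hits)

def xor_hunt(sample: bytes,
             needles=(b"http://", b"https://", b"ftp://", b"cmd /c")) -> bool:
    """Emulates the rule's condition: uint16(0) == 0x5A4D and any of them."""
    if int.from_bytes(sample[:2], "little") != 0x5A4D:
        return False
    return any(find_xored(sample, n) for n in needles)

# Constructed test input (not a real binary): a bare MZ signature, "http://"
# XORed with key 0x42, and a wide "cmd /c" XORed with key 0x07.
SAMPLE = (b"MZ" + b"\x90" * 16
          + xor_encode(b"http://", 0x42)
          + b"\x00" * 8
          + xor_encode("cmd /c".encode("utf-16-le"), 0x07)
          + b"\x90" * 8)

if __name__ == "__main__":
    for needle in (b"http://", b"cmd /c"):
        print(needle, find_xored(SAMPLE, needle))
    print("XOR_hunt would fire:", xor_hunt(SAMPLE))
```

Because key 0x00 is outside the range, a plain unencrypted `http://` is not reported, which is also why the rule can only see the encrypted copies.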

Day #5: LNK file delivering RemcosRat

LNK files are interesting and can be used to deliver a second stage of an attack. I created a simple YARA rule to hunt for additional LNK files using similar techniques, which, in this case, involves detecting if Windows Defender is installed.

```yara
rule LNK_File_CheckAV {
    meta:
        description = "Check LNK file checking for Defender installed. Domain used with RemcosRat delivery"
        author = "Thomas Roccia | @fr0gger_"
        reference = "https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method"
        sample = "f650a9f1930e55e405d7121c56b90a996ab213a05b772a8f02ceb1cdbeb91165"
    strings:
        $s1 = "powershell.exe" ascii wide
        $s2 = "AntiVirusProduct" ascii wide
        $s3 = "-replace 'Windows Defender'" ascii wide
        $s4 = "new-tech-savvy.com" ascii wide
    condition:
        uint16(0) == 0x004c and 2 of them  // LNK HeaderSize field: 4C 00 00 00
}
```

Day #6: Magic Numbers

Yara can be used to access specific data at a given position. 👇

This feature is often used to identify Magic Numbers (used to determine the file format) to match your rule against a specific file type, such as a PE (0x4D5A), for example.

Today, no specific rule, but I'm working on creating a list of potential Magic Numbers you can use with Yara. Feel free to update, edit, and modify it.

# List of Magic Numbers that can be used for Yara Rules

`uintN(offset)` reads little-endian, so a magic written as it appears in a hex dump (for example `25 50 44 46` for `%PDF`) must either be byte-swapped for `uint32()` or compared with `uint32be()`.

- **pe**: `uint16(0) == 0x5a4d`
- **lnk**: `uint16(0) == 0x004c`
- **doc, ppt, xls**: `uint32be(0) == 0xd0cf11e0`
- **elf**: `uint16(0) == 0x457f`
- **macho32 (little-endian)**: `uint32(0) == 0xfeedface`
- **macho64 (little-endian)**: `uint32(0) == 0xfeedfacf`
- **macho32 (big-endian)**: `uint32(0) == 0xcefaedfe`
- **macho64 (big-endian)**: `uint32(0) == 0xcffaedfe`
- **rtf**: `uint32(0) == 0x74725C7B`
- **mime**: `uint32be(0) == 0x4d494d45`
- **pdf**: `uint32be(0) == 0x25504446`
- **zip**: `uint32(0) == 0x04034b50`
- **rar**: `uint32be(0) == 0x52617221`
- **gzip**: `uint16(0) == 0x8b1f`
- **pkzip**: `uint32be(0) == 0x504b0304`
- **7zip**: `uint32be(0) == 0x377abcaf`
- **tar**: `uint32be(257) == 0x75737461` (the `ustar` tag sits at offset 257, not 0)
- **iso**: `uint32be(32769) == 0x43443030`
- **sqlite**: `uint32be(0) == 0x53514c69`
- **pcap**: `uint32(0) == 0xa1b2c3d4`
- **pcapng**: `uint32(0) == 0x0a0d0d0a`
- **png**: `uint32be(0) == 0x89504e47`
- **xlsx**: `uint32be(0) == 0x504b0304`
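As an added example (my code, not from the post), here is a small Python emulation of YARA's `uint16()`, `uint32()` and `uint32be()` together with a subset of the list above, so the endianness of each constant can be checked against constructed headers before it goes into a rule. The `MAGICS` table, `identify()` and `le_constant()` are helpers invented for the example.

```python
import struct

# Added example: an emulation of YARA's integer access functions. uintN(offset)
# reads little-endian and uintNbe(offset) big-endian, which is the detail that
# decides whether a magic like "%PDF" needs uint32be(0) or a byte-swapped constant.

def uint16(data: bytes, off: int) -> int:
    return struct.unpack_from("<H", data, off)[0]

def uint32(data: bytes, off: int) -> int:
    return struct.unpack_from("<I", data, off)[0]

def uint32be(data: bytes, off: int) -> int:
    return struct.unpack_from(">I", data, off)[0]

def le_constant(magic: bytes) -> int:
    """Constant to compare against uintN(0) for bytes copied from a hex dump."""
    return int.from_bytes(magic, "little")

# (name, bytes needed, condition), a subset of the list above in YARA's form.
MAGICS = [
    ("pe",      2,   lambda d: uint16(d, 0) == 0x5A4D),
    ("elf",     2,   lambda d: uint16(d, 0) == 0x457F),
    ("gzip",    2,   lambda d: uint16(d, 0) == 0x8B1F),
    ("ole",     4,   lambda d: uint32be(d, 0) == 0xD0CF11E0),
    ("pdf",     4,   lambda d: uint32be(d, 0) == 0x25504446),
    ("png",     4,   lambda d: uint32be(d, 0) == 0x89504E47),
    ("zip",     4,   lambda d: uint32(d, 0) == 0x04034B50),
    ("macho64", 4,   lambda d: uint32(d, 0) == 0xFEEDFACF),
    ("tar",     261, lambda d: uint32be(d, 257) == 0x75737461),
]

def identify(data: bytes) -> list:
    """Names of every magic condition the data satisfies (empty list if none)."""
    return [name for name, need, cond in MAGICS if len(data) >= need and cond(data)]

if __name__ == "__main__":
    # Constructed headers, not real files.
    for hdr in (b"MZ\x90\x00", b"%PDF-1.7\n", b"\x1f\x8b\x08\x00", b"PK\x03\x04"):
        print(hdr, identify(hdr), hex(uint32(hdr, 0)), hex(uint32be(hdr, 0)))
```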

Day #7: Hunting for RichHash

The Rich PE header is a specific section of a PE (Portable Executable) header that provides information about the compiling environment. By hashing this part of the PE header, it is possible to pivot through it to discover additional payloads that may have been compiled in the same environment.

Today, the Rich Hash is a common feature on VirusTotal, but some years ago it was not available. However, you could still hunt for this data by using the hash and PE modules of YARA, as demonstrated in the rule below.

```yara
import "pe"
import "hash"

rule RichHash_Hunting
{
    meta:
        author = "Thomas Roccia | @fr0gger_"
        description = "100DaysOfYara RichHash hunting for mimikatz dll"
        sample = "aef6ce3014add838cf676b57957d630cd2bb15b0c9193cf349bcffecddbc3623"
    condition:
        hash.md5(pe.rich_signature.clear_data) == "8a0f7bc19a66091ff7eea991e1903d09"
}
```
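To show what `pe.rich_signature.clear_data` contains and why its hash survives relinking with a different XOR key, here is an added Python example (mine, not the post's or YARA's code) that builds a constructed Rich signature, decodes it the way I read libyara's pe module to do it, and computes the same MD5 the rule compares. The comp_id values, the key and the `build_rich_signature` helper are made up for the example.

```python
import hashlib
import struct

# Added example (not from the post): build and decode a Rich signature the way
# libyara's pe module does, so hash.md5(pe.rich_signature.clear_data) can be
# reproduced offline. clear_data is the XOR-decoded run from the "DanS" tag up
# to, but not including, the "Rich" marker; the marker and key are not hashed.

DANS, RICH = b"DanS", b"Rich"

def xor_with_key(data: bytes, key_bytes: bytes) -> bytes:
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))

def build_rich_signature(entries, key: int, dos_header_len: int = 0x40) -> bytes:
    """Constructed PE prefix: a bare DOS header followed by an encrypted Rich
    signature for the given (comp_id, use_count) pairs."""
    plain = DANS + b"\x00" * 12
    for comp_id, count in entries:
        plain += struct.pack("<II", comp_id, count)
    key_bytes = struct.pack("<I", key)
    dos_header = b"MZ" + b"\x00" * (dos_header_len - 2)
    return dos_header + xor_with_key(plain, key_bytes) + RICH + key_bytes

def rich_clear_data(pe: bytes) -> bytes:
    """Find "Rich", read the key after it, walk back one DWORD at a time until
    the decoded DWORD is "DanS", and return the decoded run (key-independent)."""
    mark = pe.find(RICH, 0x40)
    if mark == -1 or mark + 8 > len(pe):
        raise ValueError("no Rich marker")
    key_bytes = pe[mark + 4:mark + 8]
    for pos in range(mark - 4, 0x3C, -4):  # never walk into the DOS header
        if xor_with_key(pe[pos:pos + 4], key_bytes) == DANS:
            return xor_with_key(pe[pos:mark], key_bytes)
    raise ValueError("no DanS tag")

def rich_hash(pe: bytes) -> str:
    """The value the rule compares: MD5 of clear_data."""
    return hashlib.md5(rich_clear_data(pe)).hexdigest()

def rich_entries(clear: bytes) -> list:
    """(tool_id, build, use_count) triples from the comp_id/count DWORD pairs."""
    return [(cid >> 16, cid & 0xFFFF, cnt)
            for cid, cnt in struct.iter_unpack("<II", clear[16:])]

# Constructed signature, not from a real file: two made-up comp_ids, key 0x12345678.
ENTRIES = [(0x00832636, 5), (0x00FD6B74, 12)]
SAMPLE = build_rich_signature(ENTRIES, 0x12345678)
```

Re-encrypting the same entries with another key yields the same `rich_hash`, which is what makes the value a pivot on the build environment rather than on one file.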

Day #8: Introducing Yara Toolkit

I’ve been working on a new tool called Yara Toolkit. For more details you can check out the detailed blogpost here.

https://yaratoolkit.securitybreak.io

Day #9: Adding a Yara rules search engine in YaraToolkit

There are so many public rules out there, it’s easy to lose track.

I got you covered! In YaraToolkit v0.2, I added a search engine for some rules repositories. Just enter a keyword to find a specific rule.

https://yaratoolkit.securitybreak.io

Day #10: New features coming on YaraToolkit but for today a meme and a heavy regex rule

```yara
rule DontDoThatNoReally
{
    meta:
        author = "Thomas Roccia | @fr0gger_"
        date = "2024-01-10"
        description = "#100daysofYara | regex experiment that will slow down the scanning"
        source = "https://stackoverflow.com/questions/9315647/regex-credit-card-number-tests"
    strings:
        $Amex = /3[47][0-9]{13}/
        $BCGlobal = /(6541|6556)[0-9]{12}/
        $CarteBlanche = /389[0-9]{11}/
        $DinersClub = /^3(0[0-5]|[68][0-9])[0-9]{11}$/
        $Discover = /65[4-9][0-9]{13}|64[4-9][0-9]{13}|6011[0-9]{12}|(622(12[6-9]|1[3-9][0-9]|[2-8][0-9][0-9]|9[01][0-9]|92[0-5])[0-9]{10})/
        $InstaPayment = /63[7-9][0-9]{13}/
        $JCB = /(2131|1800|35\d{3})\d{11}/
        $KoreanLocal = /9[0-9]{15}/
        $Laser = /(6304|6706|6709|6771)[0-9]{12,15}/
        $Maestro = /(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}/
        $Mastercard = /(5[1-5][0-9]{14}|2(22[1-9][0-9]{12}|2[3-9][0-9]{13}|[3-6][0-9]{14}|7[0-1][0-9]{13}|720[0-9]{12}))/
        $Solo = /(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}/
        $UnionPay = /(62[0-9]{14,17})/
        $Visa = /4[0-9]{12}([0-9]{3})?/
        $VisaMaster = /(4[0-9]{12}([0-9]{3})?|5[1-5][0-9]{14})/
    condition:
        any of them
}
```

Day #11: Adding DocYara an assistant to all things Yara into YaraToolkit

Day #12 and 13: YaraToolkit v0.4 is out!

You now have a new tab called ‘Arsenal’ that will be the place where I will be adding tools related to Yara.

In this version I added a second tool used to generate Rich Header Yara rule.

Day #14: Hunting for unknown

Sometimes samples discussed in a public threat report are not always available…

But when there’s enough information, it’s possible to craft a small rule to hunt for more

Here’s a rule to hunt for the driver loaders in the recent Medusa Ransomware campaign.

```yara
rule Loader_Medusa_Driver_ASMGuard
{
    meta:
        author = "Thomas Roccia | @fr0gger_"
        date = "2024-01-14"
        description = "100DaysOfYara | Medusa Ransomware driver loader hunting based on report | no hash"
        source = "https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/"
    strings:
        $fakeUPX = { 30 34 0A 55 50 58 21 00 5F 30 78 30 30 31 34 39 33 32 }
        $str1 = "ASM_Guard" fullword
    condition:
        uint16(0) == 0x5a4d and
        filesize < 500KB and
        $fakeUPX and $str1
}
```

Day #15: YaraToolkit v0.4.1 — Adding Imphash rule generation

Day #16: YaraToolkit v0.4.2 — Adding Opcode Rule Generation

Day #17: YaraToolkit v0.4.3 —Adding Strings Ranking Extraction

Day #18: Pivoting on developers' artifacts, fails, errors…

Developers' and attackers' artifacts, habits, errors, and fails are fantastic pivots that are very reliable for tracking threat actors.

This known Rubeus artifact, with the three ‘s’ in the name of the registered logon application “User32LogonProcesss”, is a great example.

With a simple Yara rule based on this unique artifact, you can hunt for more Rubeus samples, or those using copy-pasta code, with no false positives!

But be careful: when an artifact becomes too well-known, it can lead to false positives or, worse, to misleading results!

```yara
rule MAL_Rubeus_HunTest
{
    meta:
        author = "Thomas Roccia"
        date = "2024-01-18"
        description = "#100DaysOfYara testing hunt for Rubeus"
        source = "https://twitter.com/_RastaMouse/status/1747636529613197757"
    strings:
        $str0 = "User32LogonProcesss" fullword wide ascii
    condition:
        uint16(0) == 0x5a4d and
        filesize < 2MB and
        $str0
}
```

Day #19, 20, 21: Some maintenance and resource improvements on Yara Toolkit.

Day #22: Yara Hash (#) Operator

The Hash (#) operator in Yara allows you to count the number of occurrences of your strings in your sample.

In the example below, I looked at this funny obfuscator that changes the keywords inside a .NET sample to ‘await’. The rule leads to false positives, but I thought it was interesting to craft a rule for it.

```yara
rule AwaitFuscator
{
    meta:
        author = "@fr0gger_"
        date = "2024-01-22"
        description = "#100daysofYara | AwaitFuscator testing rules"
        source = "https://blog.washi.dev/posts/awaitfuscator/"
    strings:
        $str0 = "await" fullword ascii wide
    condition:
        uint16(0) == 0x5a4d and
        filesize < 2MB and
        #str0 > 30   // #str0 is the number of times $str0 matches
}
```

Day #23: Yaralyzer into YaraToolkit

Day #24 #25: Yara Scanner can now handle password-protected zip files

Day #35: Yara Scanner supports the console module

Day #36: The End

Hope you liked this first third of the challenge. From now on, YaraToolkit will remain available and periodic updates will be released! Until then, Happy hunting! ❤

Thomas
