#100DaysofYARA

In search for some inspiration, I scrolled through https://www.garykessler.net/library/file_sigs.html and font files piqued my interest. I'll start with a generic rule for the OpenType font format. It is, as one might expect starting with "Open" and all, a registered trademark of Microsoft. This signature matches on the file magic and then puts some sensible boundaries in place that I've observed in font files on my local installation.

```
rule OpenTypeFontFile {
meta:
description = "Generic signature for the OpenType font format, excludes some unexpected but valid files to reduce false-positive rate"
author = "@larsborn"
date = "2024-03-10"
reference = "https://en.wikipedia.org/wiki/OpenType"
example_hash = "09bcc57b0f2b1518758831018922eadb2b3f279b56d13e1ba9aae04c1927a763"

DaysofYARA = "26/100"
condition:
uint32be(0) == 0x4f54544f // OTTO
and 4 < uint16be(4) and uint16be(4) < 100 // sensible range for table count
and uint16be(6) & 0xf == 0 // search range is often divisible by 16
}
```

https://github.com/100DaysofYARA/2024/pull/155

#100DaysofYARA

My take on Dalvik (.dex) files. Tried to cover a bit more than the usual `"dex\n"` file magic by including checks for the following 4 bytes (3 need to be numeric followed by a `"\0"`) and finally a check for the filesize at `0x20`.

```
rule Dalvik {
meta:
description = "Dalvik (dex) compiled files"
author = "@larsborn"
date = "2024-02-18"
reference = "https://source.android.com/docs/core/runtime/dex-format"
example_hash = "f8718170a98298e56a962e1f12e34c1190535fc93a2523fe1be345db4631e788"

DaysofYARA = "23/100"
condition:
uint32be(0) == 0x6465780a // "dex\n"
and for all i in ( 1 .. 3 ) : ( // three digits
uint16(3 + i) & 0xff >= 0x30 and uint16(3 + i) & 0xff <= 0x39
)
and uint16(7) & 0xff == 0x0 // null byte "\0"
and uint32(0x20) == filesize // file size check
}
```

https://github.com/100DaysofYARA/2024/pull/145

Virus Total have released a (new?) cheat sheet for their Live Hunt YARA service, which requires the use of their custom "vt" YARA module:

https://assets.virustotal.com/reports/livehunt-cheatsheet.pdf

The original Virus Total Intelligence cheat sheet is available at:

https://storage.googleapis.com/vtpublic/reports/VTI%20Cheatsheet.pdf

#100DaysofYara #malwareanalysis

#100DaysofYARA

Let's cover more ground in the Android realm: this rule matches on Java .class files while making sure that the constant pool of those files is within sane boundaries. Feel free to negate those checks to find weird .class files instead.

```
rule JavaClass {
meta:
description = "Java class file with a sane constant pool and the first constant being printable"
author = "@larsborn"
date = "2024-02-18"
reference = "https://en.wikipedia.org/wiki/Java_class_file"
example_hash = "158a19eb94aa2f3e2f459db69ee10276c73b945dd6c5f8fc223cf2d85e2b5e33"

DaysofYARA = "24/100"
condition:
uint32be(0) == 0xcafebabe
and uint16be(6) & 0xff >= 43 // major version
and 3 < uint16be(8) and uint16be(8) <= 3000 // sane constant pool count bounds
and 3 < uint16be(11) and uint16be(11) <= 300 // sane first constant length
and for all i in ( 1 .. uint16be(11) ) : ( // first constant printable
0x20 <= (uint16be(11 + i) & 0xff) and (uint16be(11 + i) & 0xff) < 127
)
}
```

https://github.com/100DaysofYARA/2024/pull/149

#100DaysofYARA

Kotlin is a programming language designed to completely interoperate with JAVA and the JVM. It is often used within Android applications and this rule matches on the file name `DebugProbesKt.bin` within an Android application which seems to be characteristic for Kotlin.

```
rule AndroidKotlinDebugProbesKt {
meta:
description = "Kotlin artifact needed to enable the builtin support for coroutines debugger in IDEA (DebugProbesKt.bin)"
author = "@larsborn"
date = "2024-02-18"
reference = "TODO"
example_hash = "158a19eb94aa2f3e2f459db69ee10276c73b945dd6c5f8fc223cf2d85e2b5e33"

DaysofYARA = "25/100"
strings:
$constant = "kotlin/coroutines/jvm/internal/DebugProbesKt"
condition:
uint32be(0) == 0xcafebabe
and uint16be(6) & 0xff >= 43 // major version
and 3 < uint16be(8) and uint16be(8) <= 3000 // sane constant pool count bounds
and uint16be(11) == 44 // length of first constant
and for all i in ( 1 .. uint16be(11) ) : ( // first constant printable
0x20 <= (uint16be(11 + i) & 0xff) and (uint16be(11 + i) & 0xff) < 127
)
and $constant at 13
}
```

https://github.com/100DaysofYARA/2024/pull/149

#100DaysofYARA might have gotten missed but Lab52 had a cool report on a new loader for Turla's (TA420 😎) Kazuar family

lets look for it by honing in on code in the export functions used for thread suspension, loading into mem, and DLL name style

https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/

#100DaysofYARA

Continuing with the Android theming: those file formats seem to make a point having their own size in the second DWORD. So here we go, a rule that matches on Android resource files (often named `resources.arsc`).

```
rule AndroidResourceArsc {
meta:
description = "Probably an Android resource file (i.e. resources.arsc)"
author = "@larsborn"
date = "2024-02-10"
reference = "https://androguard.readthedocs.io/en/latest/api/androguard.core.bytecodes.html#androguard.core.bytecodes.axml.AXMLParser"
example_hash = "e81b50d46350e67d4c60e156556e2698a9acbe73b8c2008ca0f8696a3e0e391a"

DaysofYARA = "22/100"
condition:
uint16be(0) == 0x0200 and uint32(4) == filesize
}
```

https://github.com/100DaysofYARA/2024/pull/142

#100DaysofYARA

I'll move over to some generic Android-specific rules: this one matches on the header of compiled manifest files (AndroidManifest.xml). Those start with file magic followed by the file size itself.

```
rule BinaryAndroidManifestXml {
meta:
description = "Probably a compiled binary manifest from an Android application (i.e. AndroidManifest.xml)"
author = "@larsborn"
date = "2024-02-10"
reference = "https://androguard.readthedocs.io/en/latest/api/androguard.core.bytecodes.html#androguard.core.bytecodes.axml.AXMLParser"
example_hash = "503c7b5a752e6112e29b28c74b2989efde2110cbf91c49ac0ea8752204746f06"

DaysofYARA = "21/100"
condition:
uint32be(0) == 0x03000800 and uint32(4) == filesize
}
```

https://github.com/100DaysofYARA/2024/pull/138

#100DaysofYARA day 45 - from the great find from Talos today, and inspired by ESET's great paper on the rich header (+ their sig formats) - a rule on the toolIDs+counts!

https://blog.talosintelligence.com/tinyturla-next-generation/

https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/APT_RU_Turla_TinyTurlaNG.yar

#100DaysofYARA Day 44 more abuse of Cerebro but keeping it simple - if we see obfuscated Mozilla, we detect it!

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/SUSP_Obfuscated_Mozilla.yar

#100DaysofYARA

And a second way to classify previously mentioned malware family StrelaStealer: it uses a printable string looking like a UUID as an Xor-Key. This will also conclude this whole drop-chain and we'll get to something else. Currently, I'm thinking on looking into different file formats around Android applications...

```
rule StrelaStealer_XorKey {
meta:
description = "Multi-purpose Xor-Key observed in StrelaStealer"
author = "@larsborn"
date = "2024-02-10"
reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
example_hash = "6e8a3ffffd2f7a91f3f845b78dd90011feb80d30b4fe48cb174b629afa273403"
example_hash = "8b0d8651e035fcc91c39b3260c871342d1652c97b37c86f07a561828b652e907"

DaysofYARA = "20/100"
strings:
$ = "4f3855aa-af7e-4fd2-b04e-55e63653d2f7"
condition:
any of them
}
```

https://github.com/100DaysofYARA/2024/pull/129

#100DaysofYARA catching up with Day 42 and 43 - rules looking for Zardoor! one looking for a weird export, narrowed by build information from the rich header, and another rule looking for weird resource type strings, CODER

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/MAL_Zardoor.yar

@xabean its part of the binary-refinery framework!

https://github.com/binref/refinery

Written by @rattle and its awesome

There are tutorials in the repo and a great video on it here: https://youtu.be/4gTaGfFyMK4?si=UYRI-wkH23jwuiHI

some of these are definitely hash-like objects, like these FatDuke DLL names

others are more incidental, like CloudAtlas' Inception

or the resources from WARPRISM

#100DaysofYARA Day 36 lets go looking for hashes

but you decry - "gReG hAsHeS aReN't rEsIliEnT"

hol up - we're looking for hashes where they're unexpected and weird - like a DLL name or resource name looking like an MD5

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/SUSP_PE_HashLike_Features.yar

#100DaysofYARA Day 37 looking for the string base64... encoded with base64 🌚

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/SUSP_Base64_String_in_base64.yar

#100DaysofYARA Day 38 - whyyyy would you embed an ISO into an LNK?? if you do it right you can mount run the file as an LNK or mount it as an ISO apparently... but WHY???

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/SUSP_LNK_Embedded_ISO.yar

#100DaysofYARA day 40 (I think) - experimenting with Macho "features" to look for RShell implants ( found by pals at Trend Micro and Sekoia) based on their dylib usage - seeing if we can track those header values as good signal to find them!

retro running now-report back soon🫡

#100DaysofYARA Day 41 wanted to get back to passive backdoors & since the TL was talking sniffing wifi 802.11, lets go looking for probable backdoors that do all of them - of course SEASPY references all 3!

https://github.com/100DaysofYARA/2024/blob/main/glesnewich/SUSP_References_Likely_Traffic_Sniffing.yar

@larsborn @captainGeech ahhh im sorry bud! I’ve still being posting rules but on the “other” site (logged in on it on the computer I do my YARA’s on)

Will make sure I’m posting here - and will backfill my posts now!!