security:malware:yara
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
| Beide Seiten der vorigen RevisionVorhergehende ÜberarbeitungNächste Überarbeitung | Vorhergehende Überarbeitung | ||
| security:malware:yara [2021/06/19 13:37] – [Rule to detect maleware in PE Files] wikiadm | security:malware:yara [2021/07/03 15:52] (aktuell) – wikiadm | ||
|---|---|---|---|
| Zeile 16: | Zeile 16: | ||
| $s | $s | ||
| } | } | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | sudo yara / | ||
| </ | </ | ||
| Zeile 31: | Zeile 35: | ||
| ====== Rule to detect maleware in PE Files ====== | ====== Rule to detect maleware in PE Files ====== | ||
| - | malware.yar | + | ===== Generate Rule from Strings ===== |
| + | generate_rule.sh | ||
| < | < | ||
| - | rule str_rule | + | #!/bin/bash |
| - | { | + | |
| - | strings: | + | |
| - | $s1 = "WWWWWPj" | + | echo "rule mw_rule" > /home/student/Desktop/rules/malware.yar |
| - | $s2 = " | + | echo " |
| - | $s3 = "; | + | |
| - | $s4 = " | + | |
| - | $s5 = "2+( VPOL" | + | |
| - | $s6 = " | + | |
| - | $s7 = " | + | |
| - | $s8 = " | + | |
| - | $s9 = " | + | |
| - | $s10 = " | + | |
| - | $s11 = " | + | |
| - | $s12 = " | + | |
| - | $s13 = ">k_I[$" | + | |
| - | $s14 = "msg/m_english.wnryF" | + | |
| - | $s15 = " | + | |
| - | $s16 = ": | + | |
| - | $s17 = " | + | |
| - | $s18 = " | + | |
| - | $s19 = " | + | |
| - | $s20 = "msg/m_french.wnry" | + | |
| - | $s21 = " | + | |
| - | $s22 = " | + | |
| - | $s23 = " | + | |
| - | $s24 = " | + | |
| - | $s25 = " | + | |
| - | $s26 = " | + | |
| - | $s27 = " | + | |
| - | $s28 = " | + | |
| - | $s29 = " | + | |
| - | $s30 = " | + | |
| - | $s31 = " | + | |
| - | $s32 = " | + | |
| - | $s33 = " | + | |
| - | $s34 = "?? | + | |
| - | $s35 = " | + | |
| - | $s36 = " | + | |
| - | $s37 = " | + | |
| - | $s38 = " | + | |
| - | $s39 = " | + | |
| - | $s40 = " | + | |
| - | $s41 = " | + | |
| - | $s42 = " | + | |
| - | $s43 = " | + | |
| - | $s44 = " | + | |
| - | $s45 = " | + | |
| - | $s46 = " | + | |
| - | $s47 = "& | + | |
| - | $s48 = " | + | |
| - | $s49 = " | + | |
| - | $s50 = " | + | |
| - | $s51 = " | + | |
| - | $s52 = " | + | |
| - | $s53 = " | + | |
| - | $s54 = " | + | |
| - | $s55 = "data error" | + | |
| - | $s56 = "?? | + | |
| - | $s57 = " | + | |
| - | $s58 = " | + | |
| - | $s59 = "; | + | |
| - | $s60 = " | + | |
| - | $s61 = " | + | |
| - | $s62 = " | + | |
| - | $s63 = " | + | |
| - | $s64 = " | + | |
| - | $s65 = " | + | |
| - | $s66 = " | + | |
| - | $s67 = " | + | |
| - | $s68 = " | + | |
| - | $s69 = " | + | |
| - | $s70 = "msg/m_chinese (traditional).wnry" | + | |
| - | $s71 = " | + | |
| - | $s72 = " | + | |
| - | $s73 = " | + | |
| - | $s74 = " | + | |
| - | $s75 = " | + | |
| - | $s76 = " | + | |
| - | $s77 = " | + | |
| - | $s78 = " | + | |
| - | $s79 = " | + | |
| - | $s80 = " | + | |
| - | $s81 = " | + | |
| - | $s82 = " | + | |
| - | $s83 = " | + | |
| - | $s84 = "msg/m_croatian.wnry" | + | |
| - | $s85 = "CMnQ, | + | |
| - | $s86 = " | + | |
| - | $s87 = " | + | |
| - | $s88 = " | + | |
| - | $s89 = " | + | |
| - | $s90 = " | + | |
| - | $s91 = " | + | |
| - | $s92 = " | + | |
| - | $s93 = " | + | |
| - | $s94 = " | + | |
| - | $s95 = " | + | |
| - | $s96 = " | + | |
| - | $s97 = " | + | |
| - | $s98 = " | + | |
| - | $s99 = "' | + | |
| - | $s100 = " | + | |
| - | $s101 = " | + | |
| - | $s102 = " | + | |
| - | $s103 = "# | + | |
| - | $s104 = " | + | |
| - | $s105 = " | + | |
| - | $s106 = " | + | |
| - | $s107 = " | + | |
| - | $s108 = " | + | |
| - | $s109 = " | + | |
| - | $s110 = " | + | |
| - | $s111 = " | + | |
| - | $s112 = " | + | |
| - | $s113 = " | + | |
| - | $s114 = " | + | |
| - | $s115 = " | + | |
| - | $s116 = "<` Xu9g" | + | |
| - | $s117 = " | + | |
| - | $s118 = " | + | |
| - | $s119 = " | + | |
| - | $s120 = " | + | |
| - | $s121 = " | + | |
| - | $s122 = " | + | |
| - | $s123 = "$@^ Y+kCM3" | + | |
| - | $s124 = " | + | |
| - | $s125 = " | + | |
| - | $s126 = " | + | |
| - | $s127 = " | + | |
| - | $s128 = " | + | |
| - | $s129 = " | + | |
| - | $s130 = " | + | |
| - | $s131 = " | + | |
| - | $s132 = " | + | |
| - | $s133 = " | + | |
| - | $s134 = " | + | |
| - | $s135 = " | + | |
| - | $s136 = " | + | |
| - | $s137 = "2{0ONU T8" | + | |
| - | $s138 = " | + | |
| - | $s139 = " | + | |
| - | $s140 = " | + | |
| - | $s141 = " | + | |
| - | $s142 = " | + | |
| - | $s143 = " | + | |
| - | $s144 = " | + | |
| - | $s145 = " | + | |
| - | $s146 = "empty distance tree with lengths" | + | |
| - | $s147 = " | + | |
| - | $s148 = " | + | |
| - | $s149 = " | + | |
| - | $s150 = "ciC [/K" | + | |
| - | $s151 = " | + | |
| - | $s152 = " | + | |
| - | $s153 = " | + | |
| - | $s154 = " | + | |
| - | $s155 = " | + | |
| - | $s156 = " | + | |
| - | $s157 = " | + | |
| - | $s158 = " | + | |
| - | $s159 = " | + | |
| - | $s160 = " | + | |
| - | $s161 = " | + | |
| - | $s162 = " | + | |
| - | $s163 = " | + | |
| - | $s164 = " | + | |
| - | $s165 = "file error" | + | |
| - | $s166 = ">nuGl=Cme4" | + | |
| - | $s167 = " | + | |
| - | $s168 = " | + | |
| - | $s169 = " | + | |
| - | $s170 = " | + | |
| - | $s171 = " | + | |
| - | $s172 = " | + | |
| - | $s173 = " | + | |
| - | $s174 = "&& | + | |
| - | $s175 = "# | + | |
| - | $s176 = " | + | |
| - | $s177 = " | + | |
| - | $s178 = " | + | |
| - | $s179 = "& | + | |
| - | $s180 = " | + | |
| - | $s181 = " | + | |
| - | $s182 = "- unzip 0.15 Copyright 1998 Gilles Vollant" | + | |
| - | $s183 = "?? | + | |
| - | $s184 = ", | + | |
| - | $s185 = " | + | |
| - | $s186 = "?? | + | |
| - | $s187 = " | + | |
| - | $s188 = " | + | |
| - | $s189 = " | + | |
| - | $s190 = " | + | |
| - | $s191 = " | + | |
| - | $s192 = " | + | |
| - | $s193 = " | + | |
| - | $s194 = " | + | |
| - | $s195 = " | + | |
| - | $s196 = " | + | |
| - | $s197 = " | + | |
| - | $s198 = " | + | |
| - | $s199 = " | + | |
| - | $s200 = " | + | |
| - | $s201 = " | + | |
| - | $s202 = " | + | |
| - | $s203 = " | + | |
| - | $s204 = "IyEf [%" | + | |
| - | $s205 = " | + | |
| - | $s206 = " | + | |
| - | $s207 = " | + | |
| - | $s208 = " | + | |
| - | $s209 = "' | + | |
| - | $s210 = " | + | |
| - | $s211 = ", | + | |
| - | $s212 = "need dictionary" | + | |
| - | $s213 = " | + | |
| - | $s214 = " | + | |
| - | $s215 = " | + | |
| - | $s216 = " | + | |
| - | $s217 = " | + | |
| - | $s218 = " | + | |
| - | $s219 = " | + | |
| - | $s220 = "6P>YK^$r" | + | |
| - | $s221 = " | + | |
| - | $s222 = " | + | |
| - | $s223 = " | + | |
| - | $s224 = " | + | |
| - | $s225 = " | + | |
| - | $s226 = " | + | |
| - | $s227 = " | + | |
| - | $s228 = " | + | |
| - | $s229 = " | + | |
| - | $s230 = " | + | |
| - | $s231 = "!This program cannot be run in DOS mode." | + | |
| - | $s232 = " | + | |
| - | $s233 = " | + | |
| - | $s234 = " | + | |
| - | $s235 = " | + | |
| - | $s236 = "msg/m_german.wnry" | + | |
| - | $s237 = " | + | |
| - | $s238 = " | + | |
| - | $s239 = " | + | |
| - | $s240 = " | + | |
| - | $s241 = "# | + | |
| - | $s242 = " | + | |
| - | $s243 = " | + | |
| - | $s244 = " | + | |
| - | $s245 = "?? | + | |
| - | $s246 = "msg/m_danish.wnry" | + | |
| - | $s247 = " | + | |
| - | $s248 = " | + | |
| - | $s249 = "?-3t/''" | + | |
| - | $s250 = " | + | |
| - | $s251 = " | + | |
| - | $s252 = " | + | |
| - | $s253 = " | + | |
| - | $s254 = "tlHt Ht" | + | |
| - | $s255 = " | + | |
| - | $s256 = " | + | |
| - | $s257 = " | + | |
| - | $s258 = " | + | |
| - | $s259 = " | + | |
| - | $s260 = " | + | |
| - | $s261 = " | + | |
| - | $s262 = " | + | |
| - | $s263 = "msg/m_finnish.wnry~" | + | |
| - | $s264 = " | + | |
| - | $s265 = " | + | |
| - | $s266 = " | + | |
| - | $s267 = " | + | |
| - | $s268 = " | + | |
| - | $s269 = "?? | + | |
| - | $s270 = " | + | |
| - | $s271 = " | + | |
| - | $s272 = " | + | |
| - | $s273 = " | + | |
| - | $s274 = " | + | |
| - | $s275 = " | + | |
| - | $s276 = " | + | |
| - | $s277 = " | + | |
| - | $s278 = " | + | |
| - | $s279 = " | + | |
| - | $s280 = ": | + | |
| - | $s281 = " | + | |
| - | $s282 = " | + | |
| - | $s283 = " | + | |
| - | $s284 = " | + | |
| - | $s285 = " | + | |
| - | $s286 = " | + | |
| - | $s287 = " | + | |
| - | $s288 = " | + | |
| - | $s289 = " | + | |
| - | $s290 = " | + | |
| - | $s291 = "7#z y,:" | + | |
| - | $s292 = " | + | |
| - | $s293 = " | + | |
| - | $s294 = " | + | |
| - | $s295 = " | + | |
| - | $s296 = " | + | |
| - | $s297 = " | + | |
| - | $s298 = "too many length or distance symbols" | + | |
| - | condition: any of them | + | echo " |
| - | } | + | count=1 |
| + | while read s; do | ||
| + | p=${s// | ||
| + | echo " | ||
| + | count=$((count+1)) | ||
| + | done </ | ||
| - | rule IsPeFile { | + | echo "" |
| - | strings: | + | |
| - | $mz = "MZ" | + | |
| - | condition: | + | echo " |
| - | $mz at 0 and uint32(uint32(0x3C)) == 0x4550 and str_rule | + | echo " |
| + | echo " | ||
| + | echo " | ||
| + | |||
| + | echo " | ||
| + | </ | ||
| + | ===== Final Rule ===== | ||
| + | malware.yar | ||
| + | --> generated, but left only relevant string | ||
| + | |||
| + | rule mw_rule | ||
| + | { | ||
| + | strings: | ||
| + | $s176 = " | ||
| + | |||
| + | condition: | ||
| + | $s176 and | ||
| + | uint16(0) == 0x5A4D and | ||
| + | uint32(uint32(0x3C)) == 0x4550 | ||
| } | } | ||
| + | |||
| + | < | ||
| + | yara / | ||
| </ | </ | ||
security/malware/yara.1624102640.txt.gz · Zuletzt geändert: von wikiadm