Using Yara rules with Volatility
YARA is a tool designed to help malware researchers identify and classify malware samples. It has been called the pattern-matching Swiss Army knife for security researchers.
Yarascan is a Volatility plugin that scans a memory image for YARA signatures. It can be used with a rule file, or you can define what you are looking for on the fly. In this diary I am not going to discuss how to write YARA rules.
In this example yarascan searches memory.img for the signatures defined in the file stuxnet.yar. The commands in this diary omit --profile, so they run with Volatility 2's default profile (WinXPSP2x86); for any other image, pass the correct profile explicitly:
vol.py -f memory.img yarascan --yara-file=stuxnet.yar
Here is the output. Each hit shows the rule name, the owning process name and PID, and a hexdump of the matched region starting at the match address. The dump also shows why the rule fired: the bytes 3d 4d 5a 00 00 at 0x01439151 are an x86 cmp eax, 0x5a4d, a check for the MZ signature of a PE header, consistent with code that parses an executable held in memory.
Rule: StuxNet_Malware_1 Owner: Process services.exe Pid 668
0x01439071 8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89 .E.5.y..3..U....
0x01439081 4a 04 8b 45 08 c7 40 0c 58 bd 43 01 33 c0 5e c9 J..E..@.X.C.3.^.
0x01439091 c3 55 8b ec 83 ec 2c 83 65 e8 00 83 65 f4 00 83 .U....,.e...e...
0x014390a1 65 e4 00 8b 45 20 8b 4d 14 8d 84 01 98 00 00 00 e...E..M........
0x014390b1 89 45 f0 8d 45 f4 50 8d 45 e8 50 8d 45 d8 50 ff .E..E.P.E.P.E.P.
0x014390c1 75 f0 ff 75 08 e8 14 fe ff ff 83 c4 14 89 45 fc u..u..........E.
0x014390d1 83 7d fc 00 74 08 8b 45 fc e9 fd 00 00 00 8b 45 .}..t..E.......E
0x014390e1 e8 89 45 f8 8b 45 e8 05 98 00 00 00 89 45 e8 c7 ..E..E.......E..
0x014390f1 45 e4 98 00 00 00 ff 75 20 ff 75 1c 8b 45 f8 05 E......u..u..E..
0x01439101 84 00 00 00 50 8d 45 e4 50 ff 75 f4 8d 45 e8 50 ....P.E.P.u..E.P
0x01439111 e8 79 fe ff ff 83 c4 18 8b 45 e8 89 45 dc ff 75 .y.......E..E..u
0x01439121 14 ff 75 10 8b 45 f8 05 8c 00 00 00 50 8d 45 e4 ..u..E......P.E.
0x01439131 50 ff 75 f4 8d 45 e8 50 e8 51 fe ff ff 83 c4 18 P.u..E.P.Q......
0x01439141 8b 45 dc 89 45 ec 81 7d 14 00 10 00 00 72 47 8b .E..E..}.....rG.
0x01439151 45 ec 0f b7 00 3d 4d 5a 00 00 75 3a 8b 45 ec 8b E....=MZ..u:.E..
0x01439161 40 3c 05 f8 00 00 00 3b 45 14 73 2a 8b 45 ec 8b @<.....;E.s*.E..
Here is another example, where the rule is defined on the fly. yarascan wraps the string passed to -Y in a throwaway rule named r1, which is why the output reports Rule: r1 rather than a name of your own:
vol.py -f memory.img yarascan -Y "https:"
And here is the output. A string this generic matches benign data as readily as malicious: this hit in csrss.exe is the text of a VeriSign time-stamping certificate, not something to act on.
Rule: r1 Owner: Process csrss.exe Pid 636
0x008105df 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69 https://www.veri
0x008105ef 73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29 sign.com/rpa.(c)
0x008105ff 30 31 31 27 30 25 06 03 55 04 03 13 1e 56 65 72 011'0%..U....Ver
0x0081060f 69 53 69 67 6e 20 54 69 6d 65 20 53 74 61 6d 70 iSign.Time.Stamp
0x0081061f 69 6e 67 20 53 65 72 76 69 63 65 30 82 01 22 30 ing.Service0.."0
0x0081062f 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 ...*.H..........
0x0081063f 01 0f 00 30 82 01 0a 02 82 01 01 00 c0 7a 61 87 ...0.........za.
0x0081064f eb b2 a7 03 63 1b 2b 1a 61 de 80 b7 15 1d a0 8b ....c.+.a.......
0x0081065f 90 3d bb 27 92 84 14 39 eb 85 ce 29 92 06 66 48 .=.'...9...)..fH
0x0081066f a4 03 4f 8d e8 4f a7 f0 af 5e d1 2f 19 c7 91 f1 ..O..O...^./....
0x0081067f b5 9e 7b 91 21 ce e9 ff e3 4e f0 fc af 95 58 b8 ..{.!....N....X.
0x0081068f 63 2d e6 8e f6 29 18 cd 70 8e 50 c3 ed 96 bb 40 c-...)..p.P....@
0x0081069f db be 25 e8 42 55 d6 f6 85 f2 06 e7 8b 99 1c 31 ..%.BU.........1
0x008106af f3 03 0f d4 4c 9c 24 2a dc 1b 1b 8f 82 f3 b0 ef ....L.$*........
0x008106bf a7 4d e3 14 a7 e0 8f d6 c7 68 c2 61 58 a9 72 d4 .M.......h.aX.r.
0x008106cf f8 30 48 4f d9 2f 6f 63 20 d9 89 ca 82 7b c2 4b .0HO./oc.....{.K
You can also restrict the scan to particular processes with -p (--pid, a comma-separated list of PIDs). Here iexplore.exe (PID 796) is scanned for "http:". A plain string like this matches ASCII only; the UTF-16 text visible in the same region (the wide "...curity=Impersonation Dynamic False") would only match with -W/--wide. The hit itself, a URL to a bare IP address on a non-standard port with a numeric query string, is the kind of artifact worth pivoting on:
vol.py -f memory.img yarascan -p 796 -Y "http:"
Rule: r1 Owner: Process iexplore.exe Pid 796
0x001ac058 68 74 74 70 3a 2f 2f 32 31 38 2e 38 35 2e 31 33 http://218.85.13
0x001ac068 33 2e 32 33 3a 38 39 2f 69 6e 64 65 78 2e 61 73 3.23:89/index.as
0x001ac078 70 3f 35 30 33 30 30 30 30 31 30 30 30 30 00 00 p?503000010000..
0x001ac088 0b 00 07 00 16 01 0e 00 50 2b 1a 00 63 00 75 00 ........P+..c.u.
0x001ac098 72 00 69 00 74 00 79 00 3d 00 49 00 6d 00 70 00 r.i.t.y.=.I.m.p.
0x001ac0a8 65 00 72 00 73 00 6f 00 6e 00 61 00 74 00 69 00 e.r.s.o.n.a.t.i.
0x001ac0b8 6f 00 6e 00 20 00 44 00 79 00 6e 00 61 00 6d 00 o.n...D.y.n.a.m.
0x001ac0c8 69 00 63 00 20 00 46 00 61 00 6c 00 73 00 65 00 i.c...F.a.l.s.e.
0x001ac0d8 00 00 00 00 00 00 00 00 05 00 0b 00 1b 01 08 00 ................
0x001ac0e8 00 00 00 00 30 ca 1a 00 40 c9 1a 00 10 c0 1a 00 ....0...@.......
0x001ac0f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x001ac108 05 00 05 00 26 01 08 00 00 00 00 00 f8 cd 1a 00 ....&...........
0x001ac118 18 fb 1a 00 40 c1 1a 00 00 00 00 00 00 00 00 00 ....@...........
0x001ac128 00 00 00 00 00 00 00 00 05 00 05 00 21 01 08 00 ............!...
0x001ac138 00 00 00 00 84 ce 1a 00 18 c1 1a 00 38 c0 1a 00 ............8...
0x001ac148 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
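Scans like the three above produce a lot of hexdump text, and the interesting part (which process, how many hits, what string actually sat at the match address) has to be dug out by hand. The script below is an added example written for this diary, not part of Volatility: it parses yarascan output in the exact layout shown above, rebuilds the matched bytes from the hex column, counts hits per rule and process, and recovers both ASCII and UTF-16LE strings from the matched region (so the wide text an ASCII-only -Y pattern cannot match is still visible). The sample text is a constructed, shortened copy of the iexplore.exe and csrss.exe hits above; treating a non-process Owner line (a kernel hit) as image text with no PID is an assumption of this script.

```python
"""Parse Volatility 2 yarascan output into records and recover matched bytes.

Added example for this diary; not part of Volatility. Assumes the text layout
shown in the diary: a header line
    Rule: <name> Owner: Process <image> Pid <pid>
followed by hexdump rows
    0x<address> <up to 16 hex bytes> <ascii column>
Owner fields that are not "Process ... Pid ..." (kernel hits) are kept verbatim
as the image name with pid None; that fallback is an assumption, not
documented Volatility behaviour.
"""
import re
from collections import Counter

HEADER_RE = re.compile(r"^Rule:\s+(?P<rule>\S+)\s+Owner:\s+(?P<owner>.+?)\s*$")
PROCESS_RE = re.compile(r"^Process\s+(?P<image>\S+)\s+Pid\s+(?P<pid>\d+)$")
HEXBYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")

# Constructed sample: shortened copies of two hits shown in the diary.
SAMPLE = """\
Rule: r1 Owner: Process iexplore.exe Pid 796
0x001ac058 68 74 74 70 3a 2f 2f 32 31 38 2e 38 35 2e 31 33 http://218.85.13
0x001ac068 33 2e 32 33 3a 38 39 2f 69 6e 64 65 78 2e 61 73 3.23:89/index.as
0x001ac078 70 3f 35 30 33 30 30 30 30 31 30 30 30 30 00 00 p?503000010000..
0x001ac088 0b 00 07 00 16 01 0e 00 50 2b 1a 00 63 00 75 00 ........P+..c.u.
0x001ac098 72 00 69 00 74 00 79 00 3d 00 49 00 6d 00 70 00 r.i.t.y.=.I.m.p.
0x001ac0a8 65 00 72 00 73 00 6f 00 6e 00 61 00 74 00 69 00 e.r.s.o.n.a.t.i.
0x001ac0b8 6f 00 6e 00 20 00 44 00 79 00 6e 00 61 00 6d 00 o.n...D.y.n.a.m.
0x001ac0c8 69 00 63 00 20 00 46 00 61 00 6c 00 73 00 65 00 i.c...F.a.l.s.e.
0x001ac0d8 00 00 00 00 00 00 00 00 05 00 0b 00 1b 01 08 00 ................
Rule: r1 Owner: Process csrss.exe Pid 636
0x008105df 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69 https://www.veri
0x008105ef 73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29 sign.com/rpa.(c)
0x008105ff 30 31 31 27 30 25 06 03 55 04 03 13 1e 56 65 72 011'0%..U....Ver
"""


def parse_yarascan(text):
    """Return one dict per hit: rule, image, pid, addr (first row address) and
    data (bytes rebuilt from the hex column, rows concatenated in order)."""
    hits = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            owner = m.group("owner")
            current = {"rule": m.group("rule"), "image": owner, "pid": None,
                       "addr": None, "data": bytearray()}
            pm = PROCESS_RE.match(owner)
            if pm:
                current["image"] = pm.group("image")
                current["pid"] = int(pm.group("pid"))
            hits.append(current)
            continue
        tokens = line.split()
        if current is None or len(tokens) < 2 or not tokens[0].startswith("0x"):
            continue
        # The hex column ends at the first token that is not exactly two hex
        # digits (the start of the ASCII column) and never exceeds 16 bytes.
        row = []
        for tok in tokens[1:17]:
            if not HEXBYTE_RE.match(tok):
                break
            row.append(int(tok, 16))
        if current["addr"] is None:
            current["addr"] = int(tokens[0], 16)
        current["data"] += bytes(row)
    for hit in hits:
        hit["data"] = bytes(hit["data"])
    return hits


def strings_in(data, min_len=4):
    """Recover printable ASCII and UTF-16LE (wide) strings from matched bytes.
    An ASCII pattern such as -Y "http:" cannot fire on the wide form; that is
    what yarascan's -W/--wide option is for."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("wide", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return found


def summarize(hits):
    """Count hits per (rule, image, pid) so a noisy scan can be triaged at a glance."""
    return Counter((h["rule"], h["image"], h["pid"]) for h in hits)


if __name__ == "__main__":
    hits = parse_yarascan(SAMPLE)
    for (rule, image, pid), n in summarize(hits).items():
        print(f"{rule:20} {image:16} {str(pid):6} {n} hit(s)")
    for h in hits:
        print(f"\n{h['image']} pid {h['pid']} @ {h['addr']:#010x} ({len(h['data'])} bytes)")
        for kind, s in strings_in(h["data"]):
            print(f"  [{kind}] {s}")
```

On real output, pipe the plugin straight in (`vol.py -f memory.img yarascan -Y "http:" | python3 parse_yarascan.py`, reading stdin instead of SAMPLE); because the bytes are rebuilt from the hex column rather than the ASCII column, spaces and non-printables come through intact, and a recovered URL can be fed back into a proper rule file for a second, targeted pass.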
Comments
Like this?
vol.py -f memory.img yarascan --yara-file=stuxnet.yar,edd.yar,worm.yar
On the other hand, do you have experience running YARA rules through Volatility using an index_rules.yar?
vol.py -f memory.img yarascan --yara-file=index_rules.yar
Where the content of the file index_rules.yar would be:
/*
Generated by Yara-Rules
On 23-10-2017
*/
include "./malware/APT_APT1.yar"
include "./malware/APT_APT10.yar"
include "./malware/APT_APT17.yar"
include "./malware/APT_APT29_Grizzly_Steppe.yar"
include "./malware/APT_APT3102.yar"
include "./malware/APT_APT9002.yar"
include "./malware/APT_Backspace.yar"
include "./malware/APT_Bestia.yar"
Thanks a lot for your time and support.
Regards
Anonymous
Oct 23rd 2017