Using Yara rules with Volatility

Published: 2017-10-20. Last Updated: 2017-10-20 15:07:42 UTC
by Basil Alawi S.Taher (Version: 1)

YARA is a tool designed to help malware researchers identify and classify malware samples. It's been called the pattern-matching Swiss Army knife for security researchers.

Yarascan is a Volatility plugin that scans a memory image for YARA signatures. Yarascan can be used with a rule file, or you can define what you are looking for on the fly. In this diary I am not going to discuss how to write YARA rules.

In this example, yarascan will search memory.img for the signatures defined in the stuxnet.yar file:

vol.py -f memory.img yarascan --yara-file=stuxnet.yar

 

And here is the output. It shows the name of the rule, the memory address, the process name and the process ID.

Rule: StuxNet_Malware_1
Owner: Process services.exe Pid 668
0x01439071  8b 45 08 35 dd 79 19 ae 33 c9 8b 55 08 89 02 89   .E.5.y..3..U....
0x01439081  4a 04 8b 45 08 c7 40 0c 58 bd 43 01 33 c0 5e c9   J..E..@.X.C.3.^.
0x01439091  c3 55 8b ec 83 ec 2c 83 65 e8 00 83 65 f4 00 83   .U....,.e...e...
0x014390a1  65 e4 00 8b 45 20 8b 4d 14 8d 84 01 98 00 00 00   e...E..M........
0x014390b1  89 45 f0 8d 45 f4 50 8d 45 e8 50 8d 45 d8 50 ff   .E..E.P.E.P.E.P.
0x014390c1  75 f0 ff 75 08 e8 14 fe ff ff 83 c4 14 89 45 fc   u..u..........E.
0x014390d1  83 7d fc 00 74 08 8b 45 fc e9 fd 00 00 00 8b 45   .}..t..E.......E
0x014390e1  e8 89 45 f8 8b 45 e8 05 98 00 00 00 89 45 e8 c7   ..E..E.......E..
0x014390f1  45 e4 98 00 00 00 ff 75 20 ff 75 1c 8b 45 f8 05   E......u..u..E..
0x01439101  84 00 00 00 50 8d 45 e4 50 ff 75 f4 8d 45 e8 50   ....P.E.P.u..E.P
0x01439111  e8 79 fe ff ff 83 c4 18 8b 45 e8 89 45 dc ff 75   .y.......E..E..u
0x01439121  14 ff 75 10 8b 45 f8 05 8c 00 00 00 50 8d 45 e4   ..u..E......P.E.
0x01439131  50 ff 75 f4 8d 45 e8 50 e8 51 fe ff ff 83 c4 18   P.u..E.P.Q......
0x01439141  8b 45 dc 89 45 ec 81 7d 14 00 10 00 00 72 47 8b   .E..E..}.....rG.
0x01439151  45 ec 0f b7 00 3d 4d 5a 00 00 75 3a 8b 45 ec 8b   E....=MZ..u:.E..
0x01439161  40 3c 05 f8 00 00 00 3b 45 14 73 2a 8b 45 ec 8b   @<.....;E.s*.E..

 

And here is another example, where you define a YARA rule on the fly:

vol.py -f memory.img yarascan -Y "https:"

 

And here is the output

Rule: r1
Owner: Process csrss.exe Pid 636
0x008105df  68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69   https://www.veri
0x008105ef  73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29   sign.com/rpa.(c)
0x008105ff  30 31 31 27 30 25 06 03 55 04 03 13 1e 56 65 72   011'0%..U....Ver
0x0081060f  69 53 69 67 6e 20 54 69 6d 65 20 53 74 61 6d 70   iSign.Time.Stamp
0x0081061f  69 6e 67 20 53 65 72 76 69 63 65 30 82 01 22 30   ing.Service0.."0
0x0081062f  0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82   ...*.H..........
0x0081063f  01 0f 00 30 82 01 0a 02 82 01 01 00 c0 7a 61 87   ...0.........za.
0x0081064f  eb b2 a7 03 63 1b 2b 1a 61 de 80 b7 15 1d a0 8b   ....c.+.a.......
0x0081065f  90 3d bb 27 92 84 14 39 eb 85 ce 29 92 06 66 48   .=.'...9...)..fH
0x0081066f  a4 03 4f 8d e8 4f a7 f0 af 5e d1 2f 19 c7 91 f1   ..O..O...^./....
0x0081067f  b5 9e 7b 91 21 ce e9 ff e3 4e f0 fc af 95 58 b8   ..{.!....N....X.
0x0081068f  63 2d e6 8e f6 29 18 cd 70 8e 50 c3 ed 96 bb 40   c-...)..p.P....@
0x0081069f  db be 25 e8 42 55 d6 f6 85 f2 06 e7 8b 99 1c 31   ..%.BU.........1
0x008106af  f3 03 0f d4 4c 9c 24 2a dc 1b 1b 8f 82 f3 b0 ef   ....L.$*........
0x008106bf  a7 4d e3 14 a7 e0 8f d6 c7 68 c2 61 58 a9 72 d4   .M.......h.aX.r.
0x008106cf  f8 30 48 4f d9 2f 6f 63 20 d9 89 ca 82 7b c2 4b   .0HO./oc.....{.K

 

Or you can use the -p option to specify the process that you want to scan for a specific signature:

vol.py -f memory.img yarascan -p 796 -Y "http:"

 

Rule: r1
Owner: Process iexplore.exe Pid 796
0x001ac058  68 74 74 70 3a 2f 2f 32 31 38 2e 38 35 2e 31 33   http://218.85.13
0x001ac068  33 2e 32 33 3a 38 39 2f 69 6e 64 65 78 2e 61 73   3.23:89/index.as
0x001ac078  70 3f 35 30 33 30 30 30 30 31 30 30 30 30 00 00   p?503000010000..
0x001ac088  0b 00 07 00 16 01 0e 00 50 2b 1a 00 63 00 75 00   ........P+..c.u.
0x001ac098  72 00 69 00 74 00 79 00 3d 00 49 00 6d 00 70 00   r.i.t.y.=.I.m.p.
0x001ac0a8  65 00 72 00 73 00 6f 00 6e 00 61 00 74 00 69 00   e.r.s.o.n.a.t.i.
0x001ac0b8  6f 00 6e 00 20 00 44 00 79 00 6e 00 61 00 6d 00   o.n...D.y.n.a.m.
0x001ac0c8  69 00 63 00 20 00 46 00 61 00 6c 00 73 00 65 00   i.c...F.a.l.s.e.
0x001ac0d8  00 00 00 00 00 00 00 00 05 00 0b 00 1b 01 08 00   ................
0x001ac0e8  00 00 00 00 30 ca 1a 00 40 c9 1a 00 10 c0 1a 00   ....0...@.......
0x001ac0f8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x001ac108  05 00 05 00 26 01 08 00 00 00 00 00 f8 cd 1a 00   ....&...........
0x001ac118  18 fb 1a 00 40 c1 1a 00 00 00 00 00 00 00 00 00   ....@...........
0x001ac128  00 00 00 00 00 00 00 00 05 00 05 00 21 01 08 00   ............!...
0x001ac138  00 00 00 00 84 ce 1a 00 18 c1 1a 00 38 c0 1a 00   ............8...
0x001ac148  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
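
A triage helper for the output layout shown above, as an added example (it is not part of the original diary or of Volatility): it parses the Rule / Owner / hex-dump records, reassembles the dumped bytes, and extracts the printable string at the match address so hits can be grouped by process. The function names are hypothetical, and the sample input is trimmed from the output in this diary.

```python
import re
from collections import defaultdict

# Sample input: trimmed from the yarascan output shown in this diary.
SAMPLE = """\
Rule: r1
Owner: Process iexplore.exe Pid 796
0x001ac058  68 74 74 70 3a 2f 2f 32 31 38 2e 38 35 2e 31 33   http://218.85.13
0x001ac068  33 2e 32 33 3a 38 39 2f 69 6e 64 65 78 2e 61 73   3.23:89/index.as
0x001ac078  70 3f 35 30 33 30 30 30 30 31 30 30 30 30 00 00   p?503000010000..
Rule: r1
Owner: Process csrss.exe Pid 636
0x008105df  68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 65 72 69   https://www.veri
0x008105ef  73 69 67 6e 2e 63 6f 6d 2f 72 70 61 20 28 63 29   sign.com/rpa.(c)
"""

OWNER = re.compile(r"^Owner: Process (.+) Pid (\d+)$")
HEXROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2} ){1,16})")

def parse_hits(text):
    """Turn yarascan text output into one dict per hit."""
    hits, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Rule:"):
            cur = {"rule": line[5:].strip(), "process": None, "pid": None,
                   "address": None, "data": bytearray()}
            hits.append(cur)
        elif cur is None:
            continue  # anything printed before the first hit
        elif m := OWNER.match(line):
            cur["process"], cur["pid"] = m.group(1), int(m.group(2))
        elif m := HEXROW.match(line):
            if cur["address"] is None:  # first dump row starts at the match
                cur["address"] = int(m.group(1), 16)
            cur["data"] += bytes.fromhex(m.group(2))
    return hits

def matched_token(data):
    """Printable, non-space ASCII run at the start of the matched region."""
    m = re.match(rb"[\x21-\x7e]+", bytes(data))
    return m.group().decode("ascii") if m else ""

def summarize(text):
    """Group hits by process: {(name, pid): [(rule, address, token), ...]}."""
    out = defaultdict(list)
    for h in parse_hits(text):
        out[(h["process"], h["pid"])].append(
            (h["rule"], h["address"], matched_token(h["data"])))
    return dict(out)
```

Reading the bytes from the hex column rather than the ASCII column matters here: the ASCII column prints a space (0x20) as a dot, so text copied from it can differ from what is actually in memory.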

 

 

 


Comments

How can you run several yara rules at the same time using Volatility?

Like this?

vol.py -f memory.img yarascan --yara-file=stuxnet.yar,edd.yar,worm.yar

On the other hand, do you have experience running yara rules through Volatility using an index_rules.yar?

vol.py -f memory.img yarascan --yara-file=index_rules.yar

Where the content of the file index_rules.yar would be:

/*
Generated by Yara-Rules
On 23-10-2017
*/
include "./malware/APT_APT1.yar"
include "./malware/APT_APT10.yar"
include "./malware/APT_APT17.yar"
include "./malware/APT_APT29_Grizzly_Steppe.yar"
include "./malware/APT_APT3102.yar"
include "./malware/APT_APT9002.yar"
include "./malware/APT_Backspace.yar"
include "./malware/APT_Bestia.yar"

Thanks a lot for your time and support.

Regards
