More on Yara And Building Rules

I’ve been learning how to build and modify yara rules lately but my biggest pain was getting the formattting correct.

In a recent Twitter thread Here James @James_inthe_box  posted where asyncrat was using pastebin  to host their encoded rat.

My repository is now getting large enough with similar samples I will need more than just my simple single string search utility to search with.

I also need a way to standardize how I write the rules.

While we were all going though the sample on Twitter  Nadav Lorber @LNadav  from Morphisec had released a blog post Here that started with the vbs dropper that led to the pastebin links.

I just finished downloading all of the vbs hashes that I could find on either “ANY.RUN @anyrun_app” or “Hybrid Analysis @HybridAnalysis” . I don’t have access to download from VirusTotal.

All of the files I could not find in the other two locations were located on VirusTotal.

There appears to have been 51 hashes to search for. The last 7 that I found wrote to a bat file for the next stage instead of PowerShell.

Of the remaining ones I found they used various forms of obfuscation from xor’ing with a long “random” string to various layouts of chr(number) . They would be mixed case and even Chrw() for wide char/ Unicode even though the decimal values were in ascii decimal range.

Let take a look at one and se what we are going to run into.

Code-1

Here we have a get object which turns out to be the class ID of Shell.

Also in this screenshot we have a large number of “cHR(“ values with math functions.

The math function could change drastically so we can not count on those.

At the bottom we have a few possible things we can use for a rule.

Code-2 

For this sample I’m going to go with with group of strings

13709620-C279-11CE-A49E-444553540000
WScript.Sleep
&cHR(

I’m choosing the CLSID because it is distinctive , the sleep as an extra values but the  “&cHR(“ in multiples will tell me they are trying to hide something.

So lets take a look at the Yara Builder.

Builder_1

As you can see here it is just a simple fill in the bank and click a button.

So lets fill in the blanks and see what we get.

Builder_2

You may notice and extra empty $s3 = “” in there too.

With the exception of the strings section all of the text boxes take the input string just input those values in the formatted output. If you leave a box empty it will put an empty string in like the s value.

For the strings it will stake each sting in the line using ‘CRLF” for the new line and split them then number the string and then out put to the formatted strings section.

And just in case everyone was wondering what that large group of char codes decode to we have this.

Code-3

More Char codes and powerShell, go figure.

So our yara output now looks like this.

Yara_1

Now that is a decent start to get our formatting but what can we do to improve it with the limited amount of usable code available.

Yara_2

On a test on Hybrid Analysis this version throws an error. Can you see it ?

I left a space between “with” and “CLSID” so now we know HA don’t like spaces in the rule name either.

The space has been fixed in the final version.

And what does it return ?

HA-1

Two of the files already on our target list.

After looking at several of the other files downloaded we see the Char( space differently. I’m not sure if there is an easier way yet to do this so we have the 4 different versions.

If we wanted to catch the ChrW versions we would also need to add that to out rule.

A few things that kept messing with me was when I tried to put a dash in the rule name. Yara does not like that but underscores is ok.

Another thing is the lower case section names and the keywords.

Every time I mistakenly uppercased them then it would throw an error.

That is is for this one.

I hope it is helpful to someone.

Links:

Link to Twittter thread

Link to the blog post

Link to my GitHub with the tool.

Article Link: More on Yara And Building Rules | PC's Xcetra Support