As attacks become more fileless and malware gets more obfuscated, it is getting more difficult to determine whether there is a malicious intent from a file by itself. For this reason, malware detection methods that utilize sandboxes and AI, as well as technologies that detect suspicious behavior after malware infection, such as EDR, have now become common. Even so, malware that antivirus software cannot detect is often found during actual incident responses. When such unknown malware is found, an exhaustive analysis to find the same type of malware, which may be hiding in the network, is required. However, since it cannot be detected by antivirus software, every device needs to be analyzed manually one by one.
To solve such problem, JPCERT/CC has created and released a tool called YAMA for the purpose of supporting malware detection. YAMA can perform memory scanning using YARA rules created by itself, and thus the tool is effective against obfuscated malware and fileless attacks. YAMA is available in the following GitHub repository. Please feel free to use it.
GitHub JPCERTCC/YAMA: https://github.com/JPCERTCC/YAMA
The following section of this article introduces the concept of YAMA and explains how to use it.
Concept
YAMA has the following features:
- It performs YARA scans on the memory of a running Windows machine
- Custom YARA rules can be created to tailor malware detection to each user's needs
- No tool installation is required (Event Message File needs to be installed at execution to export logs to Event Log)
- Detection results can be exported in text/JSON format
Scanning for files with YARA rules or scanning individual processes is possible with the current YARA. However, analyzing the entire live memory to find unknown malware is not possible with the current tools. YAMA makes it possible to analyze the entire live memory, which is effective against obfuscated malware and fileless attacks. In addition, since no installation is required to use the tool, deploying the tool on multiple machines for analysis is easy.
How to use
Below is the instruction on how to use YAMA. For more information, please read the Wiki.
https://github.com/JPCERTCC/YAMA/wiki
Creating custom YAMA scanner
First, you need to create the custom YAMA scanner including a custom YARA rule. It is easy because all the work is completed on GitHub. The GitHub repository of YAMA contains GitHub Actions that compile YAMA scanner. Therefore, you can create your own YAMA scanner by simply committing your custom YARA rules to your own repository after you fork or clone the repository of YAMA. The following is the steps to create an custom YAMA scanner.
Step 1. Fork GitHub's YAMA repository
Step 2. Allow GitHub Actions to run
Step 3. Customize YARA rules of the following file and commit it
rsrc/ioc/rule.yara
Step 4. Download the built YAMA scanner
For more information, please watch the below video.
Malware detection using YAMA scanner
Once you have downloaded the YAMA scanner, you are ready to perform the actualanalysis. Since the YAMA scanner is a single binary, you can easily use your YAMA scanner by simply copying it onto the machine to analyze. Below are the options that can be specified when running YAMA scanner.
Yet Another Memory Analyzer for malware detection. Usage: yama.exe [-h] [--version] [--pid VAR] [--all] [--output VAR] [--json] [--evtx] [--uninstall] [--suppress] [--quiet] Optional arguments: -h, --help shows help message and exits -V, --version prints version information and exits -p, --pid PID to scan (required if not using --all) -a, --all Scan all processes (required if not using --pid) -o, --output Specify output directory [default: "./"] -j, --json Export json report to the output directory -e, --evtx Install YAMA EventLog manifest. -u, --uninstall Uninstall YAMA EventLog manifest. (only do uninstall operaiton) -s, --suppress Suppress warning logs -q, --quiet Suppress all console outputs -v, --verbose Increase verbosity.(-v: info, -vv: debug, -vvv: trace)
To scan all processes, use the --all option as follows. Note that processes running with the admin privilege cannot be scanned unless the scanner is running with the privilege. To scan all processes, run the YAMA scanner with administrative privileges.
> Yama.exe --all
If you wish to centrally manage the runtime text logs on a file server, you can also specify a file server as the destination for the logs, as shown below. (By default, log files are created in the current directory.)
> Yama.exe --all --output \\fileserver\log_folder
In addition, if you want the log to be recorded in the Event Log, specify the --evtx option. The log will be recorded in the application log. The content of each event ID is as follows. Note that this option installs the Event Message File (%SystemRoot%\System32\Yama.Events.dll), which can be removed with the --uninstall option.
- Event ID 10: YAMA has started.
- Event ID 11: YAMA has stopped.
- Event ID 20: No detection.
- Event ID 40: Malware was detected.
Please watch the below demonstration video for malware detection with YAMA scanner.
In closing
I believe that cleaning malware from a network in the event of a security incident is a never-ending task that all incident responders struggle with, and I hope YAMA will help you with such hard work.
Pull requests and requests for this tool are welcome.
Acknowledgments
We would like to thank Tomoaki Tani for his cooperation in the development of this tool.
Shusei Tomonaga
(Translated by Takumi Nakano)
Article Link: YAMA-Yet Another Memory Analyzer for malware detection - JPCERT/CC Eyes | JPCERT Coordination Center official Blog