I’ve collected some interesting samples for an internal YARA rule creation training session with our interns. With this blog post, I’ll also share 3 new premium feed YARA rules by pushing them to the Open Source signature-base repo.
What are the the preliminary conditions for the rule creation?
- We don’t want to to spend more than 20 minutes for a single rule.
- We use string extraction, hex editors and yarGen
- We also use public resources like Google (yes), malware.one
Requirements:
- You need a Virusbay account to download the samples
So, get ready. We process the following 3 cases.
Turla Agent-BTZ
- Great for yarGen string extraction
- Especially check for variations of strings (in PE header) that are highly specific
- Use google to check strings
PLEAD Downloader
- yarGen will not produce good results in this case
- Try to compare the samples in order to find specific strings that appear in all of them
TYPEFRAME (Hidden Cobra)
- Authors missed some specific strings
Solution
Don’t check the solution before you’ve created your own rules.
Remember, there is no single correct solution to this task. Your rules may be better than mine. If that’s the case, please share them with me ?.
