Using the different kinds of strings in Yara rules

Euler Neto
3 min read · Jul 26, 2023

If you are into cybersecurity and are passionate about areas like Malware Analysis or Detection Engineering, you probably know about Yara Rules; if not, you can read the documentation.

Those who have already seen a Yara rule might have noticed that almost always they contain only regular text strings, extracted from the artifact in order to detect it. In this post I will talk about how to use other kinds of strings to write a rule.

One of the types is hexadecimal strings. To illustrate it, recall the Cerber analysis that I wrote, which showed that the binary has the following subroutines: two of them static, one allocated in memory and another one loaded during execution.

While debugging we can find the moment that the subroutine in memory is allocated and its address is returned in EDX.

If we use these instructions as a condition in a Yara rule and submit it to Hybrid Analysis, we can, surprisingly, find different samples related to Cerber. This is a good example of the power of Yara Rules beyond hashes.

Another good example of the use of hexadecimal strings in Yara Rules was posted on the SANS ISC Diaries. That example detects a suspicious API call/parameter in VirtualAlloc().

If we take a look at the VirtualAlloc documentation, the fourth parameter is flProtect, which specifies the memory protection of the region to be allocated. So, if memory is allocated with the constant PAGE_EXECUTE_READWRITE, the code placed there will have permission to be executed, which is likely what happens when a shellcode is loaded.

That being said, the post shows the disassembly of the .text section with an example of VirtualAlloc being called with its four parameters, and the Yara rule with which we can detect it.

Another type is Base64 strings. If you know them, you are probably thinking that this is not a good way to detect something, since a small modification to the input changes the output. But Yara Rules don't simply compare against a single encoded output.

To understand this better, the documentation gives the following example.

It explains too that this rule will search for these three permutations:

  • VGhpcyBwcm9ncmFtIGNhbm5vd
  • RoaXMgcHJvZ3JhbSBjYW5ub3
  • UaGlzIHByb2dyYW0gY2Fubm90

So, how does it work? Let's see what happens to this string if we add whitespace before and after it.

And this is why these three permutations are checked when a Base64 string is used.
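As an added example (not code from this post or from the YARA project), the Python below reconstructs how the `base64` modifier derives those three fragments: for each possible byte alignment (0, 1 or 2) it encodes the string and keeps only the Base64 characters that are fully determined by the string's own bytes. The rule quoted in the comment is the one from the YARA documentation; the sample blob at the bottom is constructed here.

```python
import base64

# The documentation example this post refers to:
#   rule Base64Example1 {
#       strings:
#           $a = "This program cannot" base64
#       condition:
#           $a
#   }

def base64_permutations(s: bytes) -> list[str]:
    """Return the three fragments the `base64` modifier searches for, one per
    byte offset (0, 1, 2) of the plaintext inside the encoded stream."""
    perms = []
    n = len(s)
    for p in range(3):
        # Prepend p filler bytes; their value is irrelevant because the
        # characters they influence are stripped below.
        encoded = base64.b64encode(b"\x00" * p + s).decode("ascii").rstrip("=")
        # Base64 char i encodes bits [6i, 6i+6); the plaintext occupies
        # bits [8p, 8p+8n). Keep only chars that lie entirely inside it.
        start = -(-8 * p // 6)          # ceil(8p / 6)
        end = (8 * p + 8 * n) // 6      # floor((8p + 8n) / 6)
        perms.append(encoded[start:end])
    return perms


def base64_match(haystack: bytes, needle: bytes) -> bool:
    """Emulate the modifier: does `haystack` contain the Base64 encoding of
    `needle` at any of the three alignments?"""
    return any(perm.encode("ascii") in haystack
               for perm in base64_permutations(needle))


if __name__ == "__main__":
    for perm in base64_permutations(b"This program cannot"):
        print(perm)
    # Constructed sample: the plaintext sits at byte offset 2 inside a larger
    # blob, so only the third permutation appears in the encoded output.
    sample = base64.b64encode(b"!!This program cannot be run in DOS mode")
    print(base64_match(sample, b"This program cannot"))
```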

That’s it for now!
