
THREAT HUNTING (CREATING YARA RULES)

META:
Author = "Group No. 03 | MBA - ITBM (2020 - 22)"
Date = "08-02-2022"
Submitted to = "Shyam Sundar Ramaswami Sir"
Version = "Assignment 02"
Subject = "Cyber Intelligence"
< YARA Threat Hunting >

KEYWORDS IDENTIFIED IN MALSPAMS AND PHISHING MAILS

Attention required, Orders shipped, Customer
Verification, Shopper, Participating
New payment, Additional income, Program
Scanned, Earn per week, Withdrawn
Fax, Home employment, Lifetime-free
Doc-delivery, Best price, Breaking
Fax transmission, Credit bureaus, News
Sales, Mortgage, Click
Project, Payback, Harvest
Files, US dollars, Internet
Request, Cards accepted, Marketing
Quote, Thank, Not spam
Love shopping, Contacting, Subscribe
Payment to, Contact us, Undisclosed
Received, Flexible, Insurance
Added, Reward, Pharmacy
Account, Plans on, 100%
Confirm, Credit cards, Billion dollars
Expiration, Lakh, Gimmick
Payout, Transferred, Unsolicited
Extended scholarship, Holders', Important
Deadline is today, Check, Check attachment
Urgent, List, Open attachment
Efax, Withdraw, Attention
Vmail, PF, Act now
Missing, Advance, Action
Telephone, Detail, Apply now
Buy, Inside, Apply online
Buying judgments, Dear, Buy direct
Call, Click now, Join millions
Call now, Direct email, Save big
Clearance, Order now, Offer
Click here, Order today, Winner
Do it today, Congratulations, Win now
Don't delete, You won, You've been selected
Drastically reduced, Attachment, Double your income
Exclusive deal, Document, Earn cash
Expire, Click below, Earn extra
Get, Visit website, Eliminate debt
Get it now, Payment, Extra
Get started now, Pending payment, Fantastic deal
Important information, Payment pending, Free money
Instant, Payment not cleared, Free investment
Limited time, Pay now, Get paid
New customers only, Get offer, Income
Now only, Card accepted, Increase sales
Offer expires, Congratulations, Lose weight
Once in a lifetime, Credit card offers, Money back
Please read, Easy terms, No fees
Special promotion, Free, No hidden costs
Take action, Discount available, Life insurance
This won't last, Free membership, Loan
While stocks last, Giving away, Won lottery


ABOUT YARA
YARA is a free and open-source tool that aids malware researchers in identifying and
classifying malware samples, among other things. We can use YARA to construct
descriptions of malware families (or any other thing that is needed to be described)
based on textual or binary patterns. Each rule, or description, is made up of a set of
strings and a Boolean expression that determines the logic of the rule.
YARA rules are written to detect malware that exhibits a specific pattern or set of
indicators. Once a rule has been developed, it can be run against any number of files
to flag the behaviour it describes. YARA rules are also used in Incident Response
and Forensics to find artifacts that match a known pattern.
Binary strings with wildcards, case-insensitive text strings, special operators, regular
expressions, and a variety of other features can all be used to develop complex and
powerful rules using YARA.
YARA is a multi-platform tool that works on Windows, Linux, and Mac OS X.
Each YARA rule is made up of the following components:

- Rule <name> – The name of the rule.
- Meta – Descriptive information about the rule, such as the date it was written, who
the author was, and so on.
- Strings – The actual strings that we want to search for. Strings in YARA can be
hexadecimal strings, text strings, or regular expressions. Text strings and regular
expressions are used to define parts of legible text, while hexadecimal strings are
used to define raw sequences of bytes. Text strings and regular expressions can,
however, also represent raw bytes via escape sequences.
- Condition – The entire logic of the rule. Conditions are simply Boolean
expressions, such as those found in all programming languages. They can include
Boolean operators like and, or, and not, as well as relational operators like >=,
<=, <, >, ==, and !=. On numerical expressions, the arithmetic operators (+, -,
*, /, %) and bitwise operators (&, |, <<, >>, ~, ^) can also be used. String
identifiers can also be used as Boolean variables within a condition; their
value is true if the related string is present in the file and false otherwise.
One important point to keep in mind while writing YARA rules is that if the YARA
rule is too generic, it may result in false positives, and if the rule is too specific, it
may not identify all the malicious practices. Therefore, it is critical to fine-tune the
rule and balance the pattern.
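The following rule is an added illustration of the components just described; it is not one of the assignment's rules. It shows a hexadecimal string with wildcards and a jump, a text string with modifiers, a regular expression, and a condition that combines them with Boolean, relational and count operators. All identifiers and the lure text are invented for the example.

```yara
rule Example_Rule_Components
{
    meta:
        author      = "added example"
        description = "Shows the meta, strings and condition sections of a YARA rule"
        date        = "2022-02-08"

    strings:
        // Hex string: the ZIP local-file-header signature, a 2-byte jump over
        // the version field, two single-byte wildcards for the flags field,
        // then compression method 8 (deflate)
        $zip_deflate = { 50 4B 03 04 [2] ?? ?? 08 00 }

        // Text string, matched case-insensitively both as ASCII and as
        // UTF-16LE (wide)
        $lure = "open the attached invoice" ascii wide nocase

        // Regular expression for an HTML mail body header
        $html = /content-type:\s{0,5}text\/html/ ascii wide nocase

    condition:
        // Relational operator on the file size, then Boolean operators and a
        // string count (#lure is the number of occurrences of $lure)
        filesize < 5MB and
        (
            $zip_deflate at 0          // the scanned file itself is a deflate-compressed ZIP
            or (#lure >= 2 and $html)  // or an HTML mail repeating the lure phrase
        )
}
```

The count threshold (#lure >= 2) and the extra $html requirement are the kind of tuning the paragraph above refers to: a single occurrence of a common phrase would be too generic, while requiring the exact ZIP header at offset 0 alone would miss mails where the archive is base64-encoded inside the message.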


YARA RULE #1
[ EMAIL ]
GuLoader Malspam for Remcos RAT.

Figure 1: GuLoader Malspam for Remcos RAT

[ TYPE OF EMAIL ]

Fake package delivery malspam.

[ MOTIVATION BEHIND CREATING THE YARA RULE ]

Save organizations/people from falling prey to disguised mails.

[ WHAT PURPOSE IS IT SOLVING? ]

The rule identifies the keywords typical of fake package delivery mails and supports
threat hunting by proactively checking for such malicious mails and blocking them.

[ EXPLANATION OF THE RULE ]

/* The rule contains three sections – meta, strings and condition.


We have defined the list of keywords that we want to search for in an email in the
strings section. The keywords list is not exhaustive, but we have tried to cover the
basic keywords usually seen in such emails. We have also defined exceptions, including
the domains of legitimate delivery services like FedEx, Delhivery, etc., which we do
not intend to block. We have specifically included a subject variable to identify
malicious package delivery mails from the subject line, as the subjects of such mails
are common and include recurring keywords.
As the mail also includes a downloadable file or attachment, we have written the rule
to catch such files by including a file pattern variable that identifies .xlsx, .docx,
.pdf, .zip, and other file types.
Our rule also includes a condition that checks every mail and triggers a match on any
combination of the specified keywords and file patterns, as long as the mail does not
contain one of the stated exceptions. This helps us block malicious-looking emails
without blocking emails from legitimate domains. */
{ YARA RULE }

rule Rule_GuLoader
{
    meta:
        author      = "Group 03"
        created     = "06-02-2022"
        description = "YARA Rule for Malspams Related to Courier and Shipping Services"

    strings:
        // HTML body: Content-Type header or a content-type= attribute
        $content_type = /content\-type(\:|\=)\s{0,5}text\/html/ ascii wide nocase

        // Subject line built from the recurring courier/shipping phrases, with an
        // optional Re:/Fwd: prefix
        $subject = /(subject)\s{0,3}(\:|\=)\s{0,5}(re|fwd)?(\:)?\s{0,5}(shipment\sid|invoice\sid|id|order\sinformation|shipment|failed\sdelivery|status\sid|package|shipping|packet|notification|confirmation|billing\sid|information|receipt|tracking\sid|pending\sdelivery|pending\sshipment|urgent|attention|important|purchase\sorder)[\s\-\_]{0,9}[a-z0-9\s]{0,20}/ ascii wide nocase

        // Quoted attachment name (filename="..." / name='...') ending in an Office,
        // PDF or ZIP extension; "0" for "o" variants are included on purpose
        $file_pattern = /(file|attachment)?\s{0,3}name\s{0,7}(\:|\=)\s{0,7}(\'|\")\s{0,3}(invoice|inv0ice|packing|list|bill|packet|paket|untitled\sdocument|untitled\sd0cument|documents|d0cuments|document|d0cument|express\snotification|express\sn0tification|notification)?\s{0,7}[a-z0-9\s\&\-\_]{0,20}\s{0,6}\.(xlsx|xlsm|xls|docx|docm|doc|pdf|zip)\s{0,6}(\'|\")/ ascii wide nocase

        // Lure keywords seen in the body of courier-themed malspam
        $keywords = /(dear\scustomer|good\smorning|good\safternoon|good\sevening|hello\sdear|dear\steam|shipped|ready|package|delivery|pickup|shipment|tracking\snumber|tracking\sno\.|receipt|settlement|undelivered|un\-delivered|returned|return|arrival|courier|parcel|failed\sdelivery|failed\sshipment|pending\sshipment|important\sshipment|expire|unfortunately|sorry|reference|packet|urgent\saction|required\saction|postal|failed\sattempt|attempt|complete\spayment|please\sverify|please\sdownload|download|address|shipping\saddress|error|mistake|reach|attached|attachment|please\sopen|list|packing|packing\slist|wrong\sshipping|wrong|delivery\sfailure|bill|expected\sdelivery|shipping\sfees|tracking\scode|confirmation|shipping\sdocuments|delivery\sstatus|click\shere|scheduled\sdelivery|held\spackage|held|not\spicked|reminder|urgent|open\sdocument|open\sattachment|reschedule|additional\scost|not\sdelivered|stopped\sdelivery|re\-delivery|re\-deliver|confirm\sdetails|current\sstatus|check\snow|claim\sownership)/ ascii wide nocase

        // Sender domains of legitimate carriers. Note: the alternation must not end
        // in an empty alternative ("...|)"), because an empty alternative matches
        // at every offset and would make "not $exceptions" always false.
        $exceptions = /(\@fedex\.com|\@dtdc\.com|\@bluedart\.com|\@delhivery\.com|\@dhl\.com|\@gati\.com|\@adani\.com|\@safeexpress\.com|\@ecomexpress\.in|\@indiapost\.gov\.in|\@firstflight\.net|\@gojavas\.com|\@shiprocket\.com)/ ascii wide nocase

    condition:
        // "and" binds tighter than "or" in YARA, so the grouping is written out
        // explicitly; otherwise the exception list would only apply to the
        // $content_type branch
        (($subject and $file_pattern and $keywords) or $content_type)
        and not $exceptions
}

Figure 2: YARA rule for blocking malspams related to Courier and Shipping Services
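As a companion to the rule above, the following added example (not part of the assignment) shows the same idea written so that the rule's sensitivity can be tuned: each lure keyword is a separate string and the condition requires several distinct ones to occur together with a risky attachment name, while a small allow-list of carrier domains is checked with "any of". The keywords come from the table at the start of this document and the carrier domains from the rule above; the string identifiers and the threshold of 3 are the example's own choices.

```yara
rule Courier_Malspam_Keyword_Threshold
{
    meta:
        author      = "added example"
        description = "Courier-themed malspam: several lure keywords plus a risky attachment, exempting known carrier domains"
        date        = "2022-02-08"

    strings:
        // One string per keyword so the condition can count distinct hits
        $kw_urgent   = "urgent" ascii wide nocase
        $kw_action   = "action required" ascii wide nocase
        $kw_open     = "open attachment" ascii wide nocase
        $kw_failed   = "failed delivery" ascii wide nocase
        $kw_tracking = "tracking number" ascii wide nocase
        $kw_held     = "held package" ascii wide nocase
        $kw_fees     = "shipping fees" ascii wide nocase
        $kw_confirm  = "confirm details" ascii wide nocase

        // Attachment name with an Office, PDF or ZIP extension
        $attach = /name\s{0,7}(:|=)\s{0,7}("|')?[a-z0-9 _\-&]{1,40}\.(xlsx|xlsm|docx|docm|pdf|zip)/ ascii wide nocase

        // Sender domains of legitimate carriers (subset of the list in the rule above)
        $ok_fedex     = "@fedex.com" ascii wide nocase
        $ok_dhl       = "@dhl.com" ascii wide nocase
        $ok_bluedart  = "@bluedart.com" ascii wide nocase
        $ok_delhivery = "@delhivery.com" ascii wide nocase

    condition:
        // Explicit parentheses: in YARA "and" binds tighter than "or"
        ($attach and 3 of ($kw_*))
        and not any of ($ok_*)
}
```

Two practical caveats when running either rule over raw .eml files: a base64-encoded HTML or text part does not expose these keywords to a byte-level scan, so the MIME parts should be decoded before scanning; and a carrier domain appearing anywhere in the message is not proof of origin, so the allow-list should be paired with the gateway's SPF/DKIM results rather than trusted on its own.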


[ ARTIFACTS ]
The following results were achieved on running the YARA rule on the above mail.

Figure 3: Results obtained on running the YARA rule on GuLoader malspam

YARA RULE #2
[ EMAIL ]
2.0_pdfiso.eml

Figure 4: 2.0_pdfiso.eml Email


[ TYPE OF EMAIL ]

Redirected mail for internal investigation of malware.

[ MOTIVATION BEHIND CREATING THE YARA RULE ]

The attached email and its attachment(s) have not been delivered to the intended
recipient(s); if opened, the attachment might infect the computer with malware.
Because of this, it was important to create a YARA rule that detects the mail as
potential malware if it is sent to any recipient.

[ WHAT PURPOSE IS IT SOLVING? ]

The rule identifies the keywords of a Spanish-language malspam, making the threat
hunting process more efficient at blocking suspicious spam mails.

[ EXPLANATION OF THE RULE ]

/* The rule contains three sections – meta, strings and condition.


Meta consists of the general information about the YARA rule. Under the strings
section we have defined all the keywords that we are looking for. Since the mail is in
Spanish, we have tried to cover the basic keywords used in that language for carrying
out the malicious activity. A subject variable is included in the rule to identify the
malicious mail, as the subjects of such mails are common and, in this case, follow a
similar numeric pattern.
The mail also contains an attachment whose name is similar to the subject. The file is
in PDF format, but we have also included .xls, .xlm, .xlsm, and .xlsx type files. The
sender of the email is dialogo@bsqsolar.com. On investigating the domain name of the
mail ID on VirusTotal, we found it reported as clean, so we were unable to decide on
any exceptions for the stated rule. The condition section requires all of the defined
strings to match. */

{ YARA RULE }

rule Detect_Hala_Madrid
{
    meta:
        author      = "Group 03"
        date        = "07-02-2022"
        description = "To detect the forwarded mail of a potential malware"

    strings:
        // Plain-text body
        $content_type = /content\-type(\:|\=)\s{0,5}text\/plain/ ascii wide nocase

        // Subject made of a 4-6 digit number, an underscore and up to 5 more digits
        $Subject = /(subject)(\:)\s{0,3}[0-9]{4,6}\_[0-9]{0,5}/ ascii wide nocase

        // Attachment name following the same numeric pattern, with a document
        // extension followed by a disk-image extension (e.g. .pdf.iso)
        $file_pattern = /(file|attachment)name\=[0-9]{4,6}(\s|\-|\_){0,3}[0-9]{0,5}(\.)(pdf|xls|xlsx|xlsm|doc|docx)(\.)(iso|dmg|t64)/ ascii wide nocase

        // Spanish lure words; accented characters are matched as their UTF-8 bytes.
        // Very short words such as "Por" and "Caro" are broad and will be the main
        // source of false positives if this string is used on its own.
        $keywords = /(Aquí|tienes|Querido|estimado|Amado|Caro|Por|Amable|Buenos\sdias|favor|firme|devuelva|regreso|reconocer|adjunto|archivo|Gracias|Saludos|Atentamente)/ ascii wide nocase

    condition:
        $content_type and $Subject and $file_pattern and $keywords
}

Figure 5: YARA rule for blocking malspams in Spanish


[ ARTIFACTS ]
The following results were achieved on running the YARA rule on the above mail.

Figure 6: Results obtained on running the YARA rule on Spanish malspams


YARA RULE #3
[ EMAIL ]
Malicious email with random from address.

Figure 7: Malicious email with random from address

[ TYPE OF EMAIL ]

Order inquiry.

[ MOTIVATION BEHIND CREATING THE YARA RULE ]

Prevent people from downloading malware into their system.

[ WHAT PURPOSE IS IT SOLVING? ]

The rule will block suspicious order-related emails containing the malware as
downloadable files.

[ EXPLANATION OF THE RULE ]

/* The rule includes three sections – meta, strings, and condition.


Primarily we have picked the subject, which contains fake order content, and
identified the keywords that could be part of such an email's subject. The mail has no
body at all, which itself makes it suspicious, and therefore we could not add any
keywords for the body.
The mail contains a downloadable .rar file with a suspicious name; hence we have
identified such file types for YARA to detect. */


{ YARA RULE }

rule Malicious_Rule
{
    meta:
        Author      = "Group 03"
        Date        = "08-02-2022"
        Description = "To detect the malware in the attachments found in the mail"

    strings:
        // Subject such as "Order inquiry" / "Re: shipment status". The separator
        // after the optional Re/Fwd prefix is optional, otherwise a subject
        // without a prefix ("Subject: Order inquiry") would never match.
        $subject = /(subject)\s{0,5}(\:|\-|\=)\s{0,5}(re|fwd)?\s{0,5}(\:|\-|\=)?(Order|shipment|product|delivery)\s{0,5}(inquiry|status|enquiry|update|query|question|inquest)\s{0,5}/ ascii wide nocase

        // Quoted attachment name with the same order-inquiry wording (including the
        // "0rder" spelling seen in the sample) and an archive/document extension
        $filename = /(attachment|filename|name)\s{0,5}(\=|\-|\:)?\s{0,5}(\'|\")\s{0,5}(0rder|shipment|product|delivery)\s{0,5}(inquiry|status|enquiry|update|query|question|inquest)\s{0,5}\.(rar|zip|7z|xls|pdf)\s{0,5}(\=|\-|\:)?\s{0,5}(\'|\")/ ascii wide nocase

        // HTML body
        $contenttype = /content\-type(\:|\=)\s{0,5}text\/html/ ascii wide nocase

    condition:
        $subject and $filename and $contenttype
}


Figure 8: Yara rule for blocking suspicious order-related malware emails

[ ARTIFACTS ]
The following results were achieved on running the YARA rule on the above mail.

Figure 9: Results obtained on running the YARA rule on order-related emails
