GroupNo3 CI Assignment2
HUNTING
(CREATING YARA RULES)
META:
Author = "Group No. 03 | MBA - ITBM (2020 - 22)"
Date = "08-02-2022"
Submitted to = "Shyam Sundar Ramaswami Sir"
Version = "Assignment 02"
Subject = "Cyber Intelligence"
< YARA Threat Hunting >
KEYWORDS IDENTIFIED IN
MALSPAMS AND PHISHING MAILS
ABOUT YARA
YARA is a free and open-source tool that helps malware researchers identify and
classify malware samples, among other things. With YARA we can write
descriptions of malware families (or of anything else that needs to be described)
based on textual or binary patterns. Each rule, or description, consists of a set of
strings and a Boolean expression that determines the logic of the rule.
YARA rules are written to detect malware that exhibits a specific pattern or set of
indicators. Once a rule has been developed, it can be run against files to detect
the malicious content it describes. YARA rules are also used in Incident Response
and Forensics to find artifacts that match a pattern.
Binary strings with wildcards, case-insensitive text strings, special operators, regular
expressions, and a variety of other features can all be used to develop complex and
powerful rules using YARA.
YARA is a multi-platform tool that works on Windows, Linux, and Mac OS X.
Each YARA rule is made up of the following components: a meta section (descriptive
fields such as author and date), a strings section (the text, hex, or regular-expression
patterns to look for), and a condition section (the Boolean expression over those
strings that decides whether the rule matches).
YARA RULE #1
[ EMAIL ]
GuLoader Malspam for Remcos RAT.
[ TYPE OF EMAIL ]
The rule identifies the keywords typical of fake delivery-package mails and helps
in threat hunting by proactively checking for malicious mails and blocking them.
As the mail also includes a downloadable file or attachment, we have written the rule
to block such files by including a file-pattern variable that identifies .xlsx, .docx,
.pdf, .zip, and other file types.
Our rule also includes a condition that checks all mails and triggers a match on
any combination of the specified keywords and file patterns that does not include
the stated exceptions. This helps us block malicious-looking emails without
blocking emails from legitimate domains.
{ YARA RULE }
meta:
    author = "Group 03"
strings:
    $content_type = /content\-type(\:|\=)\s{0,5}text\/html/ ascii wide nocase
    $subject = /(subject)\s{0,3}(\:|\=)\s{0,5}(re|fwd)?(\:)?\s{0,5}(shipment\sid|invoice\sid|id|order\sinformation|shipment|failed\sdelivery|status\sid|package|shipping|packet|notification|confirmation|billing\sid|information|receipt|tracking\sid|pending\sdelivery|pending\sshipment|urgent|attention|important|purchase\sorder)[\s\-\_]{0,9}[a-z0-9\s]{0,20}/ ascii wide nocase
    $keywords = /(dear\scustomer|good\smorning|good\safternoon|good\sevening|hello\sdear|dear\steam|shipped|ready|package|delivery|pickup|shipment|tracking\snumber|tracking\sno\.|receipt|settlement|undelivered|un\-delivered|returned|return|arrival|courier|parcel|failed\sdelivery|failed\sshipment|pending\sshipment|important\sshipment|expire|unfortunately|sorry|reference|packet|urgent\saction|required\saction|postal|failed\sattempt|attempt|complete\spayment|please\sverify|please\sdownload|download|address|shipping\saddress|error|mistake|reach|attached|attachment|please\sopen|list|packing|packing\slist|wrong\sshipping|wrong|delivery\sfailure|bill|complete\spayment|expected\sdelivery|shipping\sfees|tracking\scode|confirmation|shipping\sdocuments|delivery\sstatus|click\shere|scheduled\sdelivery|held\spackage|held|not\spicked|reminder|urgent|open\sdocument|open\sattachment|reschedule|additional\scost|not\sdelivered|stopped\sdelivery|re\-delivery|re\-deliver|confirm\sdetails|current\sstatus|check\snow|claim\sownership)/ ascii wide nocase
    // the file-pattern string and the condition described in the text are not legible in the figure
Figure 2: YARA rule for blocking malspams related to Courier and Shipping Services
[ ARTIFACTS ]
The following results were achieved on running the YARA rule on the above mail.
YARA RULE #2
[ EMAIL ]
2.0_pdfiso.eml
[ TYPE OF EMAIL ]
The attached email or its attachment(s) have not been delivered to the intended
recipient(s). If opened, they might infect the computer with malware. Given this, it
was important to create a YARA rule that detects the mail if it is sent to any
recipient.
The rule identifies the keywords of a Spanish-language malspam, making the
threat-hunting process more efficient at blocking suspicious spam mails.
{ YARA RULE }
meta:
    // meta entries are not legible in the figure
strings:
    $content_type = /content\-type(\:|\=)\s{0,5}text\/plain/ ascii wide nocase
    $Subject = /(subject)(\:)\s{0,3}[0-9]{4,6}\_[0-9]{0,5}/ ascii wide nocase
    $file_pattern = /(file|attachment)name\=[0-9]{4,6}(\s|\-|\_){0,3}[0-9]{0,5}(\.)(pdf|xls|xlsx|xlsma|doc|docx)(\.)(iso|dmg|t64)/ ascii wide nocase
    $keywords = /(Aquí|tienes|Querido|estimado|Amado|Caro|Por|Amable|Buenos\sdias|favor|firme|devuelva|regreso|reconocer|adjunto|archivo|Gracias|Saludos|Atentamente)/ ascii wide nocase
condition:
    ($content_type) and ($Subject) and ($file_pattern) and ($keywords)
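To show how the four strings of rule #2 and its "and" condition behave on actual mail content, the following is an added Python example (not part of the assignment's own code) that emulates the rule with the re module over constructed .eml samples. It assumes no YARA installation; the ascii/wide/nocase modifiers are approximated as described in the comments, and the sample mails and addresses are constructed.

```python
import re

# Regex strings from rule #2 above (Spanish courier malspam) as Python patterns.
# YARA "nocase" -> re.IGNORECASE; "ascii wide" is emulated in string_matches()
# by scanning both the raw text and a UTF-16LE decoding of the same bytes.
RULE2_STRINGS = {
    "content_type": r"content\-type(\:|\=)\s{0,5}text\/plain",
    "Subject": r"(subject)(\:)\s{0,3}[0-9]{4,6}\_[0-9]{0,5}",
    "file_pattern": r"(file|attachment)name\=[0-9]{4,6}(\s|\-|\_){0,3}[0-9]{0,5}"
                    r"(\.)(pdf|xls|xlsx|xlsma|doc|docx)(\.)(iso|dmg|t64)",
    "keywords": r"(Aquí|tienes|Querido|estimado|Amado|Caro|Por|Amable|Buenos\sdias"
                r"|favor|firme|devuelva|regreso|reconocer|adjunto|archivo|Gracias"
                r"|Saludos|Atentamente)",
}

def string_matches(pattern: str, data: bytes) -> bool:
    """Emulate one YARA regex string declared 'ascii wide nocase'."""
    rx = re.compile(pattern, re.IGNORECASE)
    # ascii: the pattern against the bytes as they are (UTF-8 text here)
    if rx.search(data.decode("utf-8", "replace")):
        return True
    # wide: YARA also tries the pattern with a NUL byte after every character
    # (UTF-16LE); decoding the same bytes as UTF-16LE gives that view
    return rx.search(data.decode("utf-16-le", "ignore")) is not None

def rule2_matches(eml: bytes) -> dict:
    """Evaluate rule #2: its condition joins all four strings with 'and'."""
    hits = {name: string_matches(pat, eml) for name, pat in RULE2_STRINGS.items()}
    hits["condition"] = all(hits[name] for name in RULE2_STRINGS)
    return hits

# Constructed, simplified .eml samples (all headers flattened into one block).
SAMPLE_MALSPAM = b"""From: pedidos@example.invalid
Subject: 20451_77
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename=20451-77.pdf.iso

Estimado cliente, adjunto el archivo solicitado. Saludos.
"""
SAMPLE_BENIGN = b"""From: alice@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain; charset=utf-8

Por favor confirma si vienes. Saludos, Alice
"""
# The same malspam stored as UTF-16LE text: only the 'wide' pass can see it.
SAMPLE_WIDE = SAMPLE_MALSPAM.decode("ascii").encode("utf-16-le")
if __name__ == "__main__":
    for label, eml in [("malspam", SAMPLE_MALSPAM), ("benign", SAMPLE_BENIGN), ("wide", SAMPLE_WIDE)]:
        print(label, rule2_matches(eml))
```

The benign sample shows why the condition matters: its Spanish keywords and text/plain header match, but without the numeric subject and the double-extension attachment the rule stays silent.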
[ ARTIFACTS ]
The following results were achieved on running the YARA rule on the above mail.
YARA RULE #3
[ EMAIL ]
Malicious email with a random From address.
[ TYPE OF EMAIL ]
Order inquiry.
The rule will block suspicious order-related emails that carry malware as
downloadable files.
{ YARA RULE }
meta:
    Date = "08-02-2022"
strings:
    // matches "Subject: Order inquiry" as well as "Subject: Re: Order inquiry"
    $subject = /(subject)\s{0,5}(\:|\-|\=)\s{0,5}(re|fwd)?\s{0,5}(\:|\-|\=)?(Order|shipment|product|delivery)\s{0,5}(inquiry|status|enquiry|update|query|question|inquest)\s{0,5}/ ascii wide nocase
    // named $filename in the figure, but the pattern matches the Content-Type header
    $filename = /content\-type(\:|\=)\s{0,5}text\/html/ ascii wide nocase
    // the condition is not legible in the figure
[ ARTIFACTS ]
The following results were achieved on running the YARA rule on the above mail.