HW04: Yara Static Analysis Using Strings, Observables
We have discussed using Yara as a pattern-matching engine to identify and categorize malware samples. For this assignment, select a malware sample from the ZIP bundle referenced below, use strings analysis to extract some significant strings from it, and build a yara rule that meets the following criteria:
- The malware sample is an EXE file
- Matches the artifact you chose
- Matches other artifacts that are from the same family
- Doesn't match any legitimate Windows programs
This means that you will have to go through the malware samples provided, review several of them, and find a few that appear similar. Typically, files containing similar strings, as well as files for which objdump displays similar DLL imports and imported symbols, are both good indicators of similarity.
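The strings half of that workflow, as an added example that is not part of the assignment: extract printable strings from each file, keep the ones shared by every sample in the candidate family and absent from every benign program, emit a yara rule from them, and then check the rule against the whole set. The byte strings, the rule name and the pdb/mutex values are constructed stand-ins, not strings from the assignment's samples; on real files read the bytes from disk and put legitimate Windows binaries in the benign list.

```python
import re
from typing import Iterable, List, Optional, Set

# Constructed stand-in "samples": a bare MZ header followed by a few strings.
# They are not the assignment's samples; they only exercise the workflow.
FAMILY_SAMPLES = [
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\x00KERNEL32.dll\x00"
    + b"C:\\Users\\dev\\src\\loader\\release\\stub.pdb\x00Global\\StubLoaderMutex\x00",
    b"MZ\x90\x00" + b"\x00" * 32
    + b"This program cannot be run in DOS mode.\x00KERNEL32.dll\x00ADVAPI32.dll\x00"
    + b"Global\\StubLoaderMutex\x00C:\\Users\\dev\\src\\loader\\release\\stub.pdb\x00",
]
BENIGN_SAMPLES = [  # stands in for legitimate Windows programs
    b"MZ\x90\x00" + b"\x00" * 40
    + b"This program cannot be run in DOS mode.\x00KERNEL32.dll\x00ADVAPI32.dll\x00",
]


def extract_strings(data: bytes, min_len: int = 6) -> Set[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pat.finditer(data)}


def candidate_strings(family: Iterable[bytes], benign: Iterable[bytes],
                      min_len: int = 6) -> List[str]:
    """Strings shared by every family sample and absent from every benign one."""
    shared = set.intersection(*(extract_strings(d, min_len) for d in family))
    seen_benign = set().union(*(extract_strings(d, min_len) for d in benign))
    return sorted(shared - seen_benign)


def build_rule(name: str, strings: List[str], needed: Optional[int] = None) -> str:
    """Emit a yara rule: MZ header check plus `needed` of the candidate strings."""
    needed = needed or len(strings)
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')  # yara text-string escapes
        lines.append(f'        $s{i} = "{esc}" ascii')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {needed} of ($s*)", "}"]
    return "\n".join(lines)


def rule_matches(data: bytes, strings: List[str], needed: int) -> bool:
    """Mirror the emitted condition in Python to check the rule against a sample."""
    hits = sum(s.encode("ascii") in data for s in strings)
    return data[:2] == b"MZ" and hits >= needed


if __name__ == "__main__":
    cands = candidate_strings(FAMILY_SAMPLES, BENIGN_SAMPLES)
    print(build_rule("stub_loader_family", cands))
    for i, d in enumerate(FAMILY_SAMPLES + BENIGN_SAMPLES):
        print(f"sample {i}: match={rule_matches(d, cands, len(cands))}")
```

The DOS-stub message and common DLL names drop out automatically because they also occur in the benign set, which is exactly the "doesn't match legitimate Windows programs" criterion.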
Your submission will consist of a yara signature attached to your submission. In the comments for your submission, you should describe which malware sample(s) you used to derive your signature (either the filenames, MD5, SHA-1, or SHA-256 checksums will be fine) as well as which malware samples you found to be matched by your signature. So, for instance, after you’ve written your signature, and run it against the full directory of samples, you might find that it matches other malware I provided but you did not necessarily use to build the signature.
The ZIP file download link and details will be listed in the blackboard homework assignment description.