Yara Binary Code Analysis
HW03: Yara Binary Code Analysis
This assignment builds on HW02: using IDA Free, or any other tool you prefer, identify one or more blocks of code and write a yara signature that performs a binary pattern match on them.
You will need to provide the sample ID (filename or checksum) of the malware sample you built the rule from, as well as the location in the file/program where the binary code was identified. Include the disassembly (the x86 instructions) for the code you are matching.
You will work from the malware samples you picked for HW02. Build a yara signature with at least four strings demonstrating the following features in yara, matching at least four different places within the program code. You will need to identify common code between the samples you matched in HW02, or, if you prefer, you can hunt for a new group of similar malware samples. Feel free to implement more than four strings, but you need at least one example of each of the following string types:
- Static binary data (so, no wildcards)
- Binary data containing wild cards (? and ??)
- Binary data containing ranges (using [] with numbers)
- Binary data containing byte alternatives ( 45 | 46 | 67 | … | )
In the Yara Documentation, these are called Hexadecimal Strings.
Your signature needs to meet the following matching criteria:
- All strings must match at least one place in 2 or more of the malware samples from the group you identified in HW02
- The strings must not match any legitimate Windows binaries (I will test against a set of files collected from my Windows XP, 7, and 10 VMs)
Your yara strings implementing the wild cards, ranges, and byte alternatives must be able to match code employing the following variations, in at least two samples from your malware group:
- Different register arguments
- Different address references
- Different immediate constants
- For range(s): you will need to demonstrate at least one place where a different number of instructions is “skipped” by the range(s) between match-patterns
You are more than welcome to select another group of malware samples from the data set, for example if your choices from HW02 are proving difficult to build match signatures for.
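The following is an added, self-contained example (not part of the assignment text and not YARA's own code) that ties the four hexadecimal string types above to the register, address, immediate and skipped-instruction variations listed in the last list. It hand-builds two constructed x86 byte sequences standing in for two related samples (the bytes, the rule-local string names and the displacement values are all invented here), writes one hex string of each kind, and re-implements just enough of YARA's hex-string semantics (fixed bytes, `?` nibble wildcards, `[n]`/`[n-m]` jumps, `( a | b )` alternatives) as a bytes regex so the matching can be checked offline. Nothing here replaces running the real `yara` tool on your samples; it shows why each construct is needed and where it matches.

```python
import re

# Constructed x86 byte sequences standing in for two related samples from one
# malware group (hand-built for this example, not real sample data). Both encode
# the same routine, but B uses a different register (ecx instead of eax), a
# different sub-esp immediate, a different pushed address, and has one extra
# instruction (push esi) between the sub and the mov.
SAMPLE_A = bytes.fromhex(
    "55"            # push ebp
    "8BEC"          # mov ebp, esp
    "83EC10"        # sub esp, 0x10
    "8B4508"        # mov eax, [ebp+8]
    "50"            # push eax
    "6810204000"    # push 0x402010
    "E8B2010000"    # call rel32 (constructed displacement)
    "83C408"        # add esp, 8
    "33C0"          # xor eax, eax
    "8BE5"          # mov esp, ebp
    "5D"            # pop ebp
    "C3"            # ret
)
SAMPLE_B = bytes.fromhex(
    "55" "8BEC"     # push ebp; mov ebp, esp
    "83EC20"        # sub esp, 0x20            <- different immediate constant
    "56"            # push esi                 <- extra instruction to be skipped
    "8B4D08"        # mov ecx, [ebp+8]         <- different register (ModR/M 4D vs 45)
    "51"            # push ecx
    "6840304000"    # push 0x403040            <- different address reference
    "E8A1FFFFFF"    # call rel32 (constructed displacement)
    "83C408" "33C0" # add esp, 8; xor eax, eax
    "5E"            # pop esi
    "8BE5" "5D" "C3"  # mov esp, ebp; pop ebp; ret
)
# A tiny "clean" stub that shares only the generic prologue with the samples.
BENIGN_STUB = bytes.fromhex("558BEC5DC3")

# One hex string of each kind the assignment asks for (names are ours).
HEX_STRINGS = {
    "$static": "{ 55 8B EC }",                     # fixed bytes, no wildcards
    "$wild":   "{ 8B ?? 08 5? 68 }",               # mov r32,[ebp+8]; push r32; push imm32
    "$range":  "{ 83 EC ?? [0-2] 8B ?? 08 }",      # sub esp,imm8; skip 0-2 bytes; mov r32,[ebp+8]
    "$alt":    "{ 68 ?? ?? 40 00 E8 [4] 83 C4 ( 04 | 08 | 0C ) }",  # push 0x0040xxxx; call; add esp,4/8/12
}

_TOKEN = re.compile(r"\[(\d*)(-?)(\d*)\]|[0-9A-Fa-f?]{2}|[()|]")

def _byte_token(tok: str) -> bytes:
    """Translate one two-character hex token (with optional ? nibbles) to regex."""
    hi, lo = tok[0], tok[1]
    if hi != "?" and lo != "?":
        return b"\\x%02x" % int(tok, 16)          # fixed byte
    if hi == "?" and lo == "?":
        return b"."                               # any byte (DOTALL below)
    if hi == "?":                                 # ?N: low nibble fixed, 16 candidate bytes
        return b"[" + b"".join(b"\\x%02x" % ((h << 4) | int(lo, 16)) for h in range(16)) + b"]"
    base = int(hi, 16) << 4                       # N?: high nibble fixed, contiguous range
    return b"[\\x%02x-\\x%02x]" % (base, base + 0x0F)

def yara_hex_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA-style hexadecimal string { ... } into a bytes regex.
    Handles fixed bytes, ? nibble wildcards, [n] / [n-m] / [n-] / [-] jumps and
    ( a | b ) alternatives. Simplified re-implementation, not YARA's engine."""
    compact = re.sub(r"\s+", "", hex_string.strip().strip("{}"))
    tokens = list(_TOKEN.finditer(compact))
    if "".join(t.group(0) for t in tokens) != compact:
        raise ValueError(f"unsupported syntax in hex string: {hex_string}")
    parts = []
    for t in tokens:
        tok = t.group(0)
        if tok.startswith("["):
            lo, dash, hi = t.group(1), t.group(2), t.group(3)
            if not lo and not hi:
                parts.append(b".*")                      # [-]   unbounded jump
            elif not dash:
                parts.append(b".{%d}" % int(lo))         # [n]   exactly n bytes
            elif not hi:
                parts.append(b".{%d,}" % int(lo))        # [n-]  at least n bytes
            else:
                parts.append(b".{%d,%d}" % (int(lo or 0), int(hi)))  # [n-m]
        elif tok == "(":
            parts.append(b"(?:")
        elif tok in (")", "|"):
            parts.append(tok.encode())
        else:
            parts.append(_byte_token(tok))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(sample: bytes, strings=HEX_STRINGS) -> dict:
    """Return {name: [match offsets]} for each hex string found in sample."""
    return {name: [m.start() for m in yara_hex_to_regex(hs).finditer(sample)]
            for name, hs in strings.items()}

def rule_matches(sample: bytes, strings=HEX_STRINGS) -> bool:
    """Equivalent of the YARA condition 'all of them'."""
    return all(scan(sample, strings).values())

if __name__ == "__main__":
    for label, blob in (("sample A", SAMPLE_A), ("sample B", SAMPLE_B), ("benign stub", BENIGN_STUB)):
        print(label, rule_matches(blob), scan(blob))
```

Two points to carry over to a real rule. First, `$static` here is the standard `push ebp; mov ebp, esp` prologue, chosen only to show the syntax: it matches the benign stub too, and would fail the "no legitimate Windows binaries" test above, so pick a static sequence that is specific to your family. Second, this translator is deliberately minimal (it does not report overlapping occurrences or support the full hex-string grammar), so always confirm offsets and the Windows-binary check with the `yara` command-line tool against the actual files.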
tags: malware yara assignment