Yara Binary Code Analysis
HW05: Yara Binary Code Analysis
This assignment builds on HW04. Using IDA Free (or any other disassembler you prefer), identify one or more blocks of code in your sample and write a YARA signature that matches on the bytes of that code.
For each pattern, provide the sample ID (filename or checksum) of the malware sample you built the rule from, the location in the file or program (file offset or virtual address) where the bytes were identified, and the disassembly (the x86 instructions) of the code you are matching.
For this assignment, work from the malware samples you picked for HW04. Build a YARA signature with at least four strings, demonstrating each of the following features and matching at least four different places within the program code. You may simply extend your strings signature from HW04 for this submission.
- Static binary data (a fixed byte sequence with no wildcards)
- Binary data containing wildcards (? for a single nibble, ?? for a whole byte)
- Binary data containing ranges of skipped bytes, called jumps in the YARA documentation (using [] with numbers, e.g. [4] or [2-6])
- Binary data containing byte alternatives ( 45 | 46 | 67 | … )
In the Yara Documentation, these are called Hexadecimal Strings.
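The example below is added for this page and is not course-provided code or YARA itself. It is a small Python matcher that translates the four hexadecimal-string features listed above into byte regexes and reports every offset at which each string matches, then renders the same strings as a YARA rule body. The rule identifiers, the patterns, and the 41-byte SAMPLE buffer are all constructed for illustration (common x86 prologue, call and return sequences), not bytes from any real malware sample; the disassembly comments beside SAMPLE show the form of what the assignment asks you to submit. Use the real yara CLI (yara -s rule.yar sample.bin) to confirm offsets on your actual sample.

```python
"""Minimal matcher for YARA hexadecimal strings (added example, not YARA).
Supported: fixed bytes, ? / ?? wildcards, [n] [n-m] [-] jumps, ( a | b )
alternatives. Offsets reported are the same byte offsets `yara -s` prints."""
import re

# Rule under construction. Identifiers and patterns are illustrative.
RULE_STRINGS = {
    "$static": "55 8B EC 83 EC 10",                    # push ebp; mov ebp,esp; sub esp,10h
    "$wild":   "8B 45 ?? 85 C? 74 ??",                 # mov eax,[ebp+X]; test r32,r32; je rel8
    "$jump":   "E8 [4] 83 C4 ?? [0-6] 5D C3",          # call rel32; add esp,imm8; ...; pop ebp; ret
    "$alt":    "( 6A 00 | 6A 01 | 6A FF ) FF 15 [4]",  # push 0/1/-1; call [imm32]
}

# Constructed buffer standing in for a code section (not a real sample).
SAMPLE = bytes.fromhex(
    "55 8B EC 83 EC 10"                    # 0x00: push ebp / mov ebp,esp / sub esp,10h
    "8B 45 08 85 C0 74 05"                 # 0x06: mov eax,[ebp+8] / test eax,eax / je +5
    "6A FF FF 15 10 20 40 00"              # 0x0D: push -1 / call [0x402010]
    "6A 00 FF 15 14 20 40 00"              # 0x15: push 0 / call [0x402014]
    "E8 A1 FF FF FF 83 C4 04 8B E5 5D C3"  # 0x1D: call rel32 / add esp,4 / mov esp,ebp / pop ebp / ret
)


def _byte_token(tok: str) -> bytes:
    """'AB' -> that byte, '??' -> any byte, 'A?' or '?B' -> one nibble fixed."""
    if tok == "??":
        return b"."
    if "?" not in tok:
        return b"\\x%02x" % int(tok, 16)
    hi, lo = tok
    # enumerate the 16 byte values that satisfy the fixed nibble into a class
    vals = [v for v in range(256)
            if (hi == "?" or v >> 4 == int(hi, 16))
            and (lo == "?" or v & 0xF == int(lo, 16))]
    return b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]"


def _jump_token(tok: str) -> bytes:
    """'[n]' -> exactly n bytes, '[n-m]' -> n..m bytes, '[-]' -> any number."""
    body = tok[1:-1]
    if body == "-":
        return b".*?"
    if "-" in body:
        lo, hi = body.split("-", 1)
        return b".{%d,%s}" % (int(lo or 0), hi.encode())
    return b".{%d}" % int(body)


def hex_string_to_regex(pattern: str) -> bytes:
    """Translate the body of a hex string (the text between { and }) to a bytes regex."""
    tokens = re.findall(r"\[[^\]]*\]|[()|]|[0-9A-Fa-f?]{2}", pattern)
    parts = []
    for tok in tokens:
        if tok.startswith("["):
            parts.append(_jump_token(tok))
        elif tok == "(":
            parts.append(b"(?:")
        elif tok in ")|":
            parts.append(tok.encode())
        else:
            parts.append(_byte_token(tok))
    return b"".join(parts)


def scan(strings: dict, data: bytes) -> dict:
    """Return {identifier: [offsets]} for every hex string. The lookahead wrapper
    reports every start offset, overlapping ones included, as YARA does; DOTALL
    makes '.' match 0x0A, which a byte pattern must treat like any other byte."""
    hits = {}
    for name, pattern in strings.items():
        rx = re.compile(b"(?=(" + hex_string_to_regex(pattern) + b"))", re.DOTALL)
        hits[name] = [m.start() for m in rx.finditer(data)]
    return hits


def yara_rule_text(name: str, strings: dict) -> str:
    """Render the strings as a YARA rule, the deliverable format for this assignment."""
    lines = [f"rule {name}", "{", "    strings:"]
    lines += [f"        {ident} = {{ {pattern} }}" for ident, pattern in strings.items()]
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(yara_rule_text("hw05_example", RULE_STRINGS))
    for ident, offsets in scan(RULE_STRINGS, SAMPLE).items():
        print(ident, [hex(o) for o in offsets])
```

The converter is deliberately a subset of YARA's grammar (no nested alternatives, no jumps inside alternatives), which is enough to check the four required features; the point is to see how each feature changes what the pattern will and will not match before you run the real engine over your sample.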
Your new rule may also match other malware samples. Include a list of all matching samples in your submission.
Unlike the strings analysis in HW04, you are not required to ensure that your hexadecimal strings avoid matching legitimate Windows programs.
tags: malware yara assignment