Yara Static Analysis Using Strings, Observables
HW02: Yara Static Analysis Using Strings, Observables
Due: Sunday, 2018-03-18 11:55PM
We have discussed using Yara as a pattern-matching engine to identify and categorize malware samples. For this assignment, select a malware sample from the ZIP bundle described below, use strings and metadata analysis to extract significant strings and observables from it, and build a Yara rule that meets the following criteria:
- The malware sample is an EXE file
- Matches the artifact you chose
- Matches other artifacts that are from the same family
- Doesn't match any legitimate Windows programs
- Must use at least one feature from one of the following Yara modules: pe, dotnet (where applicable), math
This means that you will have to go through the malware samples provided, review several of them, and find a few that appear similar. Files that contain similar strings, and files for which objdump displays similar DLL imports and imported symbols, are both good indicators of similarity. Note that you may need to repeat this cycle several times to pinpoint a family for which you have a sufficient number of samples.
You may use any of the other Yara modules as well; you just need to employ at least one feature from one of the modules listed above.
Your submission will consist of a Yara signature attached to your submission. In the comments for your submission, describe which malware sample(s) you used to derive your signature (the filenames or their MD5, SHA-1, or SHA-256 checksums will be fine) as well as which malware samples you found to be matched by your signature. So, for instance, after you've written your signature and run it against the full directory of samples, you might find that it matches other malware I provided that you did not necessarily use to build the signature.
The ZIP file download link and details will be listed in the Blackboard homework assignment description.