CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

View on GitHub
9 March 2018

Yara Binary Code Analysis


HW03: Yara Binary Code Analysis

This assignment will build upon HW02 by having you use IDA Free or any other tool you wish to use, to identify one or more blocks of code to write a yara signature that performs a binary pattern match.

You will need to provide the sample Id (filename, or checksum) of the malware sample you built the rule from, as well as the location in the file/program that the binary code was identified. Include the disassembly (the x86 instructions) for the code that you’re matching.

In this example, you will work off of the malware samples you picked for HW02. Build a yara signature with at least four strings demonstrating the following features in yara, and matching on at least four different places within the program code. You’ll need to identify common code between the samples you matched from HW02, or if you prefer you can try to hunt for a new group of similar malware samples. Feel free to implement more than merely four strings, but you need at least one example of each of the following string types:

In the Yara Documentation, these are called Hexadecimal Strings.

Your signature needs to meet the following matching criteria:

Your yara strings implementing the wild cards, ranges, and byte alternatives must be able to match code employing the following variations, in at least two samples from your malware group:

If you want, you are more than welcome to select another group of malware samples from the data set. You may choose to do this if your choices from HW02 are proving difficult to build match signatures for.


tags: malware yara assignment