Hunting Evil with YARA (Linux Edition)
Last updated
Incorporating YARA extends the capabilities of memory forensics, a pivotal technique in malware analysis and incident response. It equips us to traverse memory content, hunting for telltale signs or compromise indicators.
YARA's memory image scanning mirrors its disk-based counterpart. Let's map out the process:
1) Create YARA Rules: Either develop bespoke YARA rules or lean on existing ones that target memory-based malware traits or dubious behaviors.
2) Compile YARA Rules: Compile the YARA rules into a binary format using the yarac tool (YARA Compiler). This step creates a file containing the compiled YARA rules with a .yrc extension. This step is optional, as we can use the normal rules in text format as well. While it is possible to use YARA in its human-readable format, compiling the rules is a best practice when deploying YARA-based detection systems or working with a large number of rules, to ensure optimal performance and effectiveness. Compiling rules also provides some level of protection by converting them into binary format, making it harder for others to view the actual rule content.
3) Obtain Memory Image: Capture a memory image using tools such as DumpIt, MemDump, Belkasoft RAM Capturer, Magnet RAM Capture, FTK Imager, and LiME (Linux Memory Extractor).
4) Memory Image Scanning with YARA: Use the yara tool and the compiled YARA rules to scan the memory image for possible matches.
For instance, we have a memory snapshot named compromised_system.raw (residing in the /home/htb-student/MemoryDumps directory of this section's target) originating from a system under siege by WannaCry ransomware. Let's confront this image with the wannacry_artifacts_memory.yar YARA rule (residing in the /home/htb-student/Rules/yara directory of this section's target).
Beyond standalone tools, diving deeper into memory forensics offers a plethora of avenues. Integrating YARA within memory forensics frameworks amplifies its potential. With the Volatility framework and YARA operating in tandem, WannaCry-specific IOCs can be detected seamlessly.
In this case, we'll specify a YARA rule pattern directly on the command line, which the yarascan plugin of Volatility then searches for within the memory image. The string should be enclosed in quotes (") after the -U option. This is useful when we have a specific YARA rule or pattern that we want to apply without creating a separate YARA rules file.
From previous analysis we know that the WannaCry malware attempts to connect to the following hard-coded URI: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Introducing this pattern on the command line using -U "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" prompts a search for it within the compromised_system.raw memory image.
This option allows us to directly specify a YARA rule string within the command line itself. Let's see how we can search for the content of a whole YARA rule file (i.e. a .yar rule file) in memory image files.
When we have multiple YARA rules or a set of complex rules that we want to apply to a memory image, we can use the -y option followed by the rule file path in the Volatility framework, which allows us to specify the path to a YARA rules file. The YARA rules file (wannacry_artifacts_memory.yar in our case) should contain one or more YARA rules in a separate file.
The YARA rules file we will use for demonstration purposes is the following.
We can see in the results that the yarascan plugin in Volatility is able to find the process svchost.exe with PID 1576 in the memory image of the compromised system.
In summary, the -U option allows us to directly specify a YARA rule string on the command line, while the -y option is used to specify the path to a file containing one or more YARA rules. The choice between the two options depends on our specific requirements and whether we have a single rule or a set of rules to apply during the analysis.
1) Study the following resource https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html to learn how WannaCry performs shadow volume deletion. Then, use yarascan when analyzing "/home/htb-student/MemoryDumps/compromised_system.raw" to identify the process responsible for deleting shadows. Enter the name of the process as your answer.
Answer: @WanaDecryptor@