Hunting Evil with YARA (Linux Edition)

Hunting for Evil Within Memory Images with YARA

Incorporating YARA extends the capabilities of memory forensics, a pivotal technique in malware analysis and incident response. It equips us to traverse memory content, hunting for telltale signs or compromise indicators.

YARA's memory image scanning mirrors its disk-based counterpart. Let's map out the process:

  • Create YARA Rules: Either develop bespoke YARA rules or lean on existing ones that target memory-based malware traits or dubious behaviors.

  • Compile YARA Rules: Compile the YARA rules into a binary format using the yarac tool (YARA Compiler). This step creates a file containing the compiled YARA rules with a .yrc extension. This step is optional, as we can use the normal rules in text format as well. While it is possible to use YARA in its human-readable format, compiling the rules is a best practice when deploying YARA-based detection systems or working with a large number of rules to ensure optimal performance and effectiveness. Also, compiling rules provides some level of protection by converting them into binary format, making it harder for others to view the actual rule content.

  • Obtain Memory Image: Capture a memory image using tools such as DumpIt, MemDump, Belkasoft RAM Capturer, Magnet RAM Capture, FTK Imager, and LiME (Linux Memory Extractor).

  • Memory Image Scanning with YARA: Use the yara tool and the compiled YARA rules to scan the memory image for possible matches.

For instance, we have a memory snapshot named compromised_system.raw (residing in the /home/htb-student/MemoryDumps directory of this section's target) originating from a system under the siege of WannaCry ransomware. Let's confront this image with the wannacry_artifacts_memory.yar YARA rule (residing in the /home/htb-student/Rules/yara directory of this section's target).

yara /home/htb-student/Rules/yara/wannacry_artifacts_memory.yar /home/htb-student/MemoryDumps/compromised_system.raw --print-strings

Beyond standalone tools, diving deeper into memory forensics offers a plethora of avenues. Integrating YARA within memory forensics frameworks amplifies its potential. With the Volatility framework and YARA operating in tandem, WannaCry-specific IOCs can be detected seamlessly.

Single Pattern YARA Scanning Against a Memory Image

In this case, we specify a YARA pattern directly on the command line, and Volatility's yarascan plugin searches for it within the memory image. The string should be enclosed in double quotes (") after the -U option. This is useful when we have a single pattern or rule that we want to apply without creating a separate YARA rules file.

From previous analysis we know that the WannaCry malware attempts to connect to the following hard-coded URI: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Introducing this pattern within the command line using -U "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" prompts a search within the compromised_system.raw memory image.

vol.py -f /home/htb-student/MemoryDumps/compromised_system.raw yarascan -U "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

The -U option therefore lets us specify a single YARA pattern inline. Next, let's see how to search a memory image with the contents of a whole YARA rule file (i.e. a .yar file).
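To make concrete what the single-pattern search above does under the hood, and two caveats that matter on raw memory images (a string split across read-chunk boundaries, and Windows strings stored as UTF-16LE, which YARA only matches with the `wide` modifier), here is a small added Python scanner. It is example code written for this page, not part of Volatility, YARA or the lab; the "memory image" it scans is constructed inline.

```python
import io
import sys

# WannaCry kill-switch domain taken from the page; the sample image below is
# constructed here and is not a real memory dump.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def build_sample_image(chunk_size: int) -> bytes:
    """Constructed stand-in for a memory image: the domain once as ASCII,
    placed so it straddles a chunk boundary, and once as UTF-16LE."""
    ascii_copy = KILL_SWITCH.encode("ascii")
    wide_copy = KILL_SWITCH.encode("utf-16-le")
    pad = b"\x00" * (chunk_size - 10)  # ASCII copy starts 10 bytes before the boundary
    return pad + ascii_copy + b"\x00" * 64 + wide_copy + b"\x00" * 32


def scan_image(stream, pattern: str, chunk_size: int = 1 << 20):
    """Return [(encoding, absolute_offset)] for every occurrence of `pattern`
    as ASCII or UTF-16LE (YARA's `wide`). Reads in chunks and carries an
    overlap so a hit crossing a chunk boundary is reported exactly once."""
    if isinstance(stream, (bytes, bytearray)):
        stream = io.BytesIO(stream)
    needles = {"ascii": pattern.encode("ascii"), "wide": pattern.encode("utf-16-le")}
    overlap = max(len(n) for n in needles.values()) - 1
    hits, buf, base = [], b"", 0  # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        eof = not chunk
        buf += chunk
        # A hit starting in the last `overlap` bytes is re-examined next round
        # (those bytes are kept), so only accept it now at end of file.
        limit = len(buf) if eof else max(len(buf) - overlap, 0)
        for enc, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1 and pos < limit:
                hits.append((enc, base + pos))
                pos = buf.find(needle, pos + 1)
        if eof:
            break
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        buf = buf[len(buf) - keep:]
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # Usage: python scan.py /path/to/memory.raw  (defaults to the constructed sample)
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_image(256)
    for enc, off in scan_image(src, KILL_SWITCH):
        print(f"{enc:5s} hit at offset 0x{off:x}")
```

The -U invocation above matches only the ASCII form of the domain; a rule that declares the string with the `ascii wide` modifiers covers both encodings.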

Multiple YARA Rule Scanning Against a Memory Image

When we have multiple YARA rules, or a set of complex rules, to apply to a memory image, we can use Volatility's -y option followed by the path to a YARA rules file. That file (wannacry_artifacts_memory.yar in our case) contains one or more YARA rules.

The YARA rules file we will use for demonstration purposes is the following.

cat /home/htb-student/Rules/yara/wannacry_artifacts_memory.yar
vol.py -f /home/htb-student/MemoryDumps/compromised_system.raw yarascan -y /home/htb-student/Rules/yara/wannacry_artifacts_memory.yar

We can see in the results that the yarascan plugin in Volatility is able to find the process svchost.exe with PID 1576 in the memory image of the compromised system.

In summary, the -U option allows us to directly specify a YARA rule string within the command-line, while the -y option is used to specify the path to a file containing one or more YARA rules. The choice between the two options depends on our specific requirements and whether we have a single rule or a set of rules to apply during the analysis.

Q & A

1) Study the following resource https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html to learn how WannaCry performs shadow volume deletion. Then, use yarascan when analyzing "/home/htb-student/MemoryDumps/compromised_system.raw" to identify the process responsible for deleting shadows. Enter the name of the process as your answer.

nano shadow_volume_deletion
rule ShadowVolumeDeletion
{
    meta:
        description = "Detects shadow volume deletion activities"
        author = "Fares Morcy"
        last_modified = "2024-04-03"

    strings:
        // Command lines used by WannaCry and similar ransomware to remove shadow copies
        $vssadmin_delete = "vssadmin delete shadows"
        $vssadmin_delete_all = "vssadmin delete shadows /all"
        $wmic_shadow_delete = "wmic shadowcopy delete"
        $wmic_shadow_delete_all = "wmic shadowcopy delete /all"
        // Deliberately broad (any "-delete" argument); expect extra hits on a full memory image
        $cmd_args = "-delete"

    condition:
        // Same as "any of (vssadmin/wmic strings) or any of ($cmd_args)", written idiomatically
        any of them
}
vol.py -f /home/htb-student/MemoryDumps/compromised_system.raw yarascan -y /home/htb-student/Rules/yara/shadow_volume_deletion

Answer: @WanaDecryptor@
