YARA with Cyberchef
1. Introduction
CyberChef is a powerful web app for encryption, encoding, compression and data analysis. I've already used it in a previous crypto exercise.
In this exercise I'll use CyberChef to check a specific binary against a YARA rule.
We need some malware samples. If you haven't downloaded them already you can find them here:
cd /home/hacker/
git clone https://github.com/fabrimagic72/malware-samples.git
cd /home/hacker/malware-samples
2. CyberChef and grandcab.bin
Please open CyberChef in your browser
https://gchq.github.io/CyberChef/
and add the following malware as input from the malware-samples folder:
/home/hacker/malware-samples/Ransomware/Grandcrab/grandcab.bin

Please search for "YARA" in the left menu, add the YARA operation to CyberChef and use the following rule:
rule maldoc_getEIP_method_1 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
    condition:
        $a
}

3. CyberChef and $ucylocker.bin
Our next malware sample is $ucylocker.bin. CyberChef has an unzip feature, but it isn't working yet. See: https://github.com/gchq/CyberChef/issues/1161
For that reason we have to unzip the malware first. The password for the zip file is: infected
7z x 86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.zip

Add the newly created file /home/hacker/malware-samples/Ransomware/$ucyLocker/86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.bin as input.
Add the YARA operation as in the previous step, this time with the following rule:
rule NETexecutableMicrosoft
{
    meta:
        author="malware-lu"
    strings:
        $a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }
    condition:
        $a0
}
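To show what the two hex strings above actually match, here is an added Python script (not part of the original exercise or of CyberChef) that translates a YARA hex string into a byte regex and scans a buffer with it, covering only a subset of YARA's syntax (literal bytes, ?? wildcards and (aa|bb) alternation groups). The sample buffers in the script are constructed for illustration and are not bytes taken from the malware files.

```python
import re
import sys

# Hex strings taken from the two YARA rules on this page.
RULES = {
    "maldoc_getEIP_method_1": "E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)",
    "NETexecutableMicrosoft": ("00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 "
                               "6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25"),
}

def hex_string_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex.

    Supports a subset of YARA's syntax: literal bytes, '??' (any one byte) and
    (aa|bb|...) alternation groups.  Jumps such as [4-6] are not handled here."""
    parts = []
    for token in re.findall(r"\(|\)|\||\?\?|[0-9A-Fa-f]{2}", hex_string):
        if token == "(":
            parts.append(b"(?:")
        elif token in (")", "|"):
            parts.append(token.encode())
        elif token == "??":
            parts.append(b".")
        else:
            parts.append(b"\\x%02X" % int(token, 16))  # emit each literal byte as \xHH
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data, rules=RULES):
    """Return {rule_name: [match offsets]} for every rule whose string occurs in data."""
    hits = {}
    for name, hex_string in rules.items():
        offsets = [m.start() for m in hex_string_to_regex(hex_string).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits

# Constructed sample buffers (not bytes from the real samples).  The first is the
# classic position-independent "get EIP" stub: E8 00000000 is a CALL to the very next
# instruction, which pushes the return address, and 58..5F is POP into a register.
SAMPLE_GETEIP = b"\x90\x90" + b"\xE8\x00\x00\x00\x00\x5B" + b"\x83\xEB\x06"
# The second mimics the import thunk a .NET PE uses to reach _CorExeMain in mscoree.dll.
SAMPLE_DOTNET = (b"\x00" * 8 + b"_CorExeMain\x00mscoree.dll" + b"\x00" * 5
                 + b"\xFF\x25" + b"\x00\x20\x40\x00")

if __name__ == "__main__":
    # Usage: python3 script.py <file>   (e.g. the grandcab.bin path used above)
    with open(sys.argv[1], "rb") as fh:
        for name, offsets in scan(fh.read()).items():
            print(f"{name}: {len(offsets)} match(es) at {[hex(o) for o in offsets]}")
```

Running the script over the two sample files should give the same hit/no-hit result as the YARA operation in CyberChef, which makes it a quick way to sanity-check a rule before pasting it into the web app.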
