YARA with Cyberchef

1. Introduction

CyberChef is a powerful web app for encryption, encoding, compression and data analysis. I have already used it in a previous crypto exercise.

In this exercise I'll use CyberChef to check a specific binary against a YARA rule.

We need some malware samples. If you haven't downloaded them already, you can find them here:

cd /home/hacker/
git clone https://github.com/fabrimagic72/malware-samples.git
cd /home/hacker/malware-samples

2. CyberChef and grandcab.bin

Please open CyberChef in your browser:

https://gchq.github.io/CyberChef/

and add the following malware sample from the malware-samples folder as input:

  • /home/hacker/malware-samples/Ransomware/Grandcrab/grandcab.bin

Search for YARA in the operations menu on the left.

Add the YARA Rules operation to the recipe and use the following rule:

rule maldoc_getEIP_method_1 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
    condition:
        $a
}

3. CyberChef and $ucylocker.bin

Our next malware sample is $ucylocker.bin. CyberChef has an Unzip operation, but it is not working yet. See: https://github.com/gchq/CyberChef/issues/1161

For that reason we have to unzip the malware first. The password for the zip file is: infected

7z x 86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.zip

Add the newly created file /home/hacker/malware-samples/Ransomware/$ucyLocker/86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.bin as input.

Add the YARA Rules operation as in the previous step, this time with the following rule:

rule NETexecutableMicrosoft
{
    meta:
        author = "malware-lu"
    strings:
        $a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }
    condition:
        $a0
}
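As an added example (not part of the original exercise, and not code from CyberChef or YARA), the following Python reproduces what the YARA Rules operation does with the two rules above: it translates each hex string into a byte regex and reports the offsets where it matches. It goes slightly beyond the page by also handling the `??` wildcard; the sample byte strings are constructed stand-ins for the two patterns, not real malware.

```python
import re

# The two rules from this exercise, reduced to their single hex string each.
RULES = {
    "maldoc_getEIP_method_1": "{E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}",
    "NETexecutableMicrosoft": (
        "{ 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00"
        " 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }"
    ),
}

_TOKEN = re.compile(r"\(|\)|\||\?\?|[0-9A-Fa-f]{2}")


def hex_string_to_regex(hex_str: str) -> bytes:
    """Translate a YARA hex string into an equivalent bytes regex.

    Supported: plain bytes, '??' (any one byte) and (A|B|...) alternatives.
    Not supported here: jumps such as [4-6] or nibble wildcards such as 5?.
    """
    body = hex_str.strip().strip("{}")
    parts = []
    for tok in _TOKEN.findall(body):
        if tok == "(":
            parts.append(b"(?:")          # non-capturing alternative group
        elif tok in (")", "|"):
            parts.append(tok.encode())
        elif tok == "??":
            parts.append(b".")            # any byte (re.DOTALL below)
        else:
            parts.append(b"\\x%02X" % int(tok, 16))  # one literal byte
    return b"".join(parts)


def scan(data: bytes, rules: dict = RULES) -> dict:
    """Return {rule_name: [match offsets]} for every rule whose string occurs in data."""
    hits = {}
    for name, hex_str in rules.items():
        pattern = re.compile(hex_string_to_regex(hex_str), re.DOTALL)
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample inputs (not real malware): a "call $+5; pop ebp" GetEIP stub,
# a .NET-style import stub naming _CorExeMain / mscoree.dll, and a near miss.
GETEIP_SAMPLE = b"\x90\x90\xE8\x00\x00\x00\x00\x5D\x90"
DOTNET_SAMPLE = b"MZ\x90\x90" + b"\x00" * 8 + b"_CorExeMain\x00mscoree.dll" + b"\x00" * 5 + b"\xFF\x25"
NO_POP_SAMPLE = b"\xE8\x00\x00\x00\x00\x90"  # call $+5 not followed by a pop: no hit

if __name__ == "__main__":
    for label, blob in [("geteip", GETEIP_SAMPLE), ("dotnet", DOTNET_SAMPLE), ("nopop", NO_POP_SAMPLE)]:
        print(label, scan(blob))
```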
