#100DaysOfYara

#100DaysOfYARA - Day 15 (a little behind)

I used @REMnux's MCP to extract a payload from a (previously unknown to me) malware that I'm now tracking as AxolotlLoader. I used the MCP to build a YARA rule based off of the XOR decryption function.

Rule at end
1/5


#100DaysofYARA Day 14
Checkpoint published research on VoidLink C2 framework.
They call it "advanced malware framework"; but maybe I'm not sure what "advanced" means in this context.

Rule at end
1/2


#100DaysofYara - day 13
Came across a low detection malware which seems YARA resistant. Currently in use by ransomware actor.
I'll post some thoughts, but would love suggestions from others.

I'll explain the malware and show the best I could come up with.

Rule at bottom
1/7


#100daysofYARA - day 12
VirusTotal uses CAPE sandbox to identify many malware families and determine if they can extract the malware's configuration. Since they use CAPE, we can often see their logic. Today, we'll suggest edits to a rule for AgentTesla.

Rule at end.
1/10


#100DaysofYARA - Day 11
In looking at automatic YARA generation, yarGen-Go is a must. Just released by @cyb3rops, it is a rewrite and advancement from the original yarGen.

We'll look at the same malware from day 10; a targeted HavocC2 loader with decoy.

rule at bottom
1/5


#100DaysofYara - day 10
There are a few lines of thinking around automatic YARA generation. I'm exploring these as part of this challenge. Today we'll look at MCRIT.

MCRIT asks what do we learn by comparing samples? Can we find functions unique to the family?

rule at end
1/5


#100DaysofYARA - Day 9
YARA looks for the header used in a .SCPT file used by BlueNoroff (DPRK) to target MacOS systems.

Script is delivered to victims disguised as a Zoom meeting launcher.
e.g. a7c7d75c33aa809c231f1b22521ae680248986c980b45aa0881e19c19b7b1892

Rule at end
1/3


Repo “100daysofyara” aggregates sporadic YARA contributions linked to the #100DaysOfYara challenge, providing a community-focused collection of detection rules and examples. #yara #tool https://bit.ly/456s4cp


#100DaysofYARA - Day 8
For many years, many attackers tried to keep their binaries small. However, the others found the opposite works too: extremely large binaries can cause problems with analysis.

What can be done about these large executables?

Rule at end
1/6


#100DaysofYARA - Day 7
@malwrhunterteam identified a suspicious file signed by "Xiamen Jialan Guang Information Technology Service Co., Ltd."

While we have a pretty good idea it'll be abused, it hasn't been yet.
So, let's watch for it to be abused.

Rule at end
1/5


#100DaysofYARA - Day 6
In December and again in January, an unknown actor replaced the download on EmEditor's website with a malicious installer. Each time, the download was a trojan installer with a valid code-signing signature.

How can we detect this?

Rule at end
1/6


#100DaysofYARA - day 5
The Cert Graveyard project reports and documents abuse of code-signing, including Apple-issued certificates.

When reporting a certificate, we want to ensure Apple has all the identifiers they need to investigate and act.

Rule at end
1/7


#100DaysofYARA - Day 4
One heavy user of code-signing certificates is Rhysida Ransomware.

In June, I created a YARA rule focusing on their malware to help me find and report their certificates. To do so, I had to create a YARA rule on the Rich PE Header.

Rule at end
1/7


#100DaysofYARA - Day 3
This relates to obfusheader discussed by @RussianPanda95 and @c0ner0ne.

If the dev is going to use hard-coded strings, let's use them to our advantage.

This thread will demo Malcat's YARA features.
Rule at end of thread
1/5


#100DaysofYARA - Day 2
YARA rule to detect the default Delphi darkmode dib icon.
I've seen this icon excessively over the years. Using @unpacme's YARA hunting tools, I saw 0 known goodware and 800 packed junk.

Rule at end
1/4


First day of #100daysOfYara
This YARA rule detects a technique used in #TrashAgent malware. The malware has a hard-coded list of apps to check for on the system. This YARA looks for the way they parse the list.
In the image, the list is demarcated with "nepo"

rule at end
1/7


🚨#100DaysofYARA lives!!

2-time reigning champ Yashraj has kindly offered to take the helm for this community effort! Give the homie a follow 👊

Check the repo to contribute: github.com/100DaysofYARA

And gear up for Jan 1 when #100DaysofYARA will kick off!

100 Days of YARA: How to write .NET code signatures If you write YARA signatures for .NET assemblies only relying on strings, you are seriously missing out. Learn what you can do to level up your YARA rules.

I wrote how to use knowledge about .NET structures and streams for writing .NET Yara signatures.

E.g. IL code patterns, method signature definitions, GUIDs, compressed length

#GDATATechblog #100DaysOfYara
www.gdatasoftware.com/blog/2025/04...


I doubt this is new ground, but I just recently started using this YARA to help identify potential entry point(s) in shellcode. Have a video that highlights its usage as well as the -s arg for showing offsets:

buff.ly/4ibEkwZ

Always more to learn! Is it too late for #100DaysOfYara?! 😉

My YARA rule for detecting the b64 routine seen in the Coyote Banking Trojan

The entire infection chain for Coyote https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files

Postponing PMRP prep with my second rule for #100DaysOfYARA. This one focuses on finding the B64 decoding routine seen in the final stages of the Coyote Banking Trojan. www.fortinet.com/blog/threat-...


This #100daysofyara shows how bad rules can be good when used correctly :)
I'm using it for targeted live strings extraction in Velociraptor and some cool workflow to drive things like building YARA rules.

The screenshot shows VQL to dynamically generate a yara rule to preferred string size.

GitHub - augustvansickle/2025_100DaysofYara

Allllll caught up on my #100DaysOfYara challenges/days/whatever

Also going to be doing much more Macho because I have been working on Offsec's MacOS Exploit Dev course

github.com/augustvansic...

2025_100DaysofYara/Day 32_SH_Stager.yar at 38f9a616adede74afddb18e95801e36920f933de · augustvansickle/2025_100DaysofYara

#100DaysOfYara Day 32

Today's sample is a sh file, typically a script on unix-based systems. It calls different files from a C2 hosting, gives them 'chmod 777' permissions (so it can execute), executes them on disk, and removes the file after execution in memory.

github.com/augustvansic...


Today's #100daysofyara rule targets the CISA report for this Contec CMS8000 backdoor

Rule: github.com/mgreen27/100...


#100DaysOfYara Day 31

PE32, tagged to CredentialFlusher but has some elements in strings from the AutoIT V3 malware

www.itfunk.org/cyber-threat...

github.com/augustvansic...


#100DaysOfYara Day 30

PE32 EXE that appears to be loaded/hidden as a nullsoft installer application with very little detail in properties

github.com/augustvansic...


#100DaysOfYara Day 29

PE32 EXE .NET binary

github.com/augustvansic...
