Find Neshta-infected files with YARA.
Month: December 2021
100 Days of YARA – Day 11: UPX
Find UPX-packed binaries with YARA.
REVIEW: Reversing: Secrets of Reverse Engineering
Book review of Reversing: Secrets of Reverse Engineering.
REVIEW: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
My review of Practical Malware Analysis.
100 Days of YARA – Day 10: WinSock
Detect applications utilizing WinSock with YARA.
100 Days of YARA – Day 9: Berkeley Sockets
Detect applications likely to be using sockets with YARA.
100 Days of YARA – Day 8: Salsa20
Salsa20 is a stream cipher used by several ransomware families:
https://appuals.com/grandcrab-ransomware-v4-1-2-theft-prevented-with-salsa20-algorithm/
https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html
https://www.acronis.com/en-us/articles/sodinokibi-ransomware/
I took a similar approach to the rules in previous posts that find MD5 and SHA256 implementations: I found a constant by reading the source code of a Salsa20 implementation on GitHub and looking for unique values: https://github.com/alexwebr/salsa20/blob/master/salsa20.c#L118-L125 This was able to detect Sodinokibi …
100 Days of YARA – Day 7: SHA256
Here is an example using the same approach outlined in the previous post about identifying MD5 constants, but applied to SHA256. I used OpenSSL's source code to determine these constants and re-arranged each constant into little-endian byte sequences: https://github.com/openssl/openssl/blob/master/crypto/sha/sha256.c
rule sha256_constants {
    meta:
        description = "SHA256 constants"
    strings:
        $ = { 852c7292 }
        $ = …
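The constant-to-byte-pattern step behind both the Day 8 (Salsa20) and Day 7 (SHA256) excerpts, as an added example that is not code from the original posts: it takes 32-bit constants as they appear in the reference source, packs each one little-endian (the order an x86/x64 compiler stores it in .rdata or as a mov immediate), emits the resulting YARA hex strings, and checks the patterns against a constructed buffer so the rule can be sanity-tested without yara-python. The SHA256 table is the standard K[0..63] round-constant table; for Salsa20 the post does not say which constant it picked, so the "expand 32-byte k" sigma constant used here is my assumption. The `yara_rule`, `le_hex`, `count_hits` and `build_sample` names are mine.

```python
"""Turn 32-bit crypto constants into little-endian YARA hex strings.

Added example for this archive page, not the original posts' code.
Works offline: the "scan" is a plain substring check on a constructed buffer.
"""
import struct

# SHA-256 round constants K[0..63] (FIPS 180-4; also OpenSSL crypto/sha/sha256.c).
SHA256_K = [
    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
    0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
    0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
    0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
    0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
    0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
    0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
]

# Salsa20 sigma constant "expand 32-byte k" as four little-endian 32-bit words.
# Assumption: the Day 8 post does not name its constant; sigma is the classic choice.
SALSA20_SIGMA = b"expand 32-byte k"
SALSA20_WORDS = list(struct.unpack("<4I", SALSA20_SIGMA))


def le_hex(word: int) -> str:
    """Hex of a 32-bit constant in the byte order a little-endian CPU stores it."""
    return struct.pack("<I", word).hex()


def yara_rule(name: str, description: str, words, min_hits: int) -> str:
    """Emit a YARA rule with one anonymous hex string per constant."""
    lines = [f"rule {name}", "{", "    meta:",
             f'        description = "{description}"', "    strings:"]
    for w in words:
        lines.append(f"        $ = {{ {le_hex(w)} }}")
    lines += ["    condition:", f"        {min_hits} of them", "}"]
    return "\n".join(lines)


def count_hits(data: bytes, words) -> int:
    """How many constants occur in data; mirrors what YARA's 'N of them' counts."""
    return sum(1 for w in words if struct.pack("<I", w) in data)


def build_sample() -> bytes:
    """Constructed stand-in for a binary's .rdata: the K table between padding."""
    table = b"".join(struct.pack("<I", w) for w in SHA256_K)
    return b"\x00" * 16 + table + b"\xff" * 16


if __name__ == "__main__":
    print(yara_rule("sha256_constants", "SHA256 constants", SHA256_K, 8))
    print(yara_rule("salsa20_sigma", "Salsa20 sigma constant", SALSA20_WORDS, 4))
    sample = build_sample()
    print("SHA256 hits in sample:", count_hits(sample, SHA256_K))
    print("Salsa20 hits in sample:", count_hits(sample, SALSA20_WORDS))
```

Two caveats when turning the output into a production rule: four-byte patterns are short, so require a sensible number of them in the condition rather than `any of them`, and remember the packing assumes a little-endian target; a big-endian build, or a rule for the Salsa20 "expand 16-byte k" (tau) variant, needs its own byte order and constants.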
100 Days of YARA – Day 6: MD5
Find applications implementing the MD5 algorithm with YARA.
100 Days of YARA – Day 5: Shell Scripts Two Ways!
Find scripts with YARA.
100 Days of YARA – Day 4: Identifying Mach-O Files and Java Classes
Detect Mach-O binaries with YARA.
100 Days of YARA – Day 3: ELF Files
Identify ELF files with YARA.