100 Days of YARA – Day 4: Identifying Mach-O Files and Java Classes

There is a Mach-O module for Yara, but it wasn’t installed on my system. https://github.com/VirusTotal/yara/pull/1100

Unfortunately, I do not have any Mac systems or a good dataset of Mach-O binaries to test this rule with.

Based off of the PE and ELF examples in the prior posts, the fastest method has been using integers to identify magic byte sequences at

I was able to find many of these definitions here:

Unfortunately again, cafebabe is also the signature for compiled Java classes, which introduce a lot of false positives. After reading https://en.wikipedia.org/wiki/List_of_file_signatures, I came up with this rule:

rule macho
{
	meta:
		description = "Mach-O binaries"

	condition:
		uint32(0) == 0xfeedface or /* 32 bit */
		uint32(0) == 0xcefaedfe or /* NXSwapInt(MH_MAGIC */
		uint32(0) == 0xfeedfacf or /* 64 bit */
		uint32(0) == 0xcffaedfe or /* NXSwapInt(MH_MAGIC_64) */
		uint32(0) == 0xcafebabe or /* FAT, Java */
		uint32(0) == 0xbebafeca or /* NXSwapInt(FAT_MAGIC) */
		uint32(0) == 0xcafebabf or /* FAT 64 bit */
		uint32(0) == 0xbfbafeca    /* NXSwapLong(FAT_MAGIC_64) */
}

I made a separate rule for Java classes:

rule java_class_compiled
{
	meta:
		description = "Java Class"

	condition:
		uint32(0) == 0xbebafeca
}

I felt I spent enough time with this, and am accepting the false positives for now as I don’t have a ton of Mach-O or Java classes in my collection. I would like to revisit both of these rules to make them more accurate.


YARA Rules Index

One thought on “100 Days of YARA – Day 4: Identifying Mach-O Files and Java Classes

  1. Pingback: YARA Rules Index – DMFR SECURITY

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s