100 Days of YARA – Day 14: shc Generic Shell Script Compiler

shc wraps a shell script in a standalone ELF executable. The tool itself is not malicious, but recognising that a sample was built with it saves analysts a lot of time: the binary is a loader around a script, not native code that needs to be reversed.

The script is stored inside the binary encrypted with ARC4 (RC4) and is decrypted at run time before being handed to the shell. This makes shc a popular choice for administrators who want to hide scripts that contain secrets. The protection is obfuscation rather than confidentiality, however: the ciphertext and the key material needed to decrypt it both live in the same executable, so anyone holding the binary can recover the script.

Binaries produced by earlier versions of shc can be decrypted with UnSHc, which recovers the original script: https://github.com/yanncam/UnSHc

The following YARA rule identifies ELF samples built with shc by matching format strings that belong to the C runtime stub shc embeds in every compiled binary, so they are present regardless of which script was compiled:

rule shc
{
	meta:
		description = "Compiled with generic shell script compiler (shc)"
		reference = "https://github.com/neurobin/shc"
		decompiler = "https://github.com/yanncam/UnSHc"

	strings:
		// Format strings from the runtime stub that shc links into every binary
		$ = "=%lu %d"
		$ = "%lu %d%c"
		$ = "%s%s%s: %s"

	condition:
		// uint32(0) reads little-endian, so 0x464c457f is the ELF magic "\x7fELF"
		uint32(0) == 0x464c457f and all of them
}
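To show exactly what the rule's condition tests, here is a pure-Python replica of it run over constructed sample buffers. This is an added example and not code from the original post, from shc, or from UnSHc; the sample buffers are hand-built stand-ins (a minimal ELF64 header prefix with the strings appended), not real shc output, and the function names are my own.

```python
"""Pure-Python replica of the shc YARA rule (added example, not from the
original post). It reproduces the rule's two checks so they can be tested
without the yara binary: uint32(0) == 0x464c457f is the ELF magic "\x7fELF"
read as a little-endian 32-bit integer, and all three format strings must
occur somewhere in the file."""

import struct
from typing import Dict

# The rule's strings. They come from the C runtime stub that shc embeds in
# every compiled binary, which is why they survive across compiled scripts.
SHC_STRINGS = (b"=%lu %d", b"%lu %d%c", b"%s%s%s: %s")

ELF_MAGIC_LE = 0x464C457F  # b"\x7fELF" unpacked as a little-endian uint32


def is_elf(data: bytes) -> bool:
    """Equivalent of YARA's uint32(0) == 0x464c457f (uint32 is little-endian)."""
    if len(data) < 4:
        return False
    return struct.unpack_from("<I", data, 0)[0] == ELF_MAGIC_LE


def shc_string_hits(data: bytes) -> Dict[bytes, bool]:
    """Which of the rule's strings occur anywhere in the buffer.

    Useful when tuning the rule: a partial hit shows which string a
    variant dropped."""
    return {s: (s in data) for s in SHC_STRINGS}


def matches_shc_rule(data: bytes) -> bool:
    """True only for an ELF buffer that contains every string, mirroring the
    rule's condition `uint32(0) == 0x464c457f and all of them`."""
    return is_elf(data) and all(shc_string_hits(data).values())


def _fake_elf(rodata: bytes) -> bytes:
    """Constructed stand-in for a compiled binary (NOT real shc output):
    a 16-byte e_ident (magic, ELFCLASS64, little-endian, version 1, padding),
    the remaining 48 bytes of an ELF64 header zeroed, then the strings."""
    e_ident = b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9
    return e_ident + b"\x00" * 48 + rodata


# Constructed samples covering the three outcomes that matter for the rule.
SAMPLE_SHC_LIKE = _fake_elf(b"\x00".join(SHC_STRINGS) + b"\x00")
SAMPLE_ELF_PARTIAL = _fake_elf(b"=%lu %d\x00%lu %d%c\x00")  # one string missing
SAMPLE_NOT_ELF = b"#!/bin/sh\n# " + b" ".join(SHC_STRINGS) + b"\n"  # a plain script


if __name__ == "__main__":
    for name, buf in (("shc-like ELF", SAMPLE_SHC_LIKE),
                      ("ELF, partial strings", SAMPLE_ELF_PARTIAL),
                      ("plain script", SAMPLE_NOT_ELF)):
        print(f"{name:22s} elf={is_elf(buf)!s:5s} match={matches_shc_rule(buf)}")
```

The third sample is the caveat worth keeping in mind: a shell script (or any non-ELF file) that happens to contain all three strings does not fire, because the ELF magic check is part of the condition, not just a performance optimisation. Against real files the rule is run with the yara CLI, e.g. `yara shc.yar /path/to/samples`.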

YARA Rules Index

2 thoughts on “100 Days of YARA – Day 14: shc Generic Shell Script Compiler”

  1. Pingback: Week 01 – 2022 – This Week In 4n6

  2. Pingback: YARA Rules Index – DMFR SECURITY
