yara的安装与使用

yara可以说是正则匹配的工具吧，一般用于病毒的静态检测

下载

这里直接下载windows的

https://github.com/VirusTotal/yara/releases

也可以从这下

https://www.dropbox.com/sh/umip8ndplytwzj1/AADdLRsrpJL1CM1vPVAxc5JZa?dl=0&lst=

Ubuntu 懒得编译可以直接apt安装

sudo apt install yara

用官方最简单的示例测试是否可用

// 最简单的规则
echo "rule dummy { condition: true }" > my_first_rule
// 用规则测试规则
yara my_first_rule my_first_rule

获取yara规则

有开源的：https://github.com/Yara-Rules/rules

规则分11大类：

1. Antidebug_AntiVM：反调试/反沙箱类yara规则
2. Crypto：加密类yara规则
3. CVE_Rules：CVE漏洞利用类yara规则
4. email：恶意邮件类yara规则
5. Exploit-Kits：EK类yara规则
6. Malicious_Documents：恶意文档类yara规则
7. malware：恶意软件类yara规则
8. Mobile_Malware：移动恶意软件类yara规则
9. Packers：加壳类yara规则
10. utils：通用类yara规则
11. Webshells：Webshell类yara规则

获取样本测试

https://github.com/ytisf/theZoo/tree/master/malwares/Binaries

我们随便下载一个，比如WannaCry的

https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry

我们看看他用了什么加密算法，可以看到使用了CRC32，以及AES算法

giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Crypto_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Crypto/crypto_signatures.yar(12): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(24): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(36): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(48): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(60): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(72): warning: $c0 is slowing down scanning (critical!)
../rules/./Crypto/crypto_signatures.yar(93): warning: $c0 is slowing down scanning
../rules/./Crypto/crypto_signatures.yar(776): warning: $c0 is slowing down scanning
CRC32_poly_Constant ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
CRC32_table ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_CHAR ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
RijnDael_AES_LONG ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

看看属于哪类恶意样本，判断还是比较准确

giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/malware_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./malware/APT_DPRK_ROKRAT.yar(47): warning: $b2 is slowing down scanning
../rules/./malware/RAT_Ratdecoders.yar(153): warning: $conf is slowing down scanning (critical!)
    Str_Win32_Winsock2_Library ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaDecryptor ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
ransom_telefonica ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Wanna_Cry_Ransomware_Generic ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
WannaCry_Ransomware_Dropper ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
wannacry_static_ransom ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

看看加了什么壳

giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Packers_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
../rules/./Packers/Javascript_exploit_and_obfuscation.yar(26): warning: $fff is slowing down scanning (critical!)
../rules/./Packers/peid.yar(672): warning: $a is slowing down scanning (critical!)
../rules/./Packers/peid.yar(900): warning: $a is slowing down scanning
。。。。。。。。
。。。。。。。。
。。。。。。。。
../rules/./Packers/peid.yar(68942): warning: $a is slowing down scanning
../rules/./Packers/peid.yar(68951): warning: $a is slowing down scanning
IsPE32 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsWindowsGUI ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
IsPacked ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
HasRichSignature ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v60 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC_additional ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_50 ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp_v50v60_MFC ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Microsoft_Visual_Cpp ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

有没有反调试反虚拟机

giantbranch@ubuntu:~/yara/Ransomware.WannaCry$ yara ../rules/Antidebug_AntiVM_index.yar ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
SEH_Init ./ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

简单总结

通过yara，还有一些开源的规则，我们可以简单快速地静态分析恶意软件

reference

https://yara.readthedocs.io/en/v3.7.0/gettingstarted.html
https://blog.csdn.net/m0_37552052/article/details/79012453