YARA and Spectra Core
YARA is a tool that allows rule-based identification of files. Files trigger a match when they contain a string or binary pattern defined by the YARA rule.
In the context of Spectra Analyze and Spectra Detect, YARA matching is implemented as part of the Spectra Core static analysis engine. That means that string or binary pattern matching is supported only for files, and not for running process memory.
To classify files using the SpectraCore engine, use YARA tags and custom metadata.
```yara
rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof" // Can be an arbitrary malware family name
        tc_detection_factor = 5 // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}
```
To classify files as malicious using YARA tags, add the `tc_detection` and `malicious` tags as indicated in the code sample above. Likewise, to classify them as suspicious, use the `suspicious` tag. All files that match the rule will receive the classification corresponding to the tag.
In the `meta` section, there are several TC-specific keywords that you can include to get a specific malware type or risk score in the final report:
- `tc_detection_type` - Specifies the type of a matched sample. This must be one of the following strings:
  - Adware
  - Backdoor
  - Browser
  - Dialer
  - Downloader
  - Dropper
  - Exploit
  - Hacktool
  - Infostealer
  - Keylogger
  - Malware
  - Network
  - Packed
  - PUA
  - Ransomware
  - Rogue
  - Rootkit
  - Spyware
  - Trojan
  - Virus
  - Worm
- `tc_detection_name` - An arbitrary malware family name. This will be displayed as the last part of the reported threat name.
- `tc_detection_factor` - Severity of sample maliciousness, expressed as an integer from 0 (least dangerous) to 5 (most dangerous). The detection factor maps to the risk score like so:

| tc_detection_factor | risk score |
|---|---|
| 0 | 5 |
| 1 | 6 |
| 2 | 7 |
| 3 | 8 |
| 4 | 9 |
| 5 | 10 |
If the `meta` section contains non-supported values for `tc_detection_type` and `tc_detection_factor` (see above), or does not specify the values at all, the type will be Malware and the family YARA, with a risk score of 10.
🍍 As an example, a text file containing the string "pineapple" with a YARA rule that matches such files (see below), but with no additional detail in the `meta` section, will be classified as Text.Malware.YARA (with a risk score of 10).
```yara
rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}
```
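As an added example (not part of this documentation and not Spectra Core's own code), the following Python script applies the tag and `meta` rules described above to a rule's source text before it is uploaded: it reads the tags and the `meta` section, checks `tc_detection_type` against the supported list, maps `tc_detection_factor` to the risk score from the table, and applies the documented Malware / YARA / 10 fallback, so the threat name and risk score Spectra Core would report can be predicted and any mistakes in the `meta` section flagged. The regular expressions, the helper names, and the `SuspiciousMzHeader` rule are constructed for this example; the threat-name prefix ("Text" in the pineapple example) comes from file identification rather than from the rule, so the caller passes it in; and the handling of a missing `tc_detection_name` when type and factor are valid is an assumption, marked in the code, since the page only describes the combined fallback.

```python
import re

# Supported tc_detection_type values, copied from the list in the documentation above.
ALLOWED_TYPES = frozenset((
    "Adware", "Backdoor", "Browser", "Dialer", "Downloader", "Dropper", "Exploit",
    "Hacktool", "Infostealer", "Keylogger", "Malware", "Network", "Packed", "PUA",
    "Ransomware", "Rogue", "Rootkit", "Spyware", "Trojan", "Virus", "Worm"))
RISK_BY_FACTOR = {0: 5, 1: 6, 2: 7, 3: 8, 4: 9, 5: 10}  # tc_detection_factor -> risk score
FALLBACK = ("Malware", "YARA", 10)  # type, family, risk score when the meta is missing or invalid

# Constructed helpers: rule header with optional tags, the meta section, and key = value pairs.
_HEADER_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{", re.M)
_META_RE = re.compile(r"^\s*meta\s*:\s*(.*?)(?=^\s*(?:strings|condition)\s*:)", re.S | re.M)
_KV_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(-?\d+)|(true|false))')
# A double-quoted string is tried before a // comment, so a // inside a string survives.
_COMMENT_OR_STR_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')


def strip_line_comments(text):
    """Drop // comments from YARA source. /* */ block comments are not handled."""
    return _COMMENT_OR_STR_RE.sub(lambda m: "" if m.group(0).startswith("//") else m.group(0), text)


def parse_rule(rule_text):
    """Return (name, tags, meta) for the first rule in rule_text."""
    text = strip_line_comments(rule_text)
    m = _HEADER_RE.search(text)
    if not m:
        raise ValueError("no YARA rule header found")
    tags = m.group(2).split() if m.group(2) else []
    meta = {}
    mm = _META_RE.search(text)
    if mm:
        for key, s, n, b in _KV_RE.findall(mm.group(1)):
            meta[key] = int(n) if n else (b == "true" if b else s)
    return m.group(1), tags, meta


def expected_classification(rule_text, file_format):
    """Predict the verdict, threat name and risk score for a file this rule matches.

    file_format is the threat-name prefix supplied by file identification ("Text" in
    the pineapple example). Returns None when the rule carries no classifying tags.
    """
    name, tags, meta = parse_rule(rule_text)
    if "tc_detection" not in tags or not ({"malicious", "suspicious"} & set(tags)):
        return None
    verdict = "malicious" if "malicious" in tags else "suspicious"
    mtype, family = meta.get("tc_detection_type"), meta.get("tc_detection_name")
    factor = meta.get("tc_detection_factor")
    warnings = []
    if mtype not in ALLOWED_TYPES:
        warnings.append(f"tc_detection_type {mtype!r} is not a supported type")
    if type(factor) is not int or factor not in RISK_BY_FACTOR:
        warnings.append(f"tc_detection_factor {factor!r} is not an integer from 0 to 5")
    if warnings:  # documented fallback: type Malware, family YARA, risk score 10
        mtype, family, risk = FALLBACK
    else:
        risk = RISK_BY_FACTOR[factor]
        if not isinstance(family, str) or not family:
            # Assumption: a missing name alone falls back to the family "YARA"; the
            # documentation only spells out the fallback for type and factor.
            warnings.append("tc_detection_name missing; assuming family YARA")
            family = "YARA"
    return {"rule": name, "classification": verdict, "risk_score": risk,
            "threat_name": f"{file_format}.{mtype}.{family}", "warnings": warnings}


# The two rules from the documentation above, plus a constructed suspicious rule.
EXAMPLE_RULE = '''\
rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof"
        tc_detection_factor = 5
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}'''
PINEAPPLE_RULE = '''\
rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}'''
SUSPICIOUS_RULE = '''\
rule SuspiciousMzHeader : tc_detection suspicious
{
    meta:
        tc_detection_type = "Spyware"
        tc_detection_factor = 2
    condition:
        uint16(0) == 0x5A4D // constructed: any MZ header, for illustration only
}'''
```

Calling `expected_classification(EXAMPLE_RULE, "Text")` gives `Text.Ransomware.Oof` with risk score 10 and no warnings; `PINEAPPLE_RULE` gives `Text.Malware.YARA` with risk score 10 and two warnings (type and factor missing), matching the example above; `SUSPICIOUS_RULE` gives a suspicious classification with risk score 7. Running the function over a rule set before upload turns the silent fallback into a visible warning, which matters because a typo in `tc_detection_type` otherwise raises the reported risk score to 10.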