
YARA and Spectra Core

YARA is a tool that allows rule-based identification of files. Files trigger a match when they contain a string or binary pattern defined by the YARA rule.

In the context of Spectra Analyze and Spectra Detect, YARA matching is implemented as part of the Spectra Core static analysis engine. That means that string or binary pattern matching is supported only for files, and not for running process memory.

To classify files using the Spectra Core engine, use YARA tags and custom metadata in the rule's meta section, as in the rule below.

rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof"        // Can be an arbitrary malware family name
        tc_detection_factor = 5          // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}

To classify files as malicious using YARA tags, add the tc_detection and malicious tags as indicated in the code sample above. Likewise, to classify them as suspicious, use the suspicious tag. All files that match the rule will receive the classification corresponding to the tag.

In the meta section, there are several TC-specific keywords that you can include to get a specific malware type or risk score in the final report:

  • tc_detection_type
    • Specifies the type of a matched sample. This must be one of the following strings:
      • Adware
      • Backdoor
      • Browser
      • Dialer
      • Downloader
      • Dropper
      • Exploit
      • Hacktool
      • Infostealer
      • Keylogger
      • Mail
      • Malware
      • Network
      • Packed
      • PUA
      • Ransomware
      • Rogue
      • Rootkit
      • Spyware
      • Trojan
      • Virus
      • Worm
  • tc_detection_name
    • An arbitrary malware family name. This will be displayed as the last part of the reported threat name.
  • tc_detection_factor
    • Severity of sample maliciousness, expressed as an integer from 0 (least dangerous) to 5 (most dangerous). The detection factor maps to the risk score like so:

      tc_detection_factor    risk score
      0                      5
      1                      6
      2                      7
      3                      8
      4                      9
      5                      10

If the meta section contains non-supported values for tc_detection_type and tc_detection_factor (see above), or does not specify the values at all, the type will be Malware and the family YARA, with a risk score of 10.

🍍 As an example, a text file containing the string "pineapple" with a YARA rule that matches such files (see below), but with no additional detail in the meta section, will be classified as Text.Malware.YARA (with a risk score of 10).

rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}
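To see how the tags and meta keywords above turn into a classification, here is an added Python checker (not Spectra Core code, and not part of the original page) that reads a rule's tags and tc_detection_* meta values and predicts the classification, threat name and risk score using the mapping rules documented on this page. It assumes, where the page is silent, that any missing or unsupported meta value triggers the full Malware/YARA/10 fallback, that a rule without a malicious or suspicious tag does not classify, and that the platform part of the threat name ("Text" for a text file) comes from the sample, not the rule; the sample rules are constructed for the demo.

```python
import re

# tc_detection_type values listed as valid on this page.
VALID_TYPES = {
    "Adware", "Backdoor", "Browser", "Dialer", "Downloader", "Dropper",
    "Exploit", "Hacktool", "Infostealer", "Keylogger", "Mail", "Malware",
    "Network", "Packed", "PUA", "Ransomware", "Rogue", "Rootkit", "Spyware",
    "Trojan", "Virus", "Worm",
}
FALLBACK = ("Malware", "YARA", 10)  # type, family, risk score when meta is missing/invalid

RULE_HEADER = re.compile(r"\brule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{")
META_ENTRY = re.compile(r'^\s*(tc_detection_\w+)\s*=\s*(?:"([^"]*)"|(-?\d+))', re.M)


def predicted_classification(rule_text, platform="Text"):
    """Return (classification, threat_name, risk_score) for a file this rule matches,
    or None if the rule carries no tc_detection tag and so does not classify."""
    text = re.sub(r"//[^\n]*", "", rule_text)  # strip // comments before parsing
    header = RULE_HEADER.search(text)
    if header is None:
        raise ValueError("no YARA rule header found")
    tags = set((header.group(2) or "").split())
    if "tc_detection" not in tags:
        return None
    if "malicious" in tags:
        classification = "malicious"
    elif "suspicious" in tags:
        classification = "suspicious"
    else:
        return None  # assumption: the page documents only these two tags
    meta = {}
    for m in META_ENTRY.finditer(text):  # quoted string or bare integer value
        meta[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    dtype, family, factor = (meta.get(k) for k in
                             ("tc_detection_type", "tc_detection_name", "tc_detection_factor"))
    if dtype in VALID_TYPES and family and factor and factor.isdigit() and 0 <= int(factor) <= 5:
        score = int(factor) + 5  # factor 0..5 maps to risk score 5..10
    else:
        dtype, family, score = FALLBACK  # assumption: any bad/missing value -> full fallback
    return classification, f"{platform}.{dtype}.{family}", score


# Constructed sample rules (the first two mirror the page's examples).
EXAMPLE_RULE = 'rule ExampleRule : tc_detection malicious // tags\n{\n  meta:\n' \
    '    tc_detection_type = "Ransomware"\n    tc_detection_name = "Oof"\n' \
    '    tc_detection_factor = 5\n  strings:\n    $1 = "example"\n  condition:\n    $1\n}'
PINEAPPLE_RULE = 'rule PineappleDetector : tc_detection malicious\n{\n  strings:\n' \
    '    $1 = "pineapple"\n  condition:\n    $1\n}'
SUSPICIOUS_RULE = 'rule Sus : tc_detection suspicious\n{\n  meta:\n    tc_detection_type = "Trojan"\n' \
    '    tc_detection_name = "Foo"\n    tc_detection_factor = 2\n  condition:\n    true\n}'
BAD_TYPE_RULE = 'rule Bad : tc_detection malicious\n{\n  meta:\n    tc_detection_type = "Bogus"\n' \
    '    tc_detection_name = "Foo"\n    tc_detection_factor = 1\n  condition:\n    true\n}'

if __name__ == "__main__":
    for r in (EXAMPLE_RULE, PINEAPPLE_RULE, SUSPICIOUS_RULE, BAD_TYPE_RULE):
        print(predicted_classification(r))
```

Running the checker over a rule set before uploading it is a cheap way to catch a misspelled tc_detection_type that would silently collapse every match to Text.Malware.YARA at risk score 10.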