YARA Hunting
Classifying files with YARA rules
YARA is a tool that allows rule-based identification of files. Files trigger a match when they contain a string or binary pattern defined by the YARA rule.
In the context of Spectra Analyze and Spectra Detect, YARA matching is implemented as part of the Spectra Core static analysis engine. That means that string or binary pattern matching is supported only for files, and not for running process memory.
To classify files using the Spectra Core engine, use YARA tags and custom metadata.
rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof" // Can be an arbitrary malware family name
        tc_detection_factor = 5 // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}
To classify files as malicious using YARA tags, add the tc_detection and malicious tags as indicated in the code sample above. Likewise, to classify them as suspicious, use the suspicious tag. All files that match the rule will receive the classification corresponding to the tag.
In the meta section, there are several TC-specific keywords that you can include to get a specific malware type or risk score in the final report:
tc_detection_type
- Specifies the type of a matched sample. This must be one of the following strings:
- Adware
- Backdoor
- Browser
- Dialer
- Downloader
- Dropper
- Exploit
- Hacktool
- Infostealer
- Keylogger
- Malware
- Network
- Packed
- PUA
- Ransomware
- Rogue
- Rootkit
- Spyware
- Trojan
- Virus
- Worm
tc_detection_name
- An arbitrary malware family name. This will be displayed as the last part of the reported threat name.
tc_detection_factor
- Severity of sample maliciousness, expressed as an integer from 0 (least dangerous) to 5 (most dangerous). The detection factor maps to the risk score like so:

  tc_detection_factor    risk score
  0                      5
  1                      6
  2                      7
  3                      8
  4                      9
  5                      10
If the meta section contains non-supported values for tc_detection_type and tc_detection_factor (see above), or does not specify the values at all, the type will be Malware and the family YARA, with a risk score of 10.
🍍 As an example, a text file containing the string "pineapple" with a YARA rule that matches such files (see below), but with no additional detail in the meta section, will be classified as Text.Malware.YARA (with a risk score of 10).
rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}
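The following script, added here as an illustration and not part of Spectra Analyze or any ReversingLabs code, works through the classification logic described above: it reads the tags and meta section of a rule with a deliberately simplified parser, checks tc_detection_type against the list of valid types, maps tc_detection_factor to a risk score with the table above, and applies the Malware/YARA/10 fallback when a value is missing or unsupported. The threat-name layout `<format>.<type>.<family>` is taken from the Text.Malware.YARA example; the parser, the `file_format` parameter, and the choice to treat any missing or unsupported value as a full fallback are assumptions made for this example.

```python
import re

# Malware types the page lists as valid tc_detection_type values.
VALID_TYPES = {
    "Adware", "Backdoor", "Browser", "Dialer", "Downloader", "Dropper",
    "Exploit", "Hacktool", "Infostealer", "Keylogger", "Malware", "Network",
    "Packed", "PUA", "Ransomware", "Rogue", "Rootkit", "Spyware", "Trojan",
    "Virus", "Worm",
}

# tc_detection_factor 0..5 maps to risk score 5..10 (table on the page).
FACTOR_TO_RISK = {factor: factor + 5 for factor in range(6)}

# Values used when the type or factor is missing or unsupported.
FALLBACK_TYPE, FALLBACK_FAMILY, FALLBACK_RISK = "Malware", "YARA", 10

_STRING_OR_COMMENT = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*')
_RULE_HEADER = re.compile(r"^\s*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{", re.M)
_META_BLOCK = re.compile(r"meta\s*:(.*?)(?=\n\s*(?:strings|condition)\s*:)", re.S)
_META_ENTRY = re.compile(r'^\s*(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false)', re.M)


def _strip_line_comments(text):
    # Drop // comments but leave quoted strings (which may contain //) intact.
    return _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def parse_rule(text):
    """Return (name, tags, meta) for the first rule in `text`.

    Simplified reader of YARA syntax (assumption): one plain `rule` per call,
    no private/global modifiers, no /* */ comments, and meta values that are
    quoted strings, integers or booleans. Not the product's own parser."""
    text = _strip_line_comments(text)
    header = _RULE_HEADER.search(text)
    if header is None:
        raise ValueError("no YARA rule header found")
    name = header.group(1)
    tags = set((header.group(2) or "").split())
    meta = {}
    block = _META_BLOCK.search(text, header.end())
    if block is not None:
        for key, raw in _META_ENTRY.findall(block.group(1)):
            if raw.startswith('"'):
                meta[key] = raw[1:-1]
            elif raw in ("true", "false"):
                meta[key] = raw == "true"
            else:
                meta[key] = int(raw)
    return name, tags, meta


def classify(rule_text, file_format):
    """Classification a matching file would receive from this rule, or None
    if the rule carries no classifying tags. `file_format` ("Text", "PE", ...)
    is assumed to form the first part of the threat name, as in Text.Malware.YARA."""
    name, tags, meta = parse_rule(rule_text)
    if "tc_detection" not in tags:
        return None
    if "malicious" in tags:
        verdict = "malicious"
    elif "suspicious" in tags:
        verdict = "suspicious"
    else:
        return None

    mtype = meta.get("tc_detection_type")
    factor = meta.get("tc_detection_factor")
    # bool is a subclass of int, so exclude it explicitly.
    factor_ok = (isinstance(factor, int) and not isinstance(factor, bool)
                 and factor in FACTOR_TO_RISK)
    if mtype in VALID_TYPES and factor_ok:
        # Assumption: a missing family name also falls back to "YARA".
        family = meta.get("tc_detection_name") or FALLBACK_FAMILY
        risk = FACTOR_TO_RISK[factor]
    else:
        # Assumption: any missing or unsupported value triggers the full fallback.
        mtype, family, risk = FALLBACK_TYPE, FALLBACK_FAMILY, FALLBACK_RISK
    return {"rule": name, "verdict": verdict,
            "threat_name": f"{file_format}.{mtype}.{family}", "risk_score": risk}


# Constructed sample rules for this example (not from any real ruleset).
EXAMPLE_RULE = """rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware"
        tc_detection_name = "Oof"
        tc_detection_factor = 5
    strings:
        $1 = "example"
    condition:
        $1
}"""

PINEAPPLE_RULE = """rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}"""

SUSPICIOUS_RULE = """rule LowFactor : tc_detection suspicious
{
    meta:
        tc_detection_type = "Trojan"
        tc_detection_name = "Example"
        tc_detection_factor = 2
    condition:
        true
}"""

if __name__ == "__main__":
    for rule in (EXAMPLE_RULE, PINEAPPLE_RULE, SUSPICIOUS_RULE):
        print(classify(rule, "Text"))
```

Running the script prints the verdict, threat name and risk score each sample rule would produce; the PineappleDetector rule yields Text.Malware.YARA with risk score 10 because its meta section is absent, which is the fallback case the text describes.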
If a file has been classified by a YARA rule, the Static Analysis > Classification section on the Sample Details page includes links to the YARA rules that the file has matched. Clicking the link to a ruleset redirects to the YARA page containing the selected ruleset and its matches.
To find files tagged by YARA rules on the appliance or in the Spectra Intelligence cloud, use the tag-yara keyword on the Search page. For example, the search query tag-yara:malicious threatname:*ransomware* returns all files classified as malicious by YARA rules, with “ransomware” in their detected threat name.
All files that match the YARA rule are automatically tagged with those custom tags after analysis. If a file has any YARA tags, they can be found in the Static Analysis > Classification > YARA > Tags section on the Sample Details page.
Changes to YARA tags are not immediately reflected in the Search results. When a YARA tag is added, changed, or removed from a rule, the files that match the rule must be reanalyzed with Spectra Core first. Alternatively, you can also run a local retro scan.
For example, if a YARA tag “test” is renamed to “test2”, searching for tag-yara:test returns the same results until all matching files are reanalyzed with Spectra Core. After they are reanalyzed, the files can be found with the new tag, tag-yara:test2, and the old tag will not return any results.
How YARA Hunting Works on Spectra Analyze
Spectra Analyze contains default YARA rulesets, but also allows users to create and edit custom rulesets, as well as to synchronize rulesets with other ReversingLabs products.
The default YARA rulesets are called Spectra Core rulesets. They can be accessed by selecting the “Spectra Core Rulesets” option in the filter pull-down menu on the YARA Hunting page. Those rulesets are applied only to local files on the appliance (through Continuous Local Matching). Spectra Core rulesets cannot be saved to the cloud or modified (edited, disabled, or deleted) in any way by any type of user.
Rulesets present on Spectra Analyze by default are open source, and published by ReversingLabs in a public GitHub repository. Additional rulesets can be imported as files, or from online sources, straight from the YARA page. For more information on importing rulesets, refer to the YARA Repository Management chapter.
Files are matched against YARA rulesets on the Spectra Analyze appliance in four different ways.
- Continuous Local Matching (Default)
When a YARA ruleset is created on or uploaded to Spectra Analyze, it continuously looks for matches among local files that are added to the Spectra Analyze appliance after the ruleset has been created. This is the default behavior when Spectra Intelligence is not configured on the appliance, and when a YARA ruleset is not saved to Spectra Intelligence.
Local matches for rulesets cannot be removed from the list of matches on the YARA page.
- Continuous Cloud Matching
When a new or existing YARA ruleset is selected to run continuously in the Spectra Intelligence cloud, it looks for matches among files that are added after the ruleset has been created. This includes local files added to the Spectra Analyze appliance, and files in the cloud uploaded through various ReversingLabs services (such as APIs).
The prerequisite for Continuous Cloud Matching is that the Spectra Analyze appliance is connected to Spectra Intelligence.
Important Note
Every Spectra Analyze instance must be connected to a different Spectra Intelligence account. Sharing accounts between multiple instances can interfere with the functionality of the appliance (particularly with YARA rule synchronization). Appliance administrators should ensure that the cloud account credentials are properly configured in the Administration ‣ Configuration ‣ Spectra Intelligence dialog.
YARA rulesets that are saved to Spectra Intelligence can match up to 10 000 samples. When a ruleset reaches that many matches, it will be capped and new matches will no longer be stored on the Spectra Analyze appliance. To free up space and continue collecting new matches for the ruleset, users have to remove at least 1000 old matches.
Find more information in the Hunting for Malware in the Spectra Intelligence cloud with YARA section.
- Retroactive Cloud Matching
When a new or existing YARA ruleset is selected to run continuously in the Spectra Intelligence cloud, and the YARA Retroactive Hunting feature is enabled on the appliance, the ruleset can be selectively matched against files in the cloud that have been analyzed in the past 90 days.
The ruleset will continuously look for new matches among local files that are added to the Spectra Analyze appliance while a Cloud Retro scan is in progress.
Find more information in the Cloud Retro Hunting section.
- Retroactive Local Matching
When the YARA Retroactive Hunting feature is started, all rulesets that are active (enabled) on the appliance will be included in a Local Retro scan. This also includes the default Spectra Core rulesets. While a Local Retro scan is in progress, the appliance still continues to analyze new files that are added to the appliance. The processing priority is given to newly added files to prevent delays.
The Local Retro scan runs against all local files regardless of their age and analysis date. If users want to prevent the Local Retro scan for one or more rulesets, those rulesets have to be disabled on the appliance.
Local Retro matches for rulesets cannot be removed from the list of matches on the YARA page.
Find more information in the Local Retro Hunting section.
Understanding the YARA Page
Clicking the Yara item in the top-level menu brings the user to the YARA Hunting page, which displays a list of rulesets (collections of YARA rules) and matching statistics.
Filters
The search bar allows users to filter the list of rulesets by typing the full or partial name of a ruleset. Enclose the search string in quotation marks for exact name matching.
Next to the search bar, several menus allow filtering according to ruleset ownership, status and source (for imported rulesets).
Some notes on the possible choices:
- Under the ownership menu, "User Rulesets" will show all rulesets from all users except the current user ("My Rulesets")
- Under the status menu, you can find rulesets with warnings (for example, with a syntax error), as well as rulesets that were capped in Spectra Intelligence
Filters are reflected in the URL (as query parameters), which means that you can share a filtered page. For example:
?name=yippee-ki-yay&owner=owner_user_jmcclane&status=enabled
...will present a page where the ruleset names contain "yippee-ki-yay", where their owner is user jmcclane (note the "owner_user_" prefix), and where such rulesets are enabled.
Actions
The indicators and buttons in the top right of the page display the actions and status information related to YARA Retroactive Hunting.
- The Add Ruleset button provides the options to create, import or upload rulesets.
- The Actions button allows starting a Local Retro Scan on all active rulesets on the appliance, and contains links to the list of previous retro hunts and YARA repository management. The retro hunt list is also accessible via the Open Retro Hunt List button.
- The gear icon menu allows the users to customize the YARA table columns and date format.
- The synchronization status indicator is visible only if Spectra Intelligence is correctly configured on the appliance, and if at least one YARA ruleset on the appliance is saved in the Spectra Intelligence cloud. Hovering over the indicator with the mouse activates a “Skip To” link that can be used to postpone ruleset synchronization.
Results
If a ruleset is greyed out on the page, it is disabled. Disabled rulesets are not active on the appliance and are not included in any of the Local, Cloud, or Retro scans.
Clicking the star icon next to the ruleset adds it to favorites for the current user. Favorite rulesets are listed in the YARA Matches section on the Dashboard. Up to 10 rulesets can be added to favorites.
Every ruleset has one or more status indicators. Hovering over the indicator icon displays a tooltip with more information about every status.
The far right action menu (☰) for each ruleset contains options for testing, editing, exporting, disabling, and deleting the ruleset, and options to subscribe (create Alerts for new YARA matches) or unsubscribe from a ruleset.
Spectra Core rulesets can only be edited and exported, but not disabled or deleted. Selecting the Edit option for a Spectra Core ruleset opens the ruleset editor where the user can preview and copy the contents of the ruleset, but cannot save any changes to it.
Creating New YARA Rulesets
YARA rulesets on the Spectra Analyze appliance can be created from scratch, uploaded as files, or imported from a number of popular online sources. There is also a YARA API.
ReversingLabs products, including Spectra Analyze, support the following YARA modules:
- PE
- ELF
- Dex
- Macho
- String
- Math
- Hash
- Time
- Dotnet