Version: Spectra Detect 6.0.3

Spectra Detect YARA Hunting — Custom Rules, Modules, and Worker Sync

Classifying Files with YARA Rules

YARA is a tool that allows rule-based identification of files. Files trigger a match when they contain a string or binary pattern defined by the YARA rule.

In the context of Spectra Analyze and Spectra Detect, YARA matching is implemented as part of the Spectra Core static analysis engine. That means that string or binary pattern matching is supported only for files, and not for running process memory.

To classify files using the Spectra Core engine, use YARA rule tags and custom metadata, as in the following rule:

rule ExampleRule : tc_detection malicious // Tags must be present
{
    meta:
        tc_detection_type = "Ransomware" // Has to be a valid RL malware type
        tc_detection_name = "Oof"        // Can be an arbitrary malware family name
        tc_detection_factor = 5          // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}

To classify files as malicious using YARA tags, add the tc_detection and malicious tags as indicated in the code sample above. Likewise, to classify them as suspicious, use the suspicious tag. All files that match the rule will receive the classification corresponding to the tag.

In the meta section, there are several TC-specific keywords that you can include to get a specific malware type or risk score in the final report:

  • tc_detection_type
    • Specifies the type of a matched sample. This must be one of the following strings:
      • Adware
      • Backdoor
      • Browser
      • Dialer
      • Downloader
      • Dropper
      • Exploit
      • Hacktool
      • Infostealer
      • Keylogger
      • Mail
      • Malware
      • Network
      • Packed
      • PUA
      • Ransomware
      • Rogue
      • Rootkit
      • Spyware
      • Trojan
      • Virus
      • Worm
  • tc_detection_name
    • An arbitrary malware family name. This will be displayed as the last part of the reported threat name.
  • tc_detection_factor
    • Severity of sample maliciousness, expressed as an integer from 0 (least dangerous) to 5 (most dangerous). The detection factor maps to the risk score as follows:

      tc_detection_factor   risk score
      0                     5
      1                     6
      2                     7
      3                     8
      4                     9
      5                     10
Important: If the meta section contains values not supported by the ReversingLabs malware naming standard for tc_detection_type, tc_detection_name, or tc_detection_factor, or does not specify these values at all, the type will be Malware and the family YARA, with a risk score of 10. For example, tc_detection_name does not support any special characters apart from -, which should be used only when the name is a CVE or CAN name (e.g. CVE-2012-0158).

🍍 As an example, a text file containing the string "pineapple" with a YARA rule that matches such files (see below), but with no additional detail in the meta section will be classified as Text.Malware.YARA (with a risk score of 10).

rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}

Using YARA with Spectra Detect Worker

Default YARA rulesets on the appliance are automatically installed with the Spectra Core static analysis engine. With every engine update, these rulesets are updated as well. The rulesets cannot be saved to the Spectra Intelligence cloud or modified (edited, disabled, or deleted) in any way by any type of user.

Additionally, ReversingLabs publishes open source YARA rules in a public GitHub repository. These rules can be freely downloaded and imported into any Worker.

In addition to default YARA rulesets, the Worker can use custom rulesets created by users. This is available by pulling rulesets from other Spectra Analyze and Worker appliances using the YARA Sync feature on Spectra Detect Manager.

Rulesets and restrictions

ReversingLabs products support the following YARA modules:

  • PE
  • ELF
  • Math
  • Hash
  • Time
  • Dotnet
Note: "import" and "include" statements are not supported.

Save custom YARA rulesets as files with the .yara extension.

Naming restrictions:

  • YARA ruleset names must be between 3 and 48 characters.
  • Ruleset names may contain only letters (a-z, A-Z), digits (0-9) and the underscore ( _ ). Use the underscore instead of spaces and avoid any other special characters.
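The following pre-flight linter is an added example, not ReversingLabs code. It checks a custom ruleset against the restrictions above (the tc_detection and malicious/suspicious tags, the allowed tc_detection_type values, the tc_detection_name character rule, the 0-5 tc_detection_factor, the .yara extension and ruleset naming rule, and the absence of import/include statements) and predicts the Type.Family and risk score the engine would report, including the Malware.YARA fallback described earlier. The parser is a hypothetical, regex-based one written for this example; the CVE/CAN name pattern, the requirement that tc_detection_factor be an unquoted integer, and the handling of the file-format prefix (e.g. "Text.") are assumptions rather than documented behaviour.

```python
"""Pre-flight linter for custom Spectra Detect YARA rulesets (added example,
not ReversingLabs code). Checks the documented restrictions and predicts the
Type.Family and risk score the engine would report. The CVE/CAN pattern, the
unquoted-integer factor rule and the format prefix handling are assumptions."""
import re
from dataclasses import dataclass, field

ALLOWED_TYPES = {  # tc_detection_type values listed in the documentation
    "Adware", "Backdoor", "Browser", "Dialer", "Downloader", "Dropper", "Exploit",
    "Hacktool", "Infostealer", "Keylogger", "Mail", "Malware", "Network", "Packed",
    "PUA", "Ransomware", "Rogue", "Rootkit", "Spyware", "Trojan", "Virus", "Worm"}
CLASSIFICATIONS = {"malicious", "suspicious"}
FALLBACK = ("Malware.YARA", 10)  # used when any tc_* meta value is missing or invalid

RULE_RE = re.compile(r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+(?P<name>\w+)"
                     r"[ \t]*(?::[ \t]*(?P<tags>[^{\n]*))?\s*\{", re.M)
META_RE = re.compile(r"meta\s*:(?P<body>.*?)(?=^\s*(?:strings|condition)\s*:)", re.S | re.M)
META_LINE_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|-?\d+|true|false)'
                          r"\s*(?://.*)?$")
FAMILY_RE = re.compile(r"^[A-Za-z0-9]+$")
CVE_RE = re.compile(r"^(?:CVE|CAN)-\d{4}-\d{4,}$")  # assumption: the only dashed names allowed
RULESET_RE = re.compile(r"^[A-Za-z0-9_]{3,48}$")
STATEMENT_RE = re.compile(r'^\s*(?:import|include)\s+"', re.M)


@dataclass
class RuleReport:
    name: str
    tags: list
    meta: dict                 # raw meta tokens, quotes kept
    issues: list = field(default_factory=list)
    classification: str = ""   # malicious / suspicious, "" if the rule cannot classify
    threat_name: str = ""      # Type.Family; the engine prepends the file format (e.g. Text.)
    risk_score: int = 0


def parse_meta(body):
    """Return {key: raw token} for the meta section of one rule body."""
    m = META_RE.search(body)
    meta = {}
    for line in (m.group("body").splitlines() if m else []):
        lm = META_LINE_RE.match(line)
        if lm:
            meta[lm.group("key")] = lm.group("val")
    return meta


def _string(raw):
    """Unquote a string meta token; None for a missing or non-string value."""
    return raw[1:-1] if raw and raw.startswith('"') else None


def check_rule(name, tags, meta):
    r = RuleReport(name, tags, meta)
    if "tc_detection" not in tags:
        r.issues.append("missing tc_detection tag, rule will not classify files")
    cls = [t for t in tags if t in CLASSIFICATIONS]
    if len(cls) == 1:
        r.classification = cls[0]
    else:
        r.issues.append("exactly one of the malicious/suspicious tags is required")
    dtype = _string(meta.get("tc_detection_type"))
    family = _string(meta.get("tc_detection_name"))
    factor = meta.get("tc_detection_factor")  # must be an unquoted integer, as in the page's example
    ok = True
    if dtype not in ALLOWED_TYPES:
        ok = False
        r.issues.append(f"tc_detection_type {dtype!r} is not a valid RL malware type")
    if family is None or not (FAMILY_RE.match(family) or CVE_RE.match(family)):
        ok = False
        r.issues.append(f"tc_detection_name {family!r} must be alphanumeric (dash only in CVE/CAN names)")
    if factor is None or not re.fullmatch(r"[0-5]", factor):
        ok = False
        r.issues.append(f"tc_detection_factor {factor!r} must be an integer 0-5")
    if ok:
        r.threat_name, r.risk_score = f"{dtype}.{family}", int(factor) + 5
    else:
        r.threat_name, r.risk_score = FALLBACK
        r.issues.append(f"falls back to {FALLBACK[0]} with risk score {FALLBACK[1]}")
    return r


def lint_ruleset(filename, source):
    """Check file-level restrictions and every rule; returns (file issues, rule reports)."""
    issues = []
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext != "yara":
        issues.append(f"{filename}: save custom rulesets with the .yara extension")
    if not RULESET_RE.fullmatch(stem):
        issues.append(f"{stem!r}: ruleset name must be 3-48 characters of [A-Za-z0-9_]")
    if STATEMENT_RE.search(source):
        issues.append("import/include statements are not supported on the Worker")
    headers = list(RULE_RE.finditer(source))
    reports = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(source)
        tags = (h.group("tags") or "").split("//")[0].split()  # drop a trailing comment
        reports.append(check_rule(h.group("name"), tags, parse_meta(source[h.end():end])))
    return issues, reports


# Constructed sample: the two rules from the page plus one deliberately broken rule.
SAMPLE_RULESET = """\
rule ExampleRule : tc_detection malicious
{
    meta:
        tc_detection_type = "Ransomware"
        tc_detection_name = "Oof"
        tc_detection_factor = 5 // 0-5, where 5 is most dangerous
    strings:
        $1 = "example"
        $2 = { DE AD BE EF }
    condition:
        $1 or $2
}

rule PineappleDetector : tc_detection malicious
{
    strings:
        $1 = "pineapple"
    condition:
        $1
}

rule BadMeta : tc_detection suspicious
{
    meta:
        tc_detection_type = "Cryptominer"   // not an RL malware type
        tc_detection_name = "Bad Name!"
        tc_detection_factor = 2
    condition:
        true
}
"""

if __name__ == "__main__":
    file_issues, rules = lint_ruleset("custom rules.yara", SAMPLE_RULESET)
    for issue in file_issues:
        print("ruleset:", issue)
    for r in rules:
        print(f"{r.name}: {r.classification or '-'} {r.threat_name} risk={r.risk_score}")
        for issue in r.issues:
            print("   ", issue)
```

Run it before pushing a ruleset through YARA Sync: the file name "custom rules.yara" is flagged for the space, ExampleRule predicts Ransomware.Oof with risk score 10, PineappleDetector and BadMeta both drop to the Malware.YARA fallback, and BadMeta additionally lists why. The engine's own parser is authoritative; this linter only catches the documented mistakes before they reach the Worker.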
Tip: For more information on writing YARA rulesets, consult one of the following sources:

Troubleshooting YARA Issues on the Worker

If a Worker does not appear on the YARA Sync page of the Manager, re-register it with the Manager:

  1. From the Worker appliance status page on the Manager, disconnect the Worker by clicking the Remove button.
  2. Access the dashboard page and click the Add new appliance button.
  3. In the Add new appliance dialog that opens, select Spectra Detect Worker as the appliance type, and fill in the configuration fields with the data of the previously disconnected Worker instance.
  4. Click Submit to connect the Worker instance to the Manager again.

If the process completes successfully, the YARA Sync page on the Manager should display the status of the Worker instance.