<h1>YARA Rule Creation Crackme</h1>
<p>Florian Roth, Nextron Systems. Published 2018-06-16, last modified 2022-03-25. Original: <a href="https://www.nextron-systems.com/2018/06/16/yara-rule-creation-crackme/">https://www.nextron-systems.com/2018/06/16/yara-rule-creation-crackme/</a> (category: YARA; tags: crackme, create, rules, signatures, yara).</p>
<p>I've collected some interesting samples for an internal YARA rule creation training session with our interns. With this blog post, I'll also share 3 new <a href="/yara-rule-feed/">premium feed YARA</a> rules by pushing them to the Open Source signature-base repo.</p>
<p>What are the preliminary conditions for the rule creation?</p>
<ul>
<li>We don't want to spend more than 20 minutes on a single rule.</li>
<li>We use string extraction, hex editors and <a href="https://github.com/Neo23x0/yarGen">yarGen</a>.</li>
<li>We also use public resources like Google (yes) and <a href="https://malware.one/">malware.one</a>.</li>
</ul>
<p>Requirements:</p>
<ul>
<li>You need a <a href="https://beta.virusbay.io/">Virusbay</a> account to download the samples.</li>
</ul>
<p>So, get ready. We process the following 3 cases.</p>
<h2>Turla Agent-BTZ</h2>
<ul>
<li>Great for yarGen string extraction</li>
<li>Especially check for variations of strings (in the PE header) that are highly specific</li>
<li>Use Google to check strings</li>
</ul>
<p><a href="https://beta.virusbay.io/sample/browse/a352f93e5f63bbf5cd0905c38f054d27">Sample</a></p>
<h2>PLEAD Downloader</h2>
<ul>
<li>yarGen will not produce good results in this case</li>
<li>Try to compare the samples in order to find specific strings that appear in all of them</li>
</ul>
<p><a href="https://beta.virusbay.io/sample/browse/cd1c40dce4a2440e45c5dce33f33f74e">Sample 1</a></p>
<p><a href="https://beta.virusbay.io/sample/browse/78d84dcac923ec0fd4b0f522f9139a79">Sample 2</a></p>
<p><a href="https://beta.virusbay.io/sample/browse/49f63cfca889f754b16c354a3ab0c8f5">Sample 3</a></p>
<p><a href="https://beta.virusbay.io/sample/browse/761ef01cacf2dadc39894bbf2b1497e0">Sample 4</a></p>
<h2>TYPEFRAME (Hidden Cobra)</h2>
<ul>
<li>Authors missed some specific strings</li>
</ul>
<p><a href="https://beta.virusbay.io/sample/browse/00b0cfb59b088b247c97c8fed383c115">Sample</a></p>
<h2>Solution</h2>
<p>Don't check the solution before you've created your own rules.</p>
<p><a href="https://github.com/Neo23x0/signature-base/blob/master/yara/apt_agent_btz.yar#L71">Agent.BTZ YARA rule</a></p>
<p><a href="https://github.com/Neo23x0/signature-base/blob/master/yara/apt_plead_downloader.yar">PLEAD YARA rule</a></p>
<p><a href="https://github.com/Neo23x0/signature-base/blob/master/yara/apt_ar18_165a.yar#L59">TYPEFRAME YARA rule</a></p>
<p>Remember, there is no single correct solution to this task. Your rules may be better than mine. If that's the case, please share them with me.</p>