YaraGenerator Information

This is a project to build a tool to attempt to allow for quick, simple, and effective yara rule creation to isolate malware families and other malicious objects of interest. This is an experiment and thus far I've had pretty good success with it. It is a work in progress and I welcome forks and feedback!

To utilize this you must find a few files from a malware family, or if not executables then containing the attribute of interest, you wish to profile, (the more the better, three to four samples seems to be effective for malware, however to isolate exploits in carrier documents it often takes many more). Please note however that this tool will only be as precise as you are in choosing what you are looking for...


Usage and Example

Using the online version of YaraGenerator is as simple as selecting the files you wish to have analyzed, and entering Author, Rulename, Description and Tag information into the Generator page. Your signature will automatically be created and displayed for you.

At YaraGenerator.com you will also be able to view and download all of your previously generated signatures after logging in with your username and password. No samples are retained on this site after initial analysis.Your signatures are also secure from download by anyone who is not logged into this site, specifically as you.

Instructions for use of the portable command line interface YaraGenerator script are available in the readme file at the GitHub repository.

Resulting Yara Signature:
rule Win_Trojan_APT_APT1_Greencat : APT
{
meta:
  author = "Chris Clark"
  date = "2013-06-04"
  description = "APT Trojan Comment Crew Greencat"
  hash0 = "57e79f7df13c0cb01910d0c688fcd296"
  hash1 = "871cc547feb9dbec0285321068e392b8"
  hash2 = "6570163cd34454b3d1476c134d44b9d9"
  yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
  $string0 = "Ramdisk"
  $string1 = "Cache-Control:max-age"
  $string2 = "YYSSSSS"
  $string3 = "\\cmd.exe"
  $string4 = "Translation" wide
  $string5 = "CD-ROM"
  $string6 = "Mozilla/5.0"
  $string7 = "Volume on this computer:"
  $string8 = "pidrun"
  $string9 = "3@YAXPAX@Z"
  $string10 = "SMAgent.exe" wide
  $string11 = "Shell started successfully"
  $string12 = "Content-Length: %d"
  $string13 = "t4j SV3"
  $string14 = "Program started"
  $string15 = "Started already,"
  $string16 = "SoundMAX service agent" wide
condition:
  16 of them
}

Results

100% Hits on Test Samples:

$ yara -rg Trojan_Win_GreenCat.yar greencat/
Trojan_Win_GreenCat [APT] ../greencat//8bf5a9e8d5bc1f44133c3f118fe8ca1701d9665a72b3893f509367905feb0a00
Trojan_Win_GreenCat [APT] ../greencat//c196cac319e5c55e8169b6ed6930a10359b3db322abe8f00ed8cb83cf0888d3b
Trojan_Win_GreenCat [APT] ../greencat//c23039cf2f859e659e59ec362277321fbcdac680e6d9bc93fc03c8971333c25e

100% True Positives On Other Samples In the APT1 Cadre which were detected as Green Cat By Other Yara Rules:

$ yara -r Trojan_Win_GreenCat.yar .Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//1877a5d2f9c415109a8ac323f43be1dc10c546a72ab7207a96c6e6e71a132956
Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//20ed6218575155517f19d4ce46a9addbf49dcadb8f5d7bd93efdccfe1925c7d0
Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//4144820d9b31c4d3c54025a4368b32f727077c3ec253753360349a783846747f
Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//4487b345f63d20c6b91eec8ee86c307911b1f2c3e29f337aa96a4a238bf2e87c
Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//8bf5a9e8d5bc1f44133c3f118fe8ca1701d9665a72b3893f509367905feb0a00
Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//c196cac319e5c55e8169b6ed6930a10359b3db322abe8f00ed8cb83cf0888d3b
Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//c23039cf2f859e659e59ec362277321fbcdac680e6d9bc93fc03c8971333c25e
Win_Trojan_APT1_GreenCat [APT] ../../MalwareSamples/APT1Malware//f76dd93b10fc173eaf901ff1fb00ff8a9e1f31e3bd86e00ff773b244b54292c5

100% True Negatives on clean files:

$ yara -r Trojan_Win_GreenCat.yar ../../CleanFiles/