Reversing 2020 - YARA Summit | Pushing the Barriers of Unique YARA - - PowerPoint PPT Presentation



SLIDE 1

Reversing 2020 - YARA Summit | Pushing the Barriers of Unique YARA Uses | Tom Ueltschi | TLP-GREEN 1

SLIDE 2

TLP-GREEN

TOM UELTSCHI YARA-SUMMIT 2020

SLIDE 3

C:> whoami /all

  • Tom Ueltschi
  • Swiss Post CERT / SOC / CSIRT since 2007 (13 years!)
  • Focus & Interests: Malware Analysis, Threat Intel, Threat Hunting, Red / Purple Teaming

  • Member of many trust groups & infosec communities
  • FIRST SIG member (malware analysis, red teaming, CTI)
  • Twitter: @c_APT_ure

SLIDE 4

Previous Presentations

  • “Ponmocup Hunter” (Botnet malware)
    • SANS DFIR Summit 2013, DeepSec 2013, BotConf 2013, BotConf 2014
  • “Threat Hunting with Sysmon Data” (and Splunk)
    • BotConf 2016, FIRST Con 2017, FIRST TC AMS 2018, BotConf 2018, CERT-EU Con 2019
  • “DESKTOP-Group” – Tracking a persistent TG using email headers
    • BotConf 2019 (TLP-GREEN – not public)

All public slides linked on my blog:

http://c-apt-ure.blogspot.com/2017/12/is-this-blog-still-alive.html

SLIDE 5

Outline

  • Introduction
  • Automate malware analysis (how far can you go?)
  • Using YARA on “uncommon” or “unusual” file types
    • PCAP files
    • memory-strings & mutexes
    • JARs (Java RATs)
  • “DESKTOP-group” -- Spear Phishing emails & mail headers
    • YARA for email headers and body
    • Weird file formats: MSI + JAR || RTF + XLS

SLIDE 6

Introduction: Setting Expectations

  • Malware analysis & «Threat Hunting» based on our own samples
    • Mostly quarantined email attachments (not really much on VT / RL et al.)
  • YARA skills: beginner to «advanced beginner» :-) (using since 2014)
  • Reversing skills: not really (disassembler & debugger newbie)
  • Using YARA for «whatever works for us»
    • More about how easy it can be to start using YARA for your own purposes
    • Less about 31337 new fancy YARA-fu for uber-experts :-)
  • Most examples & rules are older rather than recent
  • Usage goal: malware analysis automation & malware classification

SLIDE 7

Introduction: Using YARA – What’s «normal»?

  • Typical features of «most commonly used» YARA rules
    • High precision: able to detect maliciousness and distinguish TP from FP with minimal FN
    • Common file types
      • Executables (PE, ELF, …)
      • Exploits or macros in «carrier files» (RTF, PDF, DOC/XLS etc.)
      • Memory dumps
  • Just my view, take it as «my opinion» :-)

SLIDE 8

Shout-out and big thanks to YARA-Exchange Group

Very lucky and happy to be a member since Aug 2012

SLIDE 9

Outline (repeated; identical to slide 5)

SLIDE 10

Automate Malware Analysis: How far can you go?

«We need a bigger sandbox!»

Started using a sandbox in 2013 (>7 years ago)

«Can I get some scripts with that? To go please!»

Started scripting & automating in 2014

SLIDE 11

2015: BotConf lightning talk

SLIDE 12

SIGMA

SLIDE 13

2015: BotConf lightning talk

YARA rules!

SLIDE 14

Behavior Rules?

Think SIGMA / SIEM analytics (or some even «IOCs»)

  • Currently 243 «behavior rules»

SLIDE 15

(text identical to slide 14)

SLIDE 16

2015: BotConf lightning talk

Behavior rules!

SLIDES 17-19

(text identical to slide 16)

SLIDE 20

Does «size» really matter?

(Semi-)Automating Malware Analysis

  • Number of analyzed malware samples
    • Per month → 50 to 400 (average ~230)
    • Per year → ~2’000 to ~3’500

  • 2014 → 1893
  • 2015 → 3184
  • 2016 → 3461
  • 2017 → 2409
  • 2018 → 1982
  • 2019 → 2273
  • 2020 → 1154 (*)

→ «Small numbers», but high value!

SLIDE 21

Outline (repeated; identical to slide 5)

SLIDE 22

Using YARA on “uncommon” or “unusual” file types

PCAP files (network traffic) from NetWire RAT

SLIDE 23

(text identical to slide 22)

Maybe my 1st rule!

SLIDE 24

Using YARA on “uncommon” or “unusual” file types

PCAP files (network traffic) from DarkComet RAT

SLIDE 25

Using YARA on “uncommon” or “unusual” file types

PCAP files (network traffic) from LuminosityLink RAT

SLIDE 26

Using YARA on “uncommon” or “unusual” file types

43 YARA rules for PCAP files (network traffic)

Ransomware / RATs / Pwd-stealers / Keyloggers

SLIDE 27

(text identical to slide 26)

SLIDE 28

Using YARA on “uncommon” or “unusual” file types

43 YARA rules for PCAP files (network traffic)

  • PCAP YARA rules developed 2014 – 2017
    • Deprecated / superseded
  • After mid 2017 scanning PCAPs with Suricata and IDS rules
    • ET OPEN, ETPRO and other commercial IDS rules

SLIDE 29

Outline (repeated; identical to slide 5)

SLIDE 30

Using YARA on “uncommon” or “unusual” file types

Memory strings files

SLIDES 31-32

(text identical to slide 30)

SLIDE 33

Using YARA on “uncommon” or “unusual” file types

Mutexes for DarkComet RAT

SLIDE 34

Outline (repeated; identical to slide 5)

SLIDE 35

Using YARA on “uncommon” or “unusual” file types: Java RATs and JAR files

SLIDES 36-40

(text identical to slide 35)

SLIDE 41

Outline

  • Introduction
  • Automate malware analysis (how far can you go?)
  • Using YARA on “uncommon” or “unusual” file types
  • PCAP files
  • memory-strings & mutexes
  • JAR’s (Java RAT’s)
  • “DESKTOP-group” -- Spear Phishing emails & mail headers
  • YARA for email headers and body
  • Weird file formats: MSI + JAR || RTF + XLS

Reversing 2020 - YARA Summit | Pushing the Barriers of Unique YARA Uses | Tom Ueltschi | TLP-GREEN 41

slide-42
SLIDE 42

First-hand knowledge: Analyzing mail headers

  • Date
  • From (display-name / email)
  • Subject
  • Attachment(s) – Filename(s) / MD5 hash(es) → Malware Analysis
  • Message-ID

→ Malware / RAT Family

  • X-Mailer / User-Agent

→ C2 domain / IP / port

  • X-Source-Auth / X-Sender / Authenticated-Sender
  • X-Source-IP / X-Originating-IP
  • Received headers

→ Client IP

SLIDE 43

First-hand knowledge: Analyzing mail headers → Excel with >140 attack mails

SLIDE 44

Message-ID / DESKTOP-name / X-Mailer

SLIDE 45

Received header hostname = Message-ID host

SLIDE 46

Received hostname (WIN-xxx ← DESKTOP-xxx)

SLIDE 47

Message-ID / (9) Desktop-/ (2) Server-names

SLIDE 48

Why should I care about mail headers?

Use YARA rules on raw RFC2822 mails to block on any header

Message-ID header

SLIDE 49

Why should I care about mail headers?

Use YARA rules on raw RFC2822 mails to block on any header

Received headers

SLIDE 50

Why should I care about mail headers?

Use YARA rules on raw RFC2822 mails to block on any header

From header / X- / Auth.-Sender

SLIDE 51

Why should I care about mail headers?

Use YARA rules on raw RFC2822 mails to block on body URLs

URLs in body (base64)

SLIDES 52-54

(text identical to slide 51)

SLIDE 55

Why should I care about mail headers?

Use YARA rules on raw RFC2822 mails to block on any header

Blocked only due to custom YARA rule

SLIDE 56

(text identical to slide 55)
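As an added example (my own, not a rule from Tom Ueltschi's slides), here are two YARA rules of the kind that slides 42 to 56 describe: both are meant to be run over raw RFC2822 mail files (.eml), one matching on headers and one on a URL inside a base64-encoded body part. The header names come from slide 42 and the DESKTOP-/WIN- hostname pattern from slides 44 to 47; the regexes themselves, the rule names and the URL placeholder-c2.example are my assumptions, and the base64 string modifier needs YARA 4.0 or later.

```yara
// Added example, not from the talk. Scope: raw RFC2822 mail files, not the
// attachments. The header regexes are my own; the DESKTOP-/WIN- pattern
// follows slides 44-47 of the deck.

rule Mail_MessageID_Host_Is_Default_Windows_Name
{
    meta:
        description = "Message-ID host and the first-hop Received host both look like a default Windows hostname (DESKTOP-xxx / WIN-xxx)"
        scope       = "raw RFC2822 mail (.eml)"
    strings:
        // Message-ID: <anything@DESKTOP-XXXXXXX> ; the leading \n anchors the
        // match to the start of a header line, so X-Original-Message-ID etc.
        // do not match.
        $msgid = /\nMessage-ID:\s*<[^>]{1,200}@(DESKTOP|WIN)-[A-Z0-9]{4,15}>/ nocase
        // Received: from DESKTOP-XXXXXXX ... ; the submitting client's name
        $recv  = /\nReceived:\s*from\s+(DESKTOP|WIN)-[A-Z0-9]{4,15}\b/ nocase
    condition:
        $msgid and $recv
}

rule Mail_Body_Contains_Base64_Encoded_URL
{
    meta:
        description = "Known URL inside a base64-encoded body part"
        scope       = "raw RFC2822 mail (.eml)"
    strings:
        // The base64 modifier makes YARA search for the three base64
        // alignments of the string, so the URL is found even though the
        // text/html part is transfer-encoded. The URL is a placeholder.
        $url = "http://placeholder-c2.example/" base64
        // Narrow to mails that actually carry a base64 body part.
        $cte = "Content-Transfer-Encoding: base64" nocase
    condition:
        $cte and $url
}
```

Run it as `yara -s mail_rules.yar message.eml` (`-s` prints the matched strings, `-r` recurses a quarantine directory). Two caveats for anyone adopting the idea: the base64 modifier only covers the three byte alignments of a single string, so a URL split across two base64-encoded lines at a 76-column line break is not matched; and legitimate mail from unrenamed home PCs will also carry DESKTOP- hostnames, so the first rule is a triage or hunting signal to combine with the other header features from slide 42 rather than a blocking rule on its own.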

SLIDE 57

Outline (repeated; identical to slide 5)

SLIDE 58

“DESKTOP-group” -- Spear Phishing emails & mail headers / Weird file formats: MSI + JAR

SLIDES 59-71

(text identical to slide 58)

SLIDE 72

Outline

  • Introduction
  • Automate malware analysis (how far can you go?)
  • Using YARA on “uncommon” or “unusual” file types
  • PCAP files
  • memory-strings & mutexes
  • JAR’s (Java RAT’s)
  • “DESKTOP-group” -- Spear Phishing emails & mail headers
  • YARA for email headers and body
  • Weird file formats: MSI + JAR || RTF + XLS

Reversing 2020 - YARA Summit | Pushing the Barriers of Unique YARA Uses | Tom Ueltschi | TLP-GREEN 72

slide-73
SLIDE 73

“DESKTOP-group” -- Spear Phishing emails & mail headers / Weird file formats: RTF + XLS

SLIDES 74-75

(text identical to slide 73)

SLIDE 76

(same title as slide 73)

7 x EXCEL.EXE, 7 x PS cmd (1)

SLIDE 77

(same title as slide 73)

1 x PS cmd (2)

SLIDES 78-80

(text identical to slide 73)

SLIDE 81

(same title as slide 73)

Pow-er-sh-ell

SLIDES 82-89

(text identical to slide 73)

SLIDE 90

(same title as slide 73)

Office files: Last saved / author

SLIDE 91

“DESKTOP-group” -- Spear Phishing emails & mail headers / Weird file formats: RTF + XLS (Hunting @ home)

SLIDES 92-93

(text identical to slide 91)

SLIDE 94

“DESKTOP-group” -- Spear Phishing emails & mail headers / Weird file formats: MSI + JAR || RTF + XLS (Hunting @ VT)

SLIDES 95-96

(text identical to slide 94)

SLIDE 97

“DESKTOP-group” -- Spear Phishing emails & mail headers / Weird file formats: MSI + JAR || RTF + XLS (Hunting @ RL)

SLIDE 98

(text identical to slide 97)

SLIDE 99

Outline

  • Introduction
  • Automate malware analysis (how far can you go?)
  • Using YARA on “uncommon” or “unusual” file types
    • PCAP files
    • memory-strings & mutexes
    • JARs (Java RATs)
  • “DESKTOP-group” -- Spear Phishing emails & mail headers
    • YARA for email headers and body
    • Weird file formats: MSI + JAR || RTF + XLS (Hunting @ home / VT / RL)

SLIDE 100

Thanks for your attention!!

Time left for questions?

  • Twitter: @c_APT_ure
  • Blog: http://c-apt-ure.blogspot.com/ → all my presentations linked in one place
