YARA and CyberChef, (Mon, Mar 8th)

This post was originally published on this site

If you prefer a graphical user interface to match YARA rules, you can try CyberChef.

YARA is a pattern matching tool, known as "The pattern matching swiss knife".

CyberChef is a web app for all kinds of (file) analysis techniques, known as "The Cyber Swiss Army Knife".

And what do you get when you combine 2 Swiss Knifes? One really big Swiss Knife πŸ™‚

CyberChef supports YARA rules.

Here I added one YARA rule to detect Office files with VBA macros. More precisely: ole files that contain the premise of a compressed, default VBA source code header.

YARA rules that match the input (a Word document, .doc,  with VBA code in this example) are listed in the output.

Since CyberChef also has an unzip function, you can apply YARA rules on the files contained in a ZIP file (something the YARA tool itself can not do):

If you want to copy the recipes, they are below.

Just YARA:

https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

UNZIP + YARA:

https://gchq.github.io/CyberChef/#recipe=Unzip('',false)YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

And know I need to close my tabs and let the browser update itself πŸ™‚ .

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.