#100DaysofYARA 2024 – Day 101 – My Complete Ruleset

That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier, which may not be supported on older versions of YARA, and a few make use of regular expressions, which may cause performance issues on larger sample sets.

Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.

I hope it’s helpful!

#100DaysofYARA 2024 – Day 16 – BlackCat Ransomware Note

When writing rules for the Windows and Linux BlackCat variants I found two different versions of the ransom note; this rule attempts to match both.

rule MAL_BlackCat_ransomnote {
	meta:
		description = "Matches strings found in two versions of ransom notes dropped by BlackCat (ALPHV)."
		last_modified = "2024-01-16"
		author = "@petermstewart"
		DaysofYara = "16/100"

	strings:
		$heading1a = ">> What happened?"
		$heading1b = ">> Introduction"
		$heading2 = ">> Sensitive Data"
		$heading3 = ">> CAUTION"
		$heading4a = ">> What should I do next?"
		$heading4b = ">> Recovery procedure"
		$a1 = "In order to recover your files you need to follow instructions below."
		$a2 = "clients data, bills, budgets, annual reports, bank statements"
		$a3 = "1) Download and install Tor Browser from: https://torproject.org/"
		$a4 = "2) Navigate to: http://"

	condition:
		// 'and' binds tighter than 'or' in YARA, so the two heading variants
		// must be grouped or the filesize and common-string checks only apply
		// to one of them
		filesize < 5KB and
		(($heading1a and $heading4a) or ($heading1b and $heading4b)) and
		$heading2 and $heading3 and
		all of ($a*)
}
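To show why the grouping in that condition matters: YARA gives `and` higher precedence than `or`, so without parentheses around the two heading alternatives the `filesize` limit and the common strings only constrain one variant each. The Python below is an added example, not code from the original post; it needs no yara-python, re-implements just this rule’s string checks, and runs them over constructed notes (not real ransom notes) under both the as-written and the grouped condition.

```python
# Added example, not from the original post: re-implements the Day 16 rule's
# string checks in plain Python (no yara-python needed) to show how YARA's
# and/or precedence changes which samples match. All notes are constructed.
HEADINGS = {
    "1a": b">> What happened?", "1b": b">> Introduction",
    "2": b">> Sensitive Data", "3": b">> CAUTION",
    "4a": b">> What should I do next?", "4b": b">> Recovery procedure",
}
A_STRINGS = [
    b"In order to recover your files you need to follow instructions below.",
    b"clients data, bills, budgets, annual reports, bank statements",
    b"1) Download and install Tor Browser from: https://torproject.org/",
    b"2) Navigate to: http://",
]

def evaluate(data: bytes, grouped: bool) -> bool:
    """grouped=False is how YARA parses the condition without parentheses
    ('and' binds tighter than 'or'); grouped=True parenthesises the two
    heading alternatives so filesize and the common strings apply to both."""
    h = {k: v in data for k, v in HEADINGS.items()}
    small = len(data) < 5 * 1024
    common = h["2"] and h["3"] and all(s in data for s in A_STRINGS)
    variant_a, variant_b = h["1a"] and h["4a"], h["1b"] and h["4b"]
    if grouped:
        return small and (variant_a or variant_b) and common
    return (small and variant_a) or (variant_b and common)

def build_note(variant: str, with_common: bool = True, padding: int = 0) -> bytes:
    """Constructed sample using the 'a' or 'b' headings; with_common=False
    leaves out $heading2, $heading3 and every $a* string."""
    parts = [HEADINGS["1" + variant], HEADINGS["4" + variant]]
    if with_common:
        parts += [HEADINGS["2"], HEADINGS["3"]] + A_STRINGS
    return b"\n".join(parts) + b"\n" + b"x" * padding

SAMPLES = {
    "small_a": build_note("a"),
    "small_b": build_note("b"),
    "big_b": build_note("b", padding=64 * 1024),             # over the 5KB limit
    "a_headings_only": build_note("a", with_common=False),  # none of the shared text
}

def scan_all() -> dict:
    """Return {sample: (matches_as_written, matches_grouped)} for every sample."""
    return {n: (evaluate(d, False), evaluate(d, True)) for n, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, (as_written, grouped) in scan_all().items():
        print(f"{name:16} as-written={as_written!s:5} grouped={grouped}")
```

The two genuine small notes match either way; the oversized note and the note carrying only the two variant-A headings match only under the ungrouped parse, which is the false-positive surface the parentheses remove.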

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 15 – BlackCat Ransomware (Linux)

ALPHV (ALPHA SPIDER) also used a Linux version of their ransomware; today’s rule uses common strings to find samples of it.

rule MAL_BlackCat_Lin_strings {
	meta:
		description = "Matches strings found in BlackCat ransomware Linux samples operated by ALPHV."
		last_modified = "2024-01-15"
		author = "@petermstewart"
		DaysofYara = "15/100"
		sha256 = "3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1"
		sha256 = "f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6"

	strings:
		$a1 = "encrypt_app::linux"
		$a2 = "src/bin/encrypt_app/linux.rs"
		$a3 = "locker::core::os::linux::command"
		$b1 = "note_file_name"
		$b2 = "note_full_text"
		$b3 = "note_short_text"
		$b4 = "default_file_cipher"
		$b5 = "default_file_mode"
		$b6 = "enable_esxi_vm_kill"
		$b7 = "enable_esxi_vm_snapshot_kill"

	condition:
		filesize > 1MB and filesize < 3MB and
		uint32(0) == 0x464c457f and   // ELF magic, little-endian
		2 of ($a*) and
		5 of ($b*)
}

#100DaysofYARA 2024 – Day 14 – BlackCat Ransomware (Windows)

The BlackCat ransomware-as-a-service was operated by ALPHV (ALPHA SPIDER) until a slightly messy disruption operation in December 2023. Today’s rule looks for strings commonly found in BlackCat Windows executables:

rule MAL_BlackCat_Win_strings {
	meta:
		description = "Matches strings found in BlackCat ransomware Windows samples operated by ALPHV."
		last_modified = "2024-01-14"
		author = "@petermstewart"
		DaysofYara = "14/100"
		sha256 = "2587001d6599f0ec03534ea823aab0febb75e83f657fadc3a662338cc08646b0"
		sha256 = "c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40"

	strings:
		$a = "bcdedit /set {default}bcdedit /set {default} recoveryenabled"
		$b = "vssadmin.exe Delete Shadows /all /quietshadow_copy::remove_all_vss="
		$c = "wmic.exe Shadowcopy Deleteshadow_copy::remove_all_wmic="
		$d = "deploy_note_and_image_for_all_users="
		$e = "Control Panel\\DesktopWallpaperStyleWallPaperC:\\\\Desktop\\.png"
		$f = "Speed:  Mb/s, Data: Mb/Mb, Files processed: /, Files scanned:"

	condition:
		filesize > 2MB and filesize < 4MB and
		uint16(0) == 0x5a4d and   // MZ header
		all of them
}