100 Days of YARA is a self-enforced challenge to learn YARA for the first time, or learn new techniques for creating rules, or submit rules for cool malware you’ve observed!


Day 💯 of #100DaysofYARA

I wrote my first YARA rule on 2022-01-02 during the first #100DaysofYARA (after sourcing malware on day one) and it was pretty fun. Initially, I focused on common cryptographic algorithms that I missed from the Flare-On 8 CTF challenges. If I could recognize these in YARA signatures I could save myself time in reverse engineering. Heading into this year of the challenge my goals were pretty reasonable:

  • Go further than I did last year (18 days)
  • Focus on more malicious code analysis
  • More deeply understand what I was doing and validate findings

What is YARA

YARA is a pattern matching rule language used across the security industry for a variety of use cases since it was built in 2008. Today it’s used to help with efforts across the spectrum of defensive security operations: - Antivirus/Incident Response: find malicious items across files or process memory - Reverse Engineer: Identify common code, constants, or strings to classify malware families - Threat Intelligence: hunt for previously seen or emerging threats

A sample rule:

rule shellcromancer_was_here
    description = "A rule to find myself on the internet."
    author = "@shellcromancer"
    version = "1.0"
    date = "2023.04.10"
    DaysofYARA = "100/100"

	$str = "shellcromancer" xor
  $hex = { 40 ?? 73 68 65 6C 6C [0-4] 63 72 6F 6D 61 6E 63 65 72 }

    any of them

Part of the reason it’s successful today is due to the great community around writing rules, and that once you codify analysis in a YARA rule it can be tested by others (locally, in VirusTotal, YARAify, UnpacMe, or many of the other services that support it) and stored historically with labeling.

The last 100 days

For those following along you’ll notice that somewhere along day 7 I decided to look at macOS specific items and stuck on that for almost the rest of the challenge. Most people I care about use macOS machines, and most services I care about run on Linux servers so I stay away from Windows as much as I can… and it turns out I can! 🫡 There’s a ton of threat actors abusing macOS and Linux with folks just needing to spend more time looking. Plus resources like Objective-See have a macOS focused malware collection where you can get started.

$ git log --author 'shellcromancer' --pretty=format:"%h%x09%ad%x09%s" --date=short --reverse
8d08cfd	2023-01-02	shellcromancer/elf_golf.yar days 1 & 2
9896dd8	2023-01-03	add shellcromancer day 3
a086160	2023-01-04	add lang_zig.yar
fce1c65	2023-01-05	add tool_network_free_code.yar
4d62367	2023-01-06	add money.yar
9cb18f9	2023-01-07	fix: update rule metadata
208e4da	2023-01-07	add file_dmg.yar
fb40b19	2023-01-08	add dmg.hexpat
c30fa42	2023-01-09	add XAR related files
60786af	2023-01-10	add file_dmg_condition_only
ec93772	2023-01-11	add go_lang_garble
f40e187	2023-01-12	add file_plist.yar
1f522bd	2023-01-13	add file_scpt.yar
6068a09	2023-01-14	add lang_swift.yar
a980800	2023-01-15	macho_discovery.yar
225abdf	2023-01-16	add file_scpt_jxa.yar
3a227a8	2023-01-17	add file_wasm.yar
c4ab3c4	2023-01-18	add wasm_miner.yar
668ae30	2023-01-19	add susp_macos_browsers
4d9167b	2023-01-20	add file_one and susp_onenote_embedded_pe
1fdd22d	2023-01-21	add mal_macos_cointicker.yar
4ef6492	2023-01-22	add hacktool_shc
8ea4030	2023-01-23	add shc code identification
19bb4f7	2023-01-24	add mal_orat.yar
16fcd82	2023-01-24	mal_rat_spark.yara
168dcf1	2023-01-27	add info_macho_control_flow.yar
db9d1cf	2023-01-28	add macos_ui_frameworks
e67e853	2023-01-29	add mal_cia_ransomware
5d3bcb0	2023-01-30	add file_car
4ac1944	2023-01-31	add info_macho_lc_cmds
28ffb3c	2023-02-01	fix: hacktool_shc.yar
29d97b4	2023-02-02	add hacktool_ezuri.yar
25b8fdc	2023-02-03	add electron.yar
82de5f5	2023-02-04	add bundler_platypus
c95edc4	2023-02-05	add macho_entitlehash.yar
6fe29e6	2023-02-05	add macho_entitlehash_ex
5c5b182	2023-02-06	add susp_macho_entitlements
c1e77e2	2023-02-07	add info_dyld_env.yar
8ba1e73	2023-02-08	add macho_section_restricted
46ed8ae	2023-02-09	add macho_pagezero
9c18d49	2023-02-10	add macho_text_protected
22512e4	2023-02-11	add macho_missing_text.yar
14d52e1	2023-02-12	remove private rules with De Morgans Law
a11bcc9	2023-02-13	add macho_entrophy
68efa64	2023-02-14	add file_nib
d6a3c3c	2023-02-15	add macos_bundle_qlgenerator
849d5de	2023-02-16	add macos_bundle_mdimporter
517133c	2023-02-17	add macos_bundle_saver
c9d6008	2023-02-18	add macos_bundle_colorpicker
f551be4	2023-02-19	add mal_iwebservices
91c204e	2023-02-20	add file_icns
c837a37	2023-02-21	add macos_cloudmensis
c56fa46	2023-02-24	add susp_encoded_ip
d9f7686	2023-02-25	add mal_final_cut_pro
bc29242	2023-02-26	add i2pd
636f729	2023-02-27	add mal_ddosia.yar
1b3508f	2023-02-28	add mal_macos_systemd
625bf29	2023-03-02	add macho_no_pagezero
ec1b642	2023-03-03	add mal_macos_xslcmd
679cefa	2023-03-04	add mal_macos_pureland
8207868	2023-03-05	add mal_macos_coinminer
88e2486	2023-03-06	add susp_macos_elitelogger
4ed3eef	2023-03-07	add info_nop_sled.yar
dc73935	2023-03-08	fix: loosen pureland condition
7ea98af	2023-03-09	add mal_macos_loselose
deeb712	2023-03-10	add mal_macos_netwire
6e72700	2023-03-11	add mal_macos_weaponx
6c9ded5	2023-03-12	add susp_macos_sniperspy.yar
4409a0d	2023-03-13	add info_macos_xattrs
72b523c	2023-03-14	exploit-cve-2023-23397
6469401	2023-03-15	add susp_macos_shellcode
ad5913c	2023-03-16	add program_thing.yar
e099ce5	2023-03-17	add susp_macho_loader
00ea13e	2023-03-18	add crossrat
e1c8066	2023-03-19	add mal_macos_rshell.yar
a2b6cfc	2023-03-20	add mal_macos_ventir
1e51f29	2023-03-21	add mal_macos_ventir_keylog
4f92847	2023-03-22	add mal_macos_ventir_watchdog
992f1e0	2023-03-23	add mal_macos_silver_sparrow.yar
2d3c828	2023-03-24	add mal_macos_silver_sparrow
26296fc	2023-03-25	add mal_macos_fkcodec.yar
ab3d371	2023-03-26	add mal_macos_macstealer
0662b8a	2023-03-27	add lang_python_bytecode
2bd09df	2023-03-28	add info_python_nuitka
826e28b	2023-03-29	add file_ipsw
a73700f	2023-03-30	add mal_macos_smoothoperator
d2a8f16	2023-03-31	add info_macho_python
315905f	2023-04-01	add info_padded_dmg.yar
fb36697	2023-04-02	add file_sdef.yar
5e7f62c	2023-04-03	add mal_macos_smoothoperator_updateagent
79faa2d	2023-04-04	fix: mal_macos_smoothoperator
67e9abd	2023-04-05	add exploit-cve-2022-46689
74e92dc	2023-04-06	add info_macos_scpt_applet
4f7ec14 2023-04-07  add mal_macos_dacls
8eacd72 2023-04-08  add info_macos_file_metadata
ab25e9b 2023-04-09  add macos_bundle_findersync_appex

The best of rules and the worst of rules

My personal favorite rule for hunting/clustering malware families is the EntitleHash where we take the Mach-O entitlements in a code signed executable and hash those for clustering. It works fairly well to bucket malware in a TTP sense but not on authorship.

import "console"
import "hash"

private rule macho_entitlehash
		description = "Identify code signed entitlements in Mach-o files, then hash them"
		author = "@shellcromancer"
		version = "1.0"
		date = "2023.02.05"
		DaysofYARA = "36/100"

		$cs_magic = { fa de 0c 00 } private
		$cs_magic_entitlement = { fa de 71 71 } private

			uint32(0) == 0xfeedface or // Mach-O MH_MAGIC
			uint32(0) == 0xcefaedfe or // Mach-O MH_CIGAM
			uint32(0) == 0xfeedfacf or // Mach-O MH_MAGIC_64
			uint32(0) == 0xcffaedfe or // Mach-O MH_CIGAM_64
			uint32(0) == 0xcafebabe or // Mach-O FAT_MAGIC
			uint32(0) == 0xbebafeca    // Mach-O FAT_CIGAM
		) and
		all of them and
			Entitlements XML stored in:
			@cs_magic_entitlement + 8 -> @cs_magic_entitlement + uint32be(@cs_magic_entitlement+4)
		for any i in (1 .. #cs_magic_entitlement) : (
				"Entitlehash: ",
					@cs_magic_entitlement[i] + 8,
					@cs_magic_entitlement[i] + uint32be(@cs_magic_entitlement[i] + 4)

The rule I was most disappointed with was info_padded_dmg just because I was hoping it would be more helpful in finding malicious installers. Unfortunately, sorting through the high false positive rate isn’t feasible.

rule info_padded_dmg
    description = "Identify Apple DMG with padding between the plist and trailer sections."
    author = "@shellcromancer"
    version = "1.0"
    date = "2023.04.01"
    reference = "https://objective-see.org/blog/blog_0x70.html"
    DaysofYARA = "91/100"

    $plist = "</plist>\x0a"

    uint32be(filesize - 512) == 0x6b6f6c79 and  // "koly" trailer of DMG
    not $plist at filesize - 521  // trailer is not prefixed by property list

What’s next

While I keep writing rules I want figure out a better way to manage them so I’m scoping out loading samples into Synapse Vertex and using their YARA plugin for analysis. This seems like a great way to offload stuff from my laptop and dive into their modeling, but the YARA power-up seems to be gated for enterprise customers 😕.

In addition to analyzing macOS specific malware, I want to introduce some new features to the YARA macho module to bring it with parity the PE module. I don’t want to introduce bugs, and I need to learn Rust so maybe these are candidates to check out while porting the Mach-O module for yara-x!

  • Mach-O module: add iterable load command list w/ offset, type, and size. Allows using static offsets into known structures for contents like reading LC_UUIDs, and more
  • Mach-O module: add code signature information, including entitlements
  • Mach-O module: add iterable export/import lists

To aid in triaging samples I want to see if some macOS Binary Refinery units can be added. Specifically around extracting contents from Apple archive formats like DMGs, PKGs, and individual Mach-O’s from a FAT archive (similar to the lipo tool on macOS but with pipe-able output).

Outside of macOS specifics I want to build out a more detailed YARA plugin for Binary Ninja to bring it’s quick signature toolkit close to what the Cutter YARA plugin does (a recent plugin by birch helps this a lot!).

Most importantly, I’m going to take some time off with my family since I’ll be a dad in a week 🎉 (some people don’t think my dog counts 🙄).


Thank you to @greglesnewich for starting the #100DayofYARA trend last year, continuing it this year, and chatting with me as we went through the 2023 edition (and for the sick mug)!


Thank you to other folks contributing rules and keeping up the streak as well like @BitsOfBinary, @Qutluch, @silascutler, @stvemillertime (c’mon YARA is in his name!), @dan__mayer, @wxs, @notareverser, @th3_protoCOL, and I’m sure many others that I’m missing!