Mark
How to test yara rule?

I have the yara rule shown below from Kaspersky. I've put it in my Linux system running clamav-milter. I'd like to test this rule by sending a message. I've sent a message containing string $a3, but it was not caught.

To test yara generally, I have created a simple rule with a single string and sent a message containing that string and it was caught, so yara rule checking is enabled.

Perhaps just sending string $a3 is insufficient? What does "uint16(0)" mean? That appears to be an "and" condition.
rule ransomware_exPetr {
meta:
    copyright = "Kaspersky Lab"
    description = "Rule to detect PetrWrap ransomware samples"
    last_modified = "2017-06-27"
    author = "Kaspersky Lab"
    hash = "71B6A493388E7D0B40C83CE903BC6B04"
    version = "1.0"

strings:
    $a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide
    $a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide
    $a3 = "DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii
    $a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii
    $a5 = "wowsmith123456@posteo.net." fullword wide

condition:
    uint16(0) == 0x5A4D and
    filesize < 1000000 and
    any of them
}


ASKER CERTIFIED SOLUTION
dfke

Mark

ASKER

OK, I get it. The rule is searching for unsigned int 0x5A4D at offset 0. I presume it is searching in an attachment or whatnot. Doing a bit of research I found that 0x5A4D is,
The MS-DOS MZ executable format is the executable file format used for .EXE files in MS-DOS. The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the beginning of the file (the "magic number"). "MZ" are the initials of Mark Zbikowski, one of the developers of MS-DOS.
https://en.wikipedia.org/wiki/DOS_MZ_executable. So, it's testing for a .exe file.

I commented out the uint16 rule and sent a test message with an attachment having the "POWER CABLE" string and the milter caught it! Mystery solved.
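As an added example (not code from the question or from the accepted answer), here is a small Python model of the rule's condition that shows why the test message missed: it reads uint16(0) as a little-endian value, encodes `wide` strings as UTF-16LE, applies `fullword` boundaries, and evaluates the three clauses against a constructed plain mail body and the same text behind an "MZ" header. It covers only the three short strings $a3, $a4 and $a5; the sample inputs are constructed and contain no malware.

```python
import re
import struct
from typing import Optional

# The three short strings from the rule in the question, with their modifiers.
RULE_STRINGS = {
    "$a3": ("DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED", "ascii"),
    "$a4": ("1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX", "ascii"),
    "$a5": ("wowsmith123456@posteo.net.", "wide"),
}

def uint16(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(offset): little-endian unsigned 16-bit read; undefined past EOF."""
    if offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]

def fullword_pattern(text: str, modifier: str) -> bytes:
    """Regex for a 'fullword' YARA string: ascii bytes as-is, 'wide' as UTF-16LE.
    fullword = not adjacent to an alphanumeric character (a 2-byte one for wide)."""
    if modifier == "wide":
        body, boundary = text.encode("utf-16-le"), rb"[A-Za-z0-9]\x00"
    else:
        body, boundary = text.encode("ascii"), rb"[A-Za-z0-9]"
    return rb"(?<!" + boundary + rb")" + re.escape(body) + rb"(?!" + boundary + rb")"

def matching_strings(data: bytes) -> list:
    """Names of rule strings present in data, in rule order."""
    return [name for name, (text, mod) in RULE_STRINGS.items()
            if re.search(fullword_pattern(text, mod), data)]

def evaluate_rule(data: bytes) -> dict:
    """Evaluate each clause of ransomware_exPetr's condition and the combined verdict."""
    hits = matching_strings(data)
    clauses = {
        "uint16(0) == 0x5A4D": uint16(data, 0) == 0x5A4D,   # "MZ" magic, little-endian
        "filesize < 1000000": len(data) < 1000000,
        "any of them": bool(hits),
    }
    return {**clauses, "matched": hits, "rule_matches": all(clauses.values())}

# Constructed samples: a plain mail body carrying $a3, and the same bytes after an
# "MZ" header with the wide-encoded $a5 appended (not a real executable).
MAIL_BODY = b"Hello,\nDESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED\n"
FAKE_EXE = b"MZ" + b"\x00" * 62 + MAIL_BODY + "wowsmith123456@posteo.net.".encode("utf-16-le")

if __name__ == "__main__":
    for label, sample in (("mail body", MAIL_BODY), ("MZ-prefixed blob", FAKE_EXE)):
        print(label, evaluate_rule(sample))
```

The mail body matches $a3 but fails the first clause because its first two bytes are not 4D 5A, which is exactly why commenting out the uint16 check made the milter fire on the attachment.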