Merge pull request #434 from adepasquale/feature/yara-ci-config

Update Yara CI config
CAPESandbox · May 14, 2024 · 30a130d · 30a130d
2 parents ae6f8a0 + ade01d8
commit 30a130d
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 73 deletions.
diff --git a/.yara-ci.yml b/.yara-ci.yml
@@ -1,16 +1,12 @@
 files:
   accept:
-  - "data/yara/CAPE/*.yar"
-  - "data/yara/memory/*.yar"
-  - "data/yara/binary/*.yar"
-  - "data/yara/urls/*.yar"
+  - "data/yara/**.yar"
+  ignore:
+  - "data/yara/deprecated/**.yar"
+  - "data/yara/CAPE/deprecated/**.yar"
 
 false_positives:
-  ignore:
-   - rule: "shellcode_stack_strings"
-   - rule: "shellcode_get_eip"
-   - rule: "shellcode_peb_parsing"
-   - rule: "shellcode_patterns"
-   - rule: "lsadump"
-   - rule: "UPX"
-   - rule: "INDICATOR_EXE_Packed_Dotfuscator"
+  disabled: true
+
+false_negatives:
+  disabled: true
diff --git a/data/yara/CAPE/GetCrypt.yar b/data/yara/CAPE/GetCrypt.yar
@@ -19,8 +19,26 @@ rule GetCrypt {
         $s6 = "ntdll.dll" fullword ascii
         $s7 = "WNetCancelConnection2W" fullword ascii
         $s8 = ".%c%c%c%c" fullword wide
-        // is slowing down scanning
-        $s9 = /([Gg]uest|[Aa]dministrator|[Dd]eveloper|[Rr][0Oo]{2}t|[Aa]dmin)/ fullword ascii wide
+        $s9 = /([Gg]uest|[Aa]dmin(istrator)?|[Dd]eveloper)/ fullword ascii wide
+        // /[Rr][0Oo]t/ is slowing down scanning
+        $r0 = "R00t" fullword ascii wide
+        $r1 = "R0Ot" fullword ascii wide
+        $r2 = "R0ot" fullword ascii wide
+        $r3 = "RO0t" fullword ascii wide
+        $r4 = "ROOt" fullword ascii wide
+        $r5 = "ROot" fullword ascii wide
+        $r6 = "Ro0t" fullword ascii wide
+        $r7 = "RoOt" fullword ascii wide
+        $r8 = "Root" fullword ascii wide
+        $r9 = "r00t" fullword ascii wide
+        $r10 = "r0Ot" fullword ascii wide
+        $r11 = "r0ot" fullword ascii wide
+        $r12 = "rO0t" fullword ascii wide
+        $r13 = "rOOt" fullword ascii wide
+        $r14 = "rOot" fullword ascii wide
+        $r15 = "ro0t" fullword ascii wide
+        $r16 = "roOt" fullword ascii wide
+        $r17 = "root" fullword ascii wide
         $s10 = { 43 72 79 70 74 49 6d 70 6f 72 74 4b 65 79 00 00
                  cb 00 43 72 79 70 74 45 6e 63 72 79 70 74 00 00
                  c1 00 43 72 79 70 74 41 63 71 75 69 72 65 43 6f
@@ -32,5 +50,5 @@ rule GetCrypt {
                  00 00 b5 01 53 68 65 6c 6c 45 78 65 63 75 74 65
                  45 78 57 00 53 48 45 4c 4c 33 32 2e 64 6c 6c 00 }
     condition:
-        uint16(0) == 0x5a4d and (3 of ($x*) or 8 of ($s*))
+        uint16(0) == 0x5a4d and (3 of ($x*) or 8 of ($s*) or (7 of ($s*) and 1 of ($r*)))
 }
diff --git a/data/yara/binaries/Maldoc_PDF.yar b/data/yara/binaries/Maldoc_PDF.yar
@@ -60,7 +60,7 @@ weight = 3
 
     strings:
             $magic = { 25 50 44 46 }
-            $attrib = /\/Filter.*(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/ 
+            $attrib = /\/Filter.{,1024}(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/ 
             // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
 
     condition: 
@@ -153,15 +153,11 @@ rule possible_exploit : PDF raw
 		$attrib3 = /\/ASCIIHexDecode/
 		$attrib4 = /\/ASCII85Decode/
 
-		$action0 = /\/Action/
 		$action1 = "Array"
-		$shell = "A"
 		$cond0 = "unescape"
-		$cond1 = "String.fromCharCode"
-		
 		$nop = "%u9090%u9090"
 	condition:
-		$magic in (0..1024) and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
+		$magic in (0..1024) and (2 of ($attrib*)) or ($action1 and $cond0 and $nop)
 }
 
 rule shellcode_blob_metadata : PDF raw
@@ -247,21 +243,6 @@ rule suspicious_embed : PDF raw
 		$magic in (0..1024) and 1 of ($meth*) and 2 of ($attrib*)
 }
 
-rule suspicious_obfuscation : PDF raw
-{
-	meta:
-		author = "Glenn Edwards (@hiddenillusion)"
-		version = "0.1"
-		weight = 2
-
-	strings:
-		$magic = { 25 50 44 46 }
-		$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
-		
-	condition:
-		$magic in (0..1024) and #reg > 5
-}
-
 rule invalid_XObject_js : PDF raw
 {
 	meta:
@@ -292,8 +273,8 @@ rule invalid_trailer_structure : PDF raw
         strings:
                 $magic = { 25 50 44 46 }
 				// Required for a valid PDF
-                $reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/
-                $reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
+                $reg0 = /trailer\r?\n?.{,8192}\/Size.{,8192}\r?\n?/
+                $reg1 = /\/Root.{,8192}\r?\n?.{,8192}startxref\r?\n?.{,8192}\r?\n?%%EOF/
 
         condition:
                 $magic in (0..1024) and not $reg0 and not $reg1
@@ -399,8 +380,8 @@ rule invalid_xref_numbers : PDF raw
 
         strings:
                 $magic = { 25 50 44 46 }
-                $reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/
-                $reg1 = /endstream.*\r?\n?endobj.*\r?\n?startxref/
+                $reg0 = /xref\r?\n?.{,8192}\r?\n?.{,8192}65535\sf/
+                $reg1 = /endstream.{,8192}\r?\n?endobj.{,8192}\r?\n?startxref/
         condition:
                 $magic in (0..1024) and not $reg0 and not $reg1
 }
@@ -486,4 +467,4 @@ rule PDF_Embedded_Exe : PDF
         $exe = {3C 3C 2F 45 6D 62 65 64 64 65 64 46 69 6C 65 73}
     condition:
     	$header at 0 and $Launch_Action and $exe
-}
+}
diff --git a/data/yara/binaries/shellcodes.yar b/data/yara/binaries/shellcodes.yar
@@ -232,35 +232,3 @@ rule donut_shellcode_fixed {
         uint32(571) == 0 and
         uint32(575) == 0
 }
-
-rule donut_shellcode_relative {
-    meta:
-        description = "Tested against shellcodes x86/x64 generated by Donut v0.9.3"
-        author = "Telsy CTI team"
-        date = "18/11/2021"
-    strings:
-        // detect config space
-        $cspace = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (01|02) 00 00 00 (01|02|03) 00
-        00 00 00 00 00 00 00 00 00 00 }
-    condition:
-        for 1 i in (1 .. #cspace) :
-        (
-            // call near opcode
-            uint8(@cspace[i] - 469 ) == 232 and
-            uint32(@cspace[i] - 469 + 1) == uint32(@cspace[i] - 469 + 5) and
-            // xor generator key and xor xor initial key cannot be null it is 32 bytes
-            uint32(@cspace[i] - 469 + 9) != 0 and
-            uint32(@cspace[i] - 469 + 13) != 0 and
-            uint32(@cspace[i] - 469 + 17) != 0 and
-            uint32(@cspace[i] - 469 + 21) != 0 and
-            uint32(@cspace[i] - 469 + 25) != 0 and
-            uint32(@cspace[i] - 469 + 29) != 0 and
-            uint32(@cspace[i] - 469 + 33) != 0 and
-            uint32(@cspace[i] - 469 + 37) != 0 and
-            // after the two keys null uint32
-            uint32(@cspace[i] - 469 + 41) == 0
-        )
-}