How to post-process YARA rules generated by yarGen

Long ago I abandoned the objective of creating perfect YARA rules in a fully automatic process.

Therefore, the main purpose of yarGen is to create the best possible rules for manual post-processing. I can understand that this step of manual post-processing seems to be a tedious task. But believe me, the combination of clever automatic preselection and a critical human analyst beats both the fully manual and fully automatic generation process.

I’d like to show you how to create two great YARA rules for recently published Sofacy / APT28 / Tsar Team / Group 74 / Sednit / Fancy Bear / Pawn Storm samples. The video shows you how to process two YARA rules created by yarGen for the two Sofacy samples in about 5:30 minutes.

The results of the test run look very good. We’ve detected more related samples and don’t see a single false positive.

Munin results for the first test run of the Sofacy rules

Samples on which the YARA rules matched:

142f524121fe16e1c67031f12015be4adec42bb7       90d814baef9ed32ad1db5994abbd3eefa41204fb       cbeac781bd254bbc79f4eef5f0357e083491647d       476fc1d31722ac26b46154cbf0c631d60268b28a       142f524121fe16e1c67031f12015be4adec42bb7       8a68f26d01372114f660e32ac4c9117e5d0577f1

I committed the final rule to my signature-base repository:

Links

You can find the report on Group 74 activity by Cisco Talos threat intel team member Paul Rascagnères here:
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

yarGen Github repository:

--

--

Twitter: @cyb3rops Work: https://nextron-systems.com

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store