brad-sp / cuckoo-modified

Modified edition of cuckoo

Erroneous string regex in data/yara/memory/d*.yar #247

Open JohnMarachuk opened 8 years ago

JohnMarachuk commented 8 years ago

Cuckoo output similar to:

YaraSyntaxError: /opt/cuckoo-modified/data/yara/index_memory.yar:37: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
/opt/cuckoo-modified/data/yara/index_memory.yar:55: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
/opt/cuckoo-modified/data/yara/index_memory.yar:68: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
/opt/cuckoo-modified/data/yara/index_memory.yar:81: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
2015-10-30 13:59:33,081 [lib.cuckoo.common.objects] ERROR: Unable to match Yara signatures: /opt/cuckoo-modified/data/yara/index_memory.yar:37: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
/opt/cuckoo-modified/data/yara/index_memory.yar:55: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
/opt/cuckoo-modified/data/yara/index_memory.yar:68: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
/opt/cuckoo-modified/data/yara/index_memory.yar:81: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_

Fixed by substituting end of regex lines using '/s' to just '/', in:

data/yara/memory/dyre.yar data/yara/memory/dridex.yar data/yara/memory/darkcomet.yar
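An added example, not code from this issue or from the cuckoo-modified project: a small Python lint that finds `/pattern/mods` strings in a YARA rule file, flags slash modifiers the target engine rejects, and can strip `s` the way the workaround above does while recording which strings were touched. The sample rule, the `allowed` set and the function names are assumptions.

```python
import re
from typing import List, Tuple

# One YARA regex string definition: "$name = /pattern/mods" (keyword modifiers
# such as nocase or wide follow after whitespace and are left alone).
_REGEX_STRING = re.compile(
    r'^(?P<lead>[ \t]*)(?P<id>\$\w*)(?P<eq>[ \t]*=[ \t]*)'
    r'/(?P<pat>(?:\\.|[^/\\\n])+)/(?P<mods>[A-Za-z]*)',
    re.MULTILINE,
)

# Constructed sample in the style of the memory rules discussed in the issue;
# it is not a rule from the cuckoo-modified repository.
SAMPLE_RULE = r"""
rule example_darkcomet_config
{
    strings:
        $cfg = /#BEGIN DARKCOMET DATA --.+#EOF DARKCOMET DATA --/s
        $mutex = /DC_MUTEX-[A-Z0-9]{7}/
        $key = /KEYNAME=\{[^}]+\}/i
    condition:
        any of them
}
"""

def find_regex_strings(rule_text: str) -> List[Tuple[str, str, str]]:
    """Return (identifier, pattern, slash modifiers) for every regex string."""
    return [(m.group("id"), m.group("pat"), m.group("mods"))
            for m in _REGEX_STRING.finditer(rule_text)]

def check_slash_modifiers(rule_text: str, allowed: str = "i") -> List[str]:
    """List regex strings whose slash modifiers are outside `allowed` (assumed)."""
    # A rejected modifier fails the parser for the whole file, so every other
    # rule in that file stops matching too; surface it before deployment.
    problems = []
    for ident, _pat, mods in find_regex_strings(rule_text):
        bad = "".join(sorted(set(mods) - set(allowed)))
        if bad:
            problems.append(f"{ident}: unsupported regex modifier(s) '{bad}'")
    return problems

def drop_slash_modifier(rule_text: str, modifier: str = "s") -> str:
    """Rewrite /.../s to /.../ as the workaround in the issue does."""
    # Caveat: without 's', '.' no longer matches newlines, so a pattern that
    # spanned a line break (like $cfg above) may stop matching; review those.
    def rewrite(m):
        mods = m.group("mods").replace(modifier, "")
        return f'{m["lead"]}{m["id"]}{m["eq"]}/{m["pat"]}/{mods}'
    return _REGEX_STRING.sub(rewrite, rule_text)
```

Running `check_slash_modifiers` over each file in data/yara/memory before restarting Cuckoo shows which strings carry a modifier the installed YARA cannot parse, and `find_regex_strings` on the rewritten text lists exactly which patterns changed meaning.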

KillerInstinct commented 8 years ago

What version of yara? IIRC I thought that was a switch for telling the regex to match multiline.

JohnMarachuk commented 8 years ago

Yara 3.3.0.

JohnMarachuk commented 8 years ago

Updated to 3.4.0, added back the '/s' and getting the above errors again...maybe I'm doing something wrong.

KillerInstinct commented 8 years ago

I am on 3.2.0 -- do the regexes work correctly without the /s on your version(s)?

JohnMarachuk commented 8 years ago

Good question. Volatility doesn't appear to be happy in general. Need to spend some time trying to fix these issues.

http://pastebin.com/RfWdV7P5

Edit: Setting the mem_profile within kvm.conf appears to have addressed the 'object has no attribute 'lower'', which is curious since I thought the global guest_profile would be inherited. I digress... back to yara scan.

Edit: Out of the frying pan... http://pastebin.com/83HTtuPX

JohnMarachuk commented 8 years ago

Sample identified as Darkcomet on VT:

https://www.virustotal.com/intelligence/search/?query=4a96a5248a2d642fce5a2d8de913be20c5e289df39fcaef7d54454acbef30eaf

Scores 10.0 in Cuckoo and flagged with "Creates known Fylonski/DarkComet mutexes". Yara flags "None matched".

With '/s' in darkcomet.yar, I get: http://pastebin.com/eUdzQjTn

Without, I get none of the pastebin yarascan syntax errors, but also no Yara matches. Of course, the sample may not contain the same string(s).

KillerInstinct commented 8 years ago

The volatility warnings/errors are fine, should still generate the results dict with those logs. Though we should have some error handling for the IDT scans (it's only supported for x86)

As for the dark comet sample, I don't have VT Intel -- could you share it otherwise? (Malwr/Hybrid analysis is fine with me)

JohnMarachuk commented 8 years ago

Hopefully this works: http://bit.ly/1l6IA3A

Usual zip password

KillerInstinct commented 8 years ago

This works fine for me with 3.2.0 -- this also does not work when I replace /s with /

Can you test with a version downgrade? I'm looking through Yara commits to see if there would be a reason otherwise.

EDIT: I should note that you have to completely restart cuckoo to reload yara rules, and not just reprocess the results, as the rules get loaded here: https://github.com/brad-accuvant/cuckoo-modified/blob/master/cuckoo.py#L61

#BEGIN DARKCOMET DATA --
MUTEX={DC_MUTEX-HBMKYX6}
SID={Guest16}
FWB={1}
NETDATA={<redacted>.ddns.net:1604}
GENCODE={B7tcokCtvfo1}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC\msdcsc.exe}
KEYNAME={MicroUpdate}
EDTDATE={16/04/2007}
PERSINST={1}
MELT={1}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
SH1={1}
SH4={1}
SH5={1}
SH6={1}
SH7={1}
SH8={1}
SH9={1}
SH10={1}
CHIDEF={1}
CHIDED={1}
PERS={1}
OFFLINEK={1}
#EOF DARKCOMET DATA --