Hunting Evil with YARA (Linux Edition)

Could anyone help me with this exercise please? I have been stuck here for days.

Question is:

Study the following resource Threat Report: Illuminating Volume Shadow Deletion - VMware Security Blog - VMware to learn how WannaCry performs shadow volume deletion. Then, use yarascan when analyzing “/home/htb-student/MemoryDumps/compromised_system.raw” to identify the process responsible for deleting shadows. Enter the name of the process as your answer.

I studied the given link and created a file rule.yar with the rule from the website. Then I scanned with yarascan:

vol.py -f /home/htb-student/MemoryDumps/compromised_system.raw yarascan -y /home/htb-student/Rules/yara/rule.yar

But I always get error messages, and all the process names I tried are wrong.

I’m facing the same problem, did you manage to solve it?

No, sorry :frowning:

I finally got it

After copying the rule provided on the website, run this:
vol.py -f /home/htb-student/MemoryDumps/compromised_system.raw yarascan -U "shadowcopy"

Then check pid 3100


I wanna add some words
1st, make sure your YARA rule is written correctly and matches the WannaCry features described in the threat report. You may need to adapt the rule or use other methods to find the process in the memory dump. Next, check that you are specifying the correct path to the YARA rules file when running the yarascan command. Make sure the path is correct and the file is readable. Also make sure you use the correct command format to run yarascan and specify the correct memory image path format.

shadow is the keyword

The author mentioned a YARA rule with the -U filter; then you have to look for something shadowcopy related. There's a process associated with the PID, and the process name is the answer (not the .exe, but @something@).

I cut and pasted the YARA file from the blog site. See below.
Then I ran the command below (from the module). It gives an error.
There is an unmatched ")" in the YARA file from the blog post.
I tried to fix it by finding a matching "(" but was not able to do so.
I then used the YARA file from the link below and got the answer.

https://unprotect.it/technique/volume-shadow-copy-service-vscvss-deletion/

One more addition: if you take the YARA rule as given in the blog post and send it to unpac.me for validation, it fails. It identifies the unmatched ")" as a problem.

I played around some more with the rule and found the correct location of the opening “(”.
The fix is on line 18.

Look for one of the commands in the lesson, and then add the -U filter. Filter with shadowcopy.

Very Important: The name of the process is not a standard, normal process which you see in YARA findings. It is a custom name near the PID, between @s. It took me 2 hours, after trying the Windows processes that appeared 100 times.