[clamav-users] Keymarble Yara rule?
Alessandro Vesely
vesely at tana.it
Tue Aug 14 18:24:37 UTC 2018
On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:
> I don't quite understand why you think it might not detect it.
>
> Text strings are not required to have an even number of digits. The hex
> equivalent to that string would be: {62 63 39 [...] 34 30}. As
> long as the string appears in a file, it should match.
That's right.
I thought it unlikely to find a 65-byte binary sequence, so it looked wrong to me. Perhaps that's a wrong conjecture, since a malware writer may want to hard-code crypto data in the executable. The sequence doesn't seem to be code.
> I'd have to have the actual sample file in order to say anything more about it.
I don't attach it, as it may appear to be a (broken) executable. Using an xxd[*] dump (instead of hd) solves the problem since xxd is reversible and idempotent:
~/tmp$ diff -s <(xxd -g 1 keymarble-dummy) <(xxd -g 1 keymarble-dummy|xxd -r|xxd -g 1)
Files /dev/fd/63 and /dev/fd/62 are identical
So you can copy the following to a file and revert to binary:
~/tmp$ xxd -g 1 keymarble-dummy
00000000: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d  MZthis is a dumm
00000010: 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65  y keymarble file
00000020: 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b   created for mak
00000030: 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00  ing tests...@...
00000040: 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38  PEbc9b75a3117758
00000050: 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66  7245305cd418b8df
00000060: 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63  78652d1c03e9da0c
00000070: 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31  fc910d6d38ee4191
00000080: 64 34 30 0a 00                                   d40..
Best
Ale
--
[*] https://github.com/jnweiger/xxd
(But it's probably already installed on your box.)
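As an added example (not part of the thread, and not ClamAV, YARA or xxd project code), the following Python rebuilds the dummy file from the dump above the way `xxd -r` would, checks that the dump's offsets are contiguous, and shows that the rule's 65-character text string and the `{62 63 39 ... 34 30}` hex-string form Al describes match the same bytes at the same offset. It stands in for the YARA engine with a plain substring search; the dump is embedded as constructed input.

```python
# Constructed sample input: the `xxd -g 1 keymarble-dummy` dump quoted in the message.
XXD_DUMP = """\
00000000: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d  MZthis is a dumm
00000010: 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65  y keymarble file
00000020: 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b   created for mak
00000030: 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00  ing tests...@...
00000040: 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38  PEbc9b75a3117758
00000050: 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66  7245305cd418b8df
00000060: 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63  78652d1c03e9da0c
00000070: 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31  fc910d6d38ee4191
00000080: 64 34 30 0a 00                                   d40..
"""
# The 65-digit text string the Keymarble rule looks for. The odd digit count is
# fine: YARA matches a text string as ASCII bytes (65 of them), not as binary.
KEYMARBLE_TEXT = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"

def xxd_reverse(dump):
    """Equivalent of `xxd -r` for the `-g 1` layout: parse the hex column of each
    line and require contiguous offsets, so a line lost in copy/paste is detected."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_str, rest = line.split(":", 1)
        if int(offset_str, 16) != len(out):
            raise ValueError(f"gap in dump before offset {offset_str}")
        out += bytes.fromhex(rest.strip().split("  ", 1)[0])  # hex column ends at 2 spaces
    return bytes(out)

def text_to_hex_string(s):
    """Render a YARA text string as the equivalent hex string: "bc9" -> "{ 62 63 39 }"."""
    return "{ " + " ".join(f"{b:02x}" for b in s.encode("ascii")) + " }"

def hex_string_to_bytes(h):
    """Bytes for a plain YARA hex string (no wildcards or jumps)."""
    return bytes.fromhex(h.strip().strip("{}"))

def match_offsets(data, text):
    """(offset of the text string, offset of its hex-string form); -1 when absent."""
    as_text = data.find(text.encode("ascii"))
    as_hex = data.find(hex_string_to_bytes(text_to_hex_string(text)))
    return as_text, as_hex

if __name__ == "__main__":
    sample = xxd_reverse(XXD_DUMP)
    print(len(sample), "bytes, match offsets:", match_offsets(sample, KEYMARBLE_TEXT))
```

Both forms report offset 0x42, right after the "PE" at 0x40 that the dummy's e_lfanew field (bytes 0x3c..0x3f) points to.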