For todays rule I wanted to learn more about the vt yara module. This module lets you acess metadata like antivirus signatures, file type, file behavior, submitter.
I've taken my generic .appx detection rule and have used the vt module to check for suspicious files using the vt conditionals to check for:
- files with more than 5 detections OR
- files with more than 1 detection that were uploaded from China or Russia
Here is the Yara rule that uses of the vt module to detect possible appx malware!
import "vt"
rule sus_appx_files {
meta:
author = "Colin Cowie"
description = "Detects suspicious appx files with the help of the VirusTotal module"
reference = "https://twitter.com/f0wlsec/status/1481338661824307204"
strings:
$header = { 50 4B 03 04 }
$xml_string = "AppxManifest.xmlPK"
$ct_xml = "[Content_Types].xmlPK"
$ci_cat = "AppxMetadata/CodeIntegrity.catPK"
$signature_string = "AppxSignature.p7xPK"
$block_map = "AppxBlockMap.xmlPK"
condition:
$header at 0
and $xml_string and $ct_xml and $ci_cat and $signature_string and $block_map
and (vt.metadata.analysis_stats.malicious > 5 or (vt.metadata.analysis_stats.malicious > 1 and (vt.metadata.submitter.country == "CN" or vt.metadata.submitter.country == "RU")))
}
Added in these vt conditionals significantly trimmed down the number of results.