ft_macho yara signature has matching string condition to ft_java_class
While working on #40 I noticed that ft_macho fires on a Java class file:
fsfclient datar/fsf_dump_1485954008_9700feb2e081ce6a0eb9d8d6c10604e7/
{
"Scan Time": "2017-02-02 12:27:12.296612",
"Filename": "",
"Source": "Analyst",
"Object": {
"META_BASIC_INFO": {
"MD5": "",
"SHA1": "ff24ac9300e4fca38bb44b8750d393ce3babd79b",
"SHA256": "",
"SHA512": "12ca384903d66857adae386303d283b40d384d43e7ff1c8049477ff67fc842dc59218c77b0e14e6ca78804bfc62bf6d3d632ccee60efca8deab14750691a4de7",
"ssdeep": "12:zMGBtmHS8FwMqEaO4M/MTdy1blPC/MOWe93LbRF7MW1B0BRdW/fEKN9Ip2bie:AGBtmHS8bky1blqF3LbzF1izdWjT",
"Size": "664 bytes"
},
"SCAN_YARA": {
"ft_macho": {
"company": "BroEZ",
"lastmod": "September 5 2016",
"desc": "Signature to trigger on mach-o file format.",
"author": "Jamie Ford"
},
"ft_java_class": {
"company": "Emerson",
"lastmod": "20160126",
"desc": "File magic for detecting a Java bytecode file.",
"author": "Jason Batchelor"
}
},
"META_JAVA_CLASS": {
"implements": [
"a.a.a.A"
],
"name": "a",
"fields": [],
"platform": "1.5",
"constants_pool": [
{
"index": 1,
"type": "class",
"value": "#34"
},
{
"index": 2,
"type": "class",
"value": "#36"
},
{
"index": 3,
"type": "class",
"value": "#37"
},
{
"index": 4,
"type": "class",
"value": "#38"
},
{
"index": 5,
"type": "class",
"value": "#40"
},
{
"index": 6,
"type": "class",
"value": "#41"
},
{
"index": 7,
"type": "class",
"value": "#42"
},
{
"index": 8,
"type": "class",
"value": "#43"
},
{
"index": 9,
"type": "Field",
"value": "#2.#20"
},
{
"index": 10,
"type": "Field",
"value": "#2.#22"
},
{
"index": 11,
"type": "Field",
"value": "#5.#19"
},
{
"index": 12,
"type": "Method",
"value": "#1.#17"
},
{
"index": 13,
"type": "Method",
"value": "#4.#18"
},
{
"index": 14,
"type": "Method",
"value": "#6.#16"
},
{
"index": 15,
"type": "Method",
"value": "#8.#21"
},
{
"index": 16,
"type": "NameAndType",
"value": "#28:#23"
},
{
"index": 17,
"type": "NameAndType",
"value": "#36:#24"
},
{
"index": 18,
"type": "NameAndType",
"value": "#36:#27"
},
{
"index": 19,
"type": "NameAndType",
"value": "#36:#30"
},
{
"index": 20,
"type": "NameAndType",
"value": "#36:#33"
},
{
"index": 21,
"type": "NameAndType",
"value": "#39:#26"
},
{
"index": 22,
"type": "NameAndType",
"value": "#40:#31"
},
{
"index": 23,
"type": "Utf8",
"value": "()V"
},
{
"index": 24,
"type": "Utf8",
"value": "(LRunApplet;)La/a/a/h;"
},
{
"index": 25,
"type": "Utf8",
"value": "(Lb;Ljava/lang/String;)V"
},
{
"index": 26,
"type": "Utf8",
"value": "(Ljava/lang/Object;ILjava/lang/Object;II)V"
},
{
"index": 27,
"type": "Utf8",
"value": "(Ljava/lang/String;[Ljava/lang/String;)Ljava/lang/Object;"
},
{
"index": 28,
"type": "Utf8",
"value": "<init>"
},
{
"index": 29,
"type": "Utf8",
"value": "Code"
},
{
"index": 30,
"type": "Utf8",
"value": "LRunApplet;"
},
{
"index": 31,
"type": "Utf8",
"value": "Lb;"
},
{
"index": 32,
"type": "Utf8",
"value": "LineNumberTable"
},
{
"index": 33,
"type": "Utf8",
"value": "Ljava/lang/String;"
},
{
"index": 34,
"type": "Utf8",
"value": "RunApplet"
},
{
"index": 35,
"type": "Utf8",
"value": "SourceFile"
},
{
"index": 36,
"type": "Utf8",
"value": "a"
},
{
"index": 37,
"type": "Utf8",
"value": "a/a/a/A"
},
{
"index": 38,
"type": "Utf8",
"value": "a/a/a/h"
},
{
"index": 39,
"type": "Utf8",
"value": "arraycopy"
},
{
"index": 40,
"type": "Utf8",
"value": "b"
},
{
"index": 41,
"type": "Utf8",
"value": "java/lang/Object"
},
{
"index": 42,
"type": "Utf8",
"value": "java/lang/String"
},
{
"index": 43,
"type": "Utf8",
"value": "java/lang/System"
}
],
"source_file": "SourceFile",
"extends": "java.lang.Object",
"version": [
49,
0
],
"class_requires": [
"RunApplet",
"b",
"java.lang.Object",
"a.a.a.h.a(java.lang.String,java.lang.String[]):java.lang.Object",
"java.lang.System.arraycopy(java.lang.Object,int,java.lang.Object,int,int):void",
"java.lang.Object.<init>():void",
"java.lang.System",
"a.a.a.A",
"RunApplet.a(RunApplet):a.a.a.h",
"java.lang.String",
"a.a.a.h",
"b.a:RunApplet"
],
"class_provides": [
"a",
"a.a(java.lang.String,java.lang.String[]):java.lang.Object"
],
"methods": []
}
},
"Summary": {
"Yara": [
"ft_java_class",
"ft_macho"
],
"Modules": [
"META_BASIC_INFO",
"META_JAVA_CLASS",
"SCAN_YARA"
],
"Observations": []
},
"Alert": false
}
Running yara with the -s flag shows that ft_java_class and ft_macho are both matching on the same four bytes at the same offset:
ft_java_class ../datar/fsf_dump_1485954008_9700feb2e081ce6a0eb9d8d6c10604e7/
0x0:$class: CA FE BA BE
ft_macho ../datar/fsf_dump_1485954008_9700feb2e081ce6a0eb9d8d6c10604e7/
0x0:$FAT_MAGIC: CA FE BA BE
@zcatbear, is `$FAT_MAGIC` at offset 0, with no other string or condition, really a sufficient trigger for a Mach-O (universal/fat) file? That is exactly the string and offset ft_java_class keys on, so every Java class file will also hit ft_macho (the scan above shows both rules firing on a 664-byte class). One of the two signatures needs an additional condition that distinguishes the formats.
Because both signatures require that exact string at the same offset and nothing else, we can't simply have ft_macho suppress the `$FAT_MAGIC` hit when ft_java_class also fired (the `not ft_java_class` approach): a YARA rule can only reference another rule that is compiled earlier in the same ruleset, and even then the shared magic alone tells us nothing about which format the file actually is. The two headers do differ right after the magic, though: a fat_header carries nfat_arch (a big-endian architecture count, normally a small number) at offset 4, while a class file carries minor_version/major_version there and major_version is never below 45 (this sample is major 49, minor 0), so a check on `uint32be(4)` can separate them without a cross-rule reference.
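rule ft_macho
{
    meta:
        author = "Jamie Ford"
        company = "BroEZ"
        lastmod = "September 5 2016"
        desc = "Signature to trigger on mach-o file format."
    strings:
        // Thin Mach-O: 32- and 64-bit mach_header magic, both byte orders.
        $MH_CIGAM_64 = { CF FA ED FE }
        $MH_MAGIC_64 = { FE ED FA CF }
        $MH_MAGIC_32 = { FE ED FA CE }
        $MH_CIGAM_32 = { CE FA ED FE }
        // Universal (fat) header magic, both byte orders. CA FE BA BE is
        // also the Java class-file magic, so on its own it is not enough
        // to say "Mach-O" -- see the condition.
        $FAT_MAGIC = { CA FE BA BE }
        $FAT_CIGAM = { BE BA FE CA }
    condition:
        // After CA FE BA BE a fat_header carries nfat_arch, a big-endian
        // architecture count, at offset 4. A Java class file carries
        // minor_version (u2) then major_version (u2) there, and
        // major_version is 45 (0x2D) or higher for every JDK, so
        // uint32be(4) is always >= 0x2D for a class file regardless of
        // minor_version. Requiring a count below that separates the two
        // formats without referencing ft_java_class (a cross-rule
        // reference only compiles when that rule is defined earlier in
        // the same ruleset, and it still would not identify the file).
        // NOTE(review): a deliberately crafted polyglot can satisfy both
        // rules; this is a classifier, not a validator -- the downstream
        // Mach-O/class parsers must check the header themselves.
        ($MH_CIGAM_64 at 0) or ($MH_MAGIC_64 at 0) or
        ($MH_CIGAM_32 at 0) or ($MH_MAGIC_32 at 0) or
        ($FAT_MAGIC at 0 and uint32be(4) < 0x2D) or
        ($FAT_CIGAM at 0)
}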