More Yara Support including Yara Rules for Rats

web/static/js/volutility.js

@@ -185,6 +185,7 @@ function ajaxHandler(command, postFields, spinner) {
         postOptions['yara-case'] = $('#yara-case').prop('checked');
         postOptions['yara-kernel'] = $('#yara-kernel').prop('checked');
         postOptions['yara-wide'] = $('#yara-wide').prop('checked');
+        postOptions['yara-file'] = $('#yara-file').val();
     }
 
     if (command == 'memhex' || command == 'memhexdump'){

web/templates/modals/yara_modal.html

@@ -6,61 +6,55 @@
 
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
-                <h4 class="modal-title">Add Session</h4>
+                <h4 class="modal-title">Yara Scanner</h4>
             </div>
 
             <div class="modal-body">
 
-
-                <ul class="nav nav-pills">
-                    <li class="active"><a data-toggle="pill" href="#yarastrings">Manual Rule</a></li>
-                    <li><a data-toggle="pill" href="#rulefile">Rule File</a></li>
-                </ul>
-
-                <div class="tab-content">
-                    <div id="yarastrings" class="tab-pane fade in active">
-                        <h4>Yara Strings</h4>
-                        <form class="form">
-                          <div class="form-group">
-                            <input type="text" class="form-control" id="yara-string" placeholder="Search String">
-                          </div>
-                          <div class="form-group">
-                            <input type="text" class="form-control" id="yara-hex" placeholder="Size of hexdump preview (256b)">
-                          </div>
-                          <div class="form-group">
-                            <input type="text" class="form-control" id="yara-reverse" placeholder="Reverse this many bytes">
-                          </div>
-
-                          <div class="checkbox">
-                            <label>
-                              <input type="checkbox" id="yara-case"> Case Insensative
-                            </label>
-                          </div>
-
-                          <div class="checkbox">
-                            <label>
-                              <input type="checkbox" id="yara-kernel"> Scan Kernel Modules
-                            </label>
-                          </div>
-
-                          <div class="checkbox">
-                            <label>
-                              <input type="checkbox" id="yara-wide"> Match Unicode Strings (Wide)
-                            </label>
-                          </div>
-
-
-
-                            <a href="#" onclick="ajaxHandler('yara-string', {'session_id':'{{session_details|get:"_id"}}', 'target_div':'yara-out'}, false )" class="btn btn-info" role="button">Scan for Strings</a>
-                        </form>
-                    </div>
-
-
-                    <div id="rulefile" class="tab-pane fade">
-                        <h4>VirusTotal</h4>
-                    </div>
-                </div>
-
+                <form class="form">
+                  <div class="form-group">
+                    <input type="text" class="form-control" id="yara-string" placeholder="Search for a String">
+                  </div>
+                  <div class="form-group">
+                      <select class="form-control" id="yara-file">
+                          <option class="text-muted">OR Select a Yara File</option>
+                          {% for rulefile in yara_list %}
+                            <option value="{{rulefile}}">{{rulefile}}</option>
+                          {% endfor %}
+                      </select>
+                  </div>
+                  <div class="form-group">
+                    <input type="text" class="form-control" id="yara-hex" placeholder="Size of hexdump preview (256b)">
+                  </div>
+                  <div class="form-group">
+                    <input type="text" class="form-control" id="yara-reverse" placeholder="Reverse this many bytes">
+                  </div>
+
+                  <div class="checkbox">
+                    <label>
+                      <input type="checkbox" id="yara-case"> Case Insensative
+                    </label>
+                  </div>
+
+                  <div class="checkbox">
+                    <label>
+                      <input type="checkbox" id="yara-kernel"> Scan Kernel Modules
+                    </label>
+                  </div>
+
+                  <div class="checkbox">
+                    <label>
+                      <input type="checkbox" id="yara-wide"> Match Unicode Strings (Wide)
+                    </label>
+                  </div>
+
+
+
+                    <a href="#" onclick="ajaxHandler('yara-string', {'session_id':'{{session_details|get:"_id"}}', 'target_div':'yara-out'}, false )" class="btn btn-info" role="button">Scan for Strings</a>
+                </form>
+
+
+                <hr>
 
                 <div id="yara-out"></div>
 

web/templates/session.html

@@ -113,7 +113,7 @@ <h3 class="panel-title">Image Information</h3>
       <form class="navbar-form navbar-left" role="search">
 
         <div class="form-group">
-            <label for="compression">Search Type</label>
+            <label for="search_type">Search Type</label>
             <select class="form-control" id="search_type" name="SearchType">
               <option value="plugin">plugin output</option>
               <option value="hash">Hash</option>

web/views.py

@@ -182,6 +182,7 @@ def session_page(request, sess_id):
     session_details = db.get_session(session_id)
     comments = db.get_commentbysession(session_id)
     plugin_list = []
+    yara_list = os.listdir('yararules')
     plugin_text = db.get_pluginbysession(ObjectId(sess_id))
     version_info = {'python': str(sys.version).split()[0],
                     'volatility': vol_interface.vol_version,
@@ -193,7 +194,8 @@ def session_page(request, sess_id):
                                             'plugin_output': plugin_text,
                                             'comments': comments,
                                             'error_line': error_line,
-                                            'version_info': version_info})
+                                            'version_info': version_info,
+                                            'yara_list': yara_list})
 
 
 # Post Handlers
@@ -242,7 +244,6 @@ def create_session(request):
         profiles = []
 
         for line in lines.split('\n'):
-            print line
             if 'Profile suggestion' in line:
                 profiles.append(line.split(':')[1].strip())
 
@@ -690,11 +691,15 @@ def ajax_handler(request, command):
 
     if command == 'yara-string':
 
-        print request.POST
+        session_id = request.POST['session_id']
 
+        if request.POST['yara-string'] != '':
+            yara_string = request.POST['yara-string']
+        else:
+            yara_string = False
 
-        session_id = request.POST['session_id']
-        yara_string = request.POST['yara-string']
+        if request.POST['yara-file'] != '':
+            yara_file = os.path.join('yararules', request.POST['yara-file'])
 
         yara_hex = request.POST['yara-hex']
         if yara_hex != '':
@@ -731,13 +736,26 @@ def ajax_handler(request, command):
         try:
             session = db.get_session(ObjectId(session_id))
             vol_int = RunVol(session['session_profile'], session['session_path'])
-            results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_RULES': yara_string,
+
+            if yara_string:
+                results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_RULES': yara_string,
+                                                                                          'CASE': yara_case,
+                                                                                          'ALL': yara_kernel,
+                                                                                          'WIDE': yara_wide,
+                                                                                          'SIZE': yara_hex,
+                                                                                          'REVERSE': yara_reverse})
+
+            elif yara_file:
+                results = vol_int.run_plugin('yarascan', output_style='json', plugin_options={'YARA_FILE': yara_file,
                                                                                           'CASE': yara_case,
                                                                                           'ALL': yara_kernel,
                                                                                           'WIDE': yara_wide,
                                                                                           'SIZE': yara_hex,
                                                                                           'REVERSE': yara_reverse})
 
+            else:
+                return
+
 
 
             if 'Data' in results['columns']:
@@ -750,7 +768,9 @@ def ajax_handler(request, command):
                         logger.warning('Error converting hex to str: {0}'.format(e))
 
 
-            return render(request, 'plugin_output.html', {'plugin_results': results})
+            return render(request, 'plugin_output.html', {'plugin_results': results,
+                                                          'plugin_id': None,
+                                                          'bookmarks': []})
             #return HttpResponse(results)
         except Exception as error:
             logger.error(error)

yararules/AAR.yar

@@ -0,0 +1,21 @@
+rule AAR
+{
+	meta:
+		author = " Kevin Breen <[email protected]>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/AAR"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "Hashtable"
+		$b = "get_IsDisposed"
+		$c = "TripleDES"
+		$d = "testmemory.FRMMain.resources"
+		$e = "$this.Icon" wide
+		$f = "{11111-22222-20001-00001}" wide
+		$g = "@@@@@"
+
+	condition:
+		all of them
+}

yararules/Adzok.yar

@@ -0,0 +1,24 @@
+rule Adzok
+{
+	meta:
+		author = " Kevin Breen <[email protected]>"
+		Description = "Adzok Rat"
+		Versions = "Free 1.0.0.3,"
+		date = "2015/05"
+		ref = "http://malwareconfig.com/stats/Adzok"
+		maltype = "Remote Access Trojan"
+		filetype = "jar"
+
+	strings:
+		$a1 = "config.xmlPK"
+		$a2 = "key.classPK"
+		$a3 = "svd$1.classPK"
+		$a4 = "svd$2.classPK"
+   		$a5 = "Mensaje.classPK"
+		$a6 = "inic$ShutdownHook.class"
+		$a7 = "Uninstall.jarPK"
+		$a8 = "resources/icono.pngPK"
+        
+	condition:
+    		7 of ($a*)
+}

yararules/AlienSpy.yar

@@ -0,0 +1,46 @@
+rule AlienSpy
+{
+    meta:
+        author = "Kevin Breen"
+        ref = "http://malwareconfig.com/stats/AlienSpy"
+        maltype = "Remote Access Trojan"
+        filetype = "jar"
+
+    strings:
+        $PK = "PK"
+        $MF = "META-INF/MANIFEST.MF"
+    
+        $a1 = "a.txt"
+        $a2 = "b.txt"
+        $a3 = "Main.class"
+    
+        $b1 = "ID"
+        $b2 = "Main.class"
+        $b3 = "plugins/Server.class"
+    
+        $c1 = "resource/password.txt"
+        $c2 = "resource/server.dll"
+    
+        $d1 = "java/stubcito.opp"
+        $d2 = "java/textito.isn"
+    
+        $e1 = "java/textito.text"
+        $e2 = "java/resources.xsx"
+    
+        $f1 = "amarillo/asdasd.asd"
+        $f2 = "amarillo/adqwdqwd.asdwf"
+
+        $g1 = "config/config.perl"
+        $g2 = "main/Start.class"
+        
+        $o1 = "config/config.ini"
+        $o2 = "windows/windows.ini"
+        $o3 = "components/linux.plsk"
+        $o4 = "components/manifest.ini"
+        $o5 = "components/mac.hwid"
+        
+
+    condition:
+        $PK at 0 and $MF and
+        (all of ($a*) or all of ($b*) or all of ($c*) or all of ($d*) or all of ($e*) or all of ($f*) or all of ($g*) or any of ($o*))
+}

yararules/Ap0calypse.yar

@@ -0,0 +1,20 @@
+rule Ap0calypse
+{
+	meta:
+		author = " Kevin Breen <[email protected]>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Ap0calypse"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+	strings:
+		$a = "Ap0calypse"
+		$b = "Sifre"
+		$c = "MsgGoster"
+		$d = "Baslik"
+		$e = "Dosyalars"
+		$f = "Injecsiyon"
+
+	condition:
+		all of them
+}

yararules/Arcom.yar

@@ -0,0 +1,20 @@
+rule Arcom
+{
+	meta:
+		author = " Kevin Breen <[email protected]>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/Arcom"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+    strings:
+        $a1 = "CVu3388fnek3W(3ij3fkp0930di"
+        $a2 = "ZINGAWI2"
+        $a3 = "clWebLightGoldenrodYellow"
+        $a4 = "Ancestor for '%s' not found" wide
+        $a5 = "Control-C hit" wide
+        $a6 = {A3 24 25 21}
+        
+    condition:
+        all of them
+}

yararules/Bandook.yar

@@ -0,0 +1,27 @@
+rule Bandook
+{
+
+	meta:
+		author = " Kevin Breen <[email protected]>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/bandook"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+    strings:
+    		$a = "aaaaaa1|"
+            $b = "aaaaaa2|"
+            $c = "aaaaaa3|"
+            $d = "aaaaaa4|"
+			$e = "aaaaaa5|"
+			$f = "%s%d.exe"
+			$g = "astalavista"
+			$h = "givemecache"
+			$i = "%s\\system32\\drivers\\blogs\\*"
+			$j = "bndk13me"
+			
+
+        
+    condition:
+    		all of them
+}

yararules/BlackNix.yar

@@ -0,0 +1,20 @@
+rule BlackNix
+{
+	meta:
+		author = " Kevin Breen <[email protected]>"
+		date = "2014/04"
+		ref = "http://malwareconfig.com/stats/BlackNix"
+		maltype = "Remote Access Trojan"
+		filetype = "exe"
+
+    strings:
+		$a1 = "SETTINGS" wide
+		$a2 = "Mark Adler"
+		$a3 = "Random-Number-Here"
+		$a4 = "RemoteShell"
+		$a5 = "SystemInfo"
+
+	
+	condition:
+		all of them
+}