take an in-depth look at the YARA framework in order to understand how to create a quality signature that can be used to detect malicious files associated with an alleged Iranian threat group known as "Leafminer."
More information on YARA can be found via the following webpage: https://blog.malwarebytes.com/security-world/technology/2017/09/explained-yara-rules/
Requirements:
1) In 1-2 paragraphs, please describe what the YARA framework is and why it has been widely adopted by cyber threat intelligence analysts in order to identify malware associated with bad actors. 150 words
2) In 1-2 paragraphs, please provide a brief overview of the Leafminer threat group based upon information contained in the following article: https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east 150 words
3) Using VirusTotal, please search for the following file hash: 1232366c104bdb6e42b04adb7eff4e08
- Please analyze this sample (using both VT and the metadata in the attached text file) and write a YARA signature that contains unique strings and is likely to produce true positive results during threat hunting activities
- Here's an example of a rule template you can use when writing your rule:

    rule Leafminer
    {
        strings:
            $s1 = "Sorgu.exe" wide ascii
            $s2 = "https://iqhost.us:3389/" wide ascii
        condition:
            any of them
    }
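A worked rule built from the strings dump further down, added here as an example and not the assignment's template: every string comes from that dump, each is tagged with the encoding it actually has in the binary (the C2 URL and fake service name occur only in the Unicode section, so they need `wide`), and the condition is tightened to an MZ header check plus string combinations so that no single common string can fire the rule on its own. The 2MB size bound is an assumption for this example.

```yara
rule Leafminer_Sorgu_Service_Backdoor
{
    meta:
        description = "Example rule for the .NET 'Sorgu.exe' service backdoor from the Leafminer exercise"
        reference   = "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
        md5         = "1232366c104bdb6e42b04adb7eff4e08"

    strings:
        // Original file name: ASCII in the managed metadata, UTF-16 in VS_VERSION_INFO
        $name = "Sorgu.exe" wide ascii

        // C2 URL is present only in the Unicode strings section, so 'wide' is mandatory
        $c2 = "https://adobe-flash.us:3389/" wide

        // Fake service name used to masquerade as the Group Policy client (Unicode only)
        $svc = "gpmsvc" wide

        // .NET type and method names from the metadata table (ASCII only)
        $cls1 = "CmdService" ascii
        $cls2 = "MainService" ascii
        $fn1  = "TimerElasped" ascii   // misspelling in the malware's own method name: a strong pivot
        $fn2  = "RunCmd" ascii
        $fn3  = "SendRequest" ascii
        $pack = "Powered by SmartAssembly" ascii

    condition:
        // Restrict to PE files (assumed size bound) so a document quoting the URL cannot match
        uint16(0) == 0x5A4D and filesize < 2MB and
        (
            $c2 or
            ($fn1 and 2 of ($cls*, $fn2, $fn3, $svc)) or
            ($name and $pack and 2 of ($cls*))
        )
}
```

Check the rule with `yara -s` against the sample and a clean SvcHost binary: the version-resource strings alone ("Host Process for Windows Services", "Microsoft Corporation") are deliberately left out because they are copied from legitimate Windows files and would only add false positives.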
You are encouraged to perform additional open source research on the topics of YARA and Leafminer as necessary to support your submission. Please provide a list of all external sources (URLs are sufficient) on the last page of your report.
ASCII Strings:
=====================
This program cannot be run in DOS mode. .reloc v2.0.50727 Strings Sorgu.exe <Module> mscorlib Object System <>c__DisplayClass9_0 <>c__DisplayClass11_0 MainService CmdService System.ServiceProcess ServiceBase Program ProjectInstaller System.Configuration.Install Installer PoweredByAttribute SmartAssembly.Attributes Attribute _handle _timer System.Threading _counter <>9__6_0 RemoteCertificateValidationCallback System.Net.Security StringBuilder System.Text serviceProcessInstaller ServiceProcessInstaller serviceInstaller ServiceInstaller .cctor OnStart OnStop TimerElasped SendRequest Action WebClient System.Net action RunCmd argument GetKey EmptyWorkingSet hwProc psapi.dll InitializeComponent Process System.Diagnostics TimerCallback WebHeaderCollection HttpRequestHeader Component System.ComponentModel ProcessStartInfo Encoding ProcessWindowStyle DataReceivedEventHandler Exception <.ctor>b__6_0 X509Certificate System.Security.Cryptography.X509Certificates X509Chain SslPolicyErrors errors <TimerElasped>b__0 client <TimerElasped>b__1 <RunCmd>g__DoEvent0 DataReceivedEventArgs ServiceAccount ServiceStartMode InstallerCollection AssemblyCompanyAttribute System.Reflection AssemblyProductAttribute ComVisibleAttribute System.Runtime.InteropServices NeutralResourcesLanguageAttribute System.Resources AssemblyFileVersionAttribute AssemblyCopyrightAttribute RuntimeCompatibilityAttribute System.Runtime.CompilerServices CompilationRelaxationsAttribute DebuggableAttribute DebuggingModes AssemblyDescriptionAttribute AssemblyTitleAttribute CompilerGeneratedAttribute RunInstallerAttribute String Invoke DateTime get_UtcNow get_Ticks Registry Microsoft.Win32 LocalMachine RegistryKey OpenSubKey ToString GetValue SetValue ServicePointManager set_ServerCertificateValidationCallback SetTcpKeepAlive GetCurrentProcess get_Handle Change Dispose IsNullOrEmpty get_Headers set_Item get_StartInfo set_UseShellExecute set_ErrorDialog set_RedirectStandardError set_RedirectStandardOutput set_RedirectStandardInput set_CreateNoWindow get_UTF8 set_StandardErrorEncoding set_StandardOutputEncoding set_WindowStyle set_FileName Concat set_Arguments add_OutputDataReceived add_ErrorDataReceived BeginOutputReadLine WaitForExit get_Message set_AutoLog DownloadString GetBytes UploadData get_Data AppendLine set_Account set_Password set_Username set_Description set_DisplayName set_ServiceName set_StartType get_Installers AddRange Microsoft Corporation Microsoft Windows Operating System 6.1.7600.0 Microsoft Corporation. All rights reserved. WrapNonExceptionThrows Host Process for Windows Services Powered by SmartAssembly 6.11.1.354 _CorExeMain mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!-- Copyright (c) Microsoft Corporation --> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="5.1.0.0" processorArchitecture="amd64" name="Microsoft.Windows.Services.SvcHost" type="win32" /> <description>Host Process for Windows Services</description> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> </assembly>

Unicode Strings:
=====================
cmd.exe SOFTWAREClasses* Timespan https://adobe-flash.us:3389/ Group Policy Manager gpmsvc The service is responsible for managing settings for the computer and users through the Group Policy component. If the service is disabled, the settings will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is disabled.
VS_VERSION_INFO VarFileInfo Translation StringFileInfo 000004b0 Comments Host Process for Windows Services CompanyName Microsoft Corporation FileDescription Host Process for Windows Services FileVersion 6.1.7600.0 InternalName Sorgu.exe LegalCopyright Microsoft Corporation. All rights reserved. OriginalFilename Sorgu.exe ProductName Microsoft Windows Operating System ProductVersion 6.1.7600.0 Assembly Version 0.0.0.0