Take an in-depth look at the YARA framework in order to understand how to create a quality signature that can be used to detect malicious files associated with an alleged Iranian threat group known as “Leafminer.”
More information on YARA can be found via the following webpage: https://blog.malwarebytes.com/security-world/technology/2017/09/explained-yara-rules/
Requirements:
1) In 1-2 paragraphs, please describe what the YARA framework is and why it has been widely adopted by cyber threat intelligence analysts in order to identify malware associated with bad actors. 150 words
2) In 1-2 paragraphs, please provide a brief overview of the Leafminer threat group based upon information contained in the following article: https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east 150 words
3) Using VirusTotal, please search for the following file hash: 1232366c104bdb6e42b04adb7eff4e08
- Please analyze this sample (using both VT and the metadata in the attached text file) and write a YARA signature that contains unique strings that is likely to produce true positive results for threat hunting activities
- Here’s an example of a rule template you can use when writing your rule:
- rule Leafminer { strings: $s1 = “Sorgu.exe” wide ascii $s2 = “https://iqhost.us:3389/” wide ascii condition: any of them }
You are encouraged to perform additional open source research on the topics of YARA and Leafminer as necessary to support your submission. Please provide a list of all external sources (URLs are sufficient) on the last page of your report.
