
Raku malware analysis

Paula
Threat Hunting analyst, used to be an offensive security expert. Privacy and Digital rights awareness. Teacher, sometimes.
・3 min read

Not long ago I explained how to do a simple malware analysis using the Yara tool. Yara is nice, mostly because its rules are the common query format in most public repositories of discovered malware. Still, I wondered about the limits of those rules, and how to write regex conditionals the way I would in other TTP (Tactics, Techniques and Procedures) queries. I also wondered whether something lighter might suit a small environment such as my Manjaro RPi for malware analysis. So anyway, let's explore what Raku offers for this topic. First of all, Raku was created by some Perl enthusiasts; one of them (the one who also taught me about it) has a blog here too.

It's interesting because it keeps the ideal of making a language accessible without quite forgetting about flexibility. One of the things that first caught my attention was its grammars. A grammar lets you parse structured input, which is very useful for website back-end work (check it out!). Within a grammar there are "rules", which let you apply regexes so that the input fits a description.

But rules can also be used apart from a grammar, and that's the main point of the script I have in mind. Variable declarations look like this:

my @string = 'this is a string';

We also have tokens, which rules can then build on:

my @string = 'this is a string';            # inside a regex an array interpolates as an alternation of its elements
my token somestuff { @string 'other string as well' }
my rule example { <somestuff> .* }          # <somestuff> calls the lexical token declared above

So, as you can see, a token can be treated as a kind of object to work with, and rules can be applied on those tokens. A rule either matches (True) or does not (False), so we can check it like this:

# a token ignores whitespace written in the pattern, so the spaces between the words are matched explicitly
my token hey { 'how' \s+ 'are' \s+ 'you' }
my rule match { <hey> .* }

say so 'how are you' ~~ &match; # OUTPUT: True

In this case `say so` prints the Boolean result of matching the rule. Now let's think about our particular case: we need genes (usually strings) that might be related to malware, or to malicious executables in general; some viruses share genes, and we would like to find this information in a given binary file. So! My approach:

# configuring the genes and the virus (some viruses share genes)
my token gene {'this is a malware gene'}
my rule virusx {<gene>.*}

# reading the sample line by line from a binary file
# (utf8-c8 decodes arbitrary bytes instead of throwing on invalid UTF-8)
for '/script/mysample'.IO.lines(:enc<utf8-c8>) -> $line {
    # If the line contains the gene, print it
    if $line ~~ &virusx { say "Genes from virus X were found: "; say $line; }
}

This is the simplest example, but several genes could be combined in the virus rule, and you can create as many rules as there are viruses you want to check. Also, the regex syntax used in the rules is Raku's standard one, which is convenient.
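As an added example (not code from the original post), here is the approach above extended in the two directions just mentioned: several genes per family, and one pattern per family, with the sample read as raw bytes so a real binary does not break the decoder. The family names, gene strings, the `scan-file` sub and the sample file content are all made up for the illustration. It also covers a caveat that bites as soon as two genes must appear in order: `token` and `rule` imply `:ratchet` and never backtrack, so `<gene1> .* <gene2>` only works in a `regex`.

```raku
#!/usr/bin/env raku
use v6.d;

# Genes: plain string literals. Tokens ignore whitespace written in the
# pattern and never backtrack, which is fine for fixed strings.
my token gene1 { 'this is a malware gene' }
my token gene2 { 'another malware gene' }
my token gene3 { 'eval(base64_decode(' }

# Family "virus X" needs gene1 followed later by gene2. `rule` and `token`
# imply :ratchet, so `.*` would swallow the rest of the line and never give
# it back; `regex` backtracks, so the second gene is found.
my regex virusx { <gene1> .* <gene2> }

# Family "virus Y" shares gene2 with virus X, or carries gene3 instead.
my rule virusy { <gene2> | <gene3> }

# family name => pattern; adding a family is one more entry here.
my %families = 'virus X' => &virusx, 'virus Y' => &virusy;

# Scan a file line by line and return one hash per hit.
# Binary samples are not valid UTF-8, so decode with utf8-c8, which maps
# invalid bytes to synthetic code points instead of throwing.
sub scan-file(IO::Path $path) {
    my @hits;
    for $path.lines(:enc<utf8-c8>).kv -> $n, $line {
        for %families.sort -> $pair {
            my ($family, $pattern) = $pair.kv;
            if $line ~~ $pattern -> $m {
                @hits.push: %( family => $family, line => $n + 1, matched => ~$m );
            }
        }
    }
    return @hits;
}

sub MAIN() {
    # Constructed sample: a fake header with non-UTF-8 bytes, then text lines.
    my $sample = $*TMPDIR.add('raku-gene-sample.bin');
    $sample.spurt: Blob.new(0x7F, 0x45, 0x4C, 0x46, 0x00, 0xFF, 0x0A)
        ~ "payload this is a malware gene ... another malware gene\n".encode
        ~ "a clean line\n".encode
        ~ "x = eval(base64_decode(\n".encode;

    for scan-file($sample) -> %hit {
        say "%hit<family> on line %hit<line>: %hit<matched>";
    }
    $sample.unlink;
}
```

Run it with `raku scan.raku` (any file name works). The second line of the constructed sample carries gene1 and then gene2, so it is reported for both families, while the last line is reported only for virus Y through gene3; the first line, which holds the non-UTF-8 header bytes, is decoded without an exception and simply does not match.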

An strace benchmark of a bash script launching Yara and a bash script launching the Raku script in Docker showed a time difference too small to be worth mentioning in itself, but the methodology could be interesting to explore. In the end Yara is very popular and useful, but this approach could be great for easy API implementations (Raku is well known for back-end work, as I said previously) and more flexible, because the rules are less limited.
