Cuckoo module

The Cuckoo module enables you to create YARA rules based on behavioral information generated by Cuckoo sandbox. While scanning a PE file with YARA, you can pass additional information about its behavior to the cuckoo module and create rules based not only on what it contains, but also on what it does.

Important

This module is not built into YARA by default, to learn how to include it refer to Compiling and installing YARA. Good news for Windows users: this module is already included in the official Windows binaries.

Suppose that you're interested in executable files sending a HTTP request to http://someone.doingevil.com. In previous versions of YARA you had to settle with:

rule evil_doer
{
    strings:
        $evil_domain = "http://someone.doingevil.com"

    condition:
        $evil_domain
}

The problem with this rule is that the domain name could be contained in the file for perfectly valid reasons not related with sending HTTP requests to http://someone.doingevil.com. Furthermore, the malicious executable could contain the domain name ciphered or obfuscated, in which case your rule would be completely useless.

But now with the cuckoo module you can take the behavior report generated for the executable file by your Cuckoo sandbox, pass it alongside the executable file to YARA, and write a rule like this:

import "cuckoo"

rule evil_doer
{
    condition:
        cuckoo.network.http_request(/http:\/\/someone\.doingevil\.com/)
}

Of course you can mix your behavior-related conditions with good old string-based conditions:

import "cuckoo"

rule evil_doer
{
    strings:
        $some_string = { 01 02 03 04 05 06 }

    condition:
        $some_string and
        cuckoo.network.http_request(/http:\/\/someone\.doingevil\.com/)
}

But how do we pass the behavior information to the cuckoo module? Well, in the case of the command-line tool you must use the -x option in this way:

$yara -x cuckoo=behavior_report_file rules_file pe_file

behavior_report_file is the path to a file containing the behavior file generated by the Cuckoo sandbox in JSON format.

If you are using yara-python then you must pass the behavior report in the modules_data argument for the match method:

import yara
rules = yara.compile('./rules_file')
report_file = open('./behavior_report_file')
report_data = report_file.read()
rules.match(pe_file, modules_data={'cuckoo': bytes(report_data)})

Reference

network
http_request(regexp)

Function returning true if the program sent a HTTP request to a URL matching the provided regular expression.

Example: cuckoo.network.http_request(/evil\.com/)

http_get(regexp)

Similar to http_request(), but only takes into account GET requests.

http_post(regexp)

Similar to http_request(), but only takes into account POST requests.

dns_lookup(regexp)

Function returning true if the program sent a domain name resolution request for a domain matching the provided regular expression.

Example: cuckoo.network.dns_lookup(/evil\.com/)

registry
key_access(regexp)

Function returning true if the program accessed a registry entry matching the provided regular expression.

Example: cuckoo.registry.key_access(/\\Software\\Microsoft\\Windows\\CurrentVersion\\Run/)

filesystem
file_access(regexp)

Function returning true if the program accessed a file matching the provided regular expression.

Example: cuckoo.filesystem.file_access(/autoexec\.bat/)

sync
mutex(regexp)

Function returning true if the program opens or creates a mutex matching the provided regular expression.

Example: cuckoo.sync.mutex(/EvilMutexName/)