YAMA

Yet Another Memory Analyzer for malware detection

Concept

YAMA is a system for generating scanner that can inspect specific malware during incident response. The scanner generated by YAMA is designed to explore the memory of Windows OS and detect malware. With the increasing prevalence of fileless malware that deploys only in memory, YAMA aims to facilitate quick response in incident handling by detecting such malware.

Features

• Generate scanner that operates as a single binary
• Detects malware using YARA rules and memory information
• Creates malware detection binaries tailored for each user's IR needs by writing custom YARA rules
• Outputs detection results in text/JSON format

How the scanner works

YAMA scanner operates as a Windows UserMode application, analyzing the memory spaces of processes running in user mode, scanning memory spaces with suspicious attributes using YARA, and identifying malware.

First, YAMA analyzes each process and extracts the following information:

• Process address space information
• Process PEB (Process Environment Block) structure
• Process TEB (Thread Environment Block) structure
• Process stack region
• Process heap region
• Process thread information
• File mapping information for each virtual address space
• Signature information of the mapped files

Next, YAMA determines the memory spaces to be inspected based on the analyzed information. This is done to select only necessary memory spaces and avoid performance impacts from searching the entire memory space.

Finally, YAMA inspects the targeted memory spaces using YARA rules embedded in the binary's resource section.

Use case

By combining YARA rules available on platforms like GitHub, it is possible to create a memory scanner that can investigate traces of specific targeted attack campaigns.

For example, building a YAMA scanner using the APT10 rule from JPCERTCC/jpcert-yara would create a tool suitable for threat hunting APT10 malware.

JPCERTCC/jpcert-yara offers numerous YARA rules compatible with various APT campaigns such as APT10, APT29, BlackTech, and Lazarus, as well as rules for different types of malware. It is highly recommended for reference.

How to build your custom YAMA scanner

Refer to the Wiki.

Dependencies

This project relies on the following open-source software to function properly:

• VirusTotal/yara - GitHub
• gabime/spdlog - GitHub
• nlohmann/json - GitHub
• p-ranav/argparse - GitHub

Acknowledgements and Inspirations

We'd like to thank these GitHub repositories that inspired and influenced our project:

• volatilityfoundation/volatility3 - GitHub
• forrest-orr/moneta - GitHub