Evasive Malware Detection with YARA
Summary
This documentation describes the setup of a malware analysis environment and the methodology for detecting evasive malware using static analysis with YARA. The focus is on identifying byte patterns (hardware instructions) and suspicious strings in order to distinguish evasive malware from legitimate software.
Requirements
- VirtualBox
- YARA
- Windows 10
- 6 evasive malware samples
- 6 additional malware samples
- 6 benign .exe files (Windows system)
Installation
Install REMnux in VirtualBox by downloading and importing the official distribution from [DownloadREMnux], and set up a Windows 10 VM for executing and transferring the required .exe files. Make sure both VMs boot correctly.
Hardening
Apply the following VirtualBox settings to both the REMnux and Windows 10 VMs as part of system hardening for safe, isolated malware analysis.
Shared Clipboard disabled:
No Drag and Drop:
No USB Passthrough:
No Shared Folders:
Take a clean snapshot of both VMs before introducing malware. This allows a quick revert to the clean starting state after an infection.
Network
Gateway REMnux Config
Shows a host-only adapter configured for a secure, internet-isolated analysis environment on both machines:
Shows a second NAT/bridged adapter used temporarily for downloading tools and samples, which is disabled before malware analysis on REMnux (acting as gateway):
# /etc/sysctl.conf: enable IP forwarding (net.ipv4.ip_forward=1) so REMnux can route for the Windows VM
sudo nano /etc/sysctl.conf
# activate the change
sudo sysctl -p
# Routing: masquerade traffic leaving through the uplink interface (enp0s8)
sudo iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
# netplan: configure the host-only and uplink interfaces
sudo nano /etc/netplan/01-netcfg.yaml
sudo netplan apply
# Check the resulting addresses
ip a
Windows Config
Shows a host-only adapter configured for a secure, internet-isolated analysis environment:
Change the IP address:
Dataset
Download the required malware samples from MalwareBazaar [MalewareDatabase] and store them inside the REMnux virtual machine in a dedicated analysis folder. Keep the VM isolated from the internet before and during analysis.
Warning: Malware samples are live and dangerous. Handle with extreme caution and ensure the analysis environment is completely isolated from the host and local network.
Evasive Malware
Malware
Benign Software
Copy files to REMnux
scp "C:\Windows\System32\<benignSoftware>.exe" remnux@10.0.0.1:/home/remnux/
- calc.exe
- chrome.exe
- vlc.exe
- notepad.exe
- cmd.exe
- taskmgr.exe
YARA
YARA run
Create a YARA rule file inside the REMnux virtual machine and store it in your analysis directory.
evasive_rules.yar
Run YARA against your samples to scan for static indicators of evasive behavior:
yara evasive_rules.yar /path/to/malware/
The -s option prints the specific strings and patterns that triggered each match, and -r scans the directory recursively:
yara -r -s evasive_rules.yar /path/to/malware/
YARA Final Rule
The final rule Evasive_Malware_Final combines checks for VM artifacts, analysis-tool names, and RDTSC-based timing evasion into a single condition to flag suspicious binaries.
The condition uint16(0) == 0x5A4D checks the "MZ" magic bytes at the start of the file (read as a little-endian 16-bit value, so the bytes 4D 5A become 0x5A4D). This ensures the rule only matches Windows Portable Executable files:
A hex dump of a benign sample (notepad.exe) confirms the presence of the signature 4d 5a:
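As an illustration of what such a rule looks like, here is an example rule written for this documentation; it is not the project's evasive_rules.yar, and the indicator strings and thresholds are assumptions rather than a tuned production signature.

```yara
/*
  Example rule written for this documentation (assumption: it is not the
  project's own evasive_rules.yar). Indicator strings and thresholds are
  illustrative choices, not a tuned production signature.
*/
rule Evasive_Malware_Example
{
    meta:
        description = "Static indicators of VM detection, analysis-tool checks and RDTSC timing evasion in PE files"
        author      = "example for this documentation, not the original project"

    strings:
        // VM artifacts: driver, service and vendor names queried by VM-aware code
        $vm1 = "VBoxGuest" ascii wide nocase
        $vm2 = "VBoxService" ascii wide nocase
        $vm3 = "VMware" ascii wide nocase
        $vm4 = "vmtoolsd" ascii wide nocase
        $vm5 = "QEMU" ascii wide nocase
        $vm6 = "SbieDll.dll" ascii wide nocase   // Sandboxie

        // Analysis tools: process names commonly enumerated before detonation
        $tool1 = "wireshark.exe" ascii wide nocase
        $tool2 = "procmon.exe" ascii wide nocase
        $tool3 = "x64dbg.exe" ascii wide nocase
        $tool4 = "ollydbg.exe" ascii wide nocase
        $tool5 = "ida64.exe" ascii wide nocase

        // RDTSC opcode (0F 31); a single hit is common in benign timing code,
        // so the condition below requires repeated occurrences
        $rdtsc = { 0F 31 }

    condition:
        // "MZ" header read as little-endian uint16: PE files only
        uint16(0) == 0x5A4D
        and filesize < 20MB
        and (
            // VM artifacts together with analysis-tool names
            (any of ($vm*) and any of ($tool*))
            // or repeated RDTSC combined with at least one string indicator
            or (#rdtsc >= 3 and (any of ($vm*) or any of ($tool*)))
        )
}
```

Run it with yara -r -s as above; the -s output shows which $vm, $tool or $rdtsc strings fired in each file. The benign Windows binaries should stay clean, and a match on one of them is a signal to raise the thresholds rather than a finding.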
Used Hardware
- CPU: AMD Ryzen 7 5800X
- RAM: 32 GB DDR4 system memory
- GPU: NVIDIA GeForce RTX 3070 Ti