When launching a YARA Lightning Hunt up to four different sample repositories can be selected to scan; Submissions, Labeled Artifacts, Unlabeled Artifacts, and Goodware.
Depending on the purpose of the YARA hunt some repositories may be preferable over others. By default all repositories are included in the hunt except for Goodware.
Submissions
The Submissions repository contains samples that initiated an analysis. The majority of these samples are packed PE files, both 32 and 64 bit.
This repository does not contain submissions that have been positively identified as unpacked malware. These are moved to the Labeled Artifacts repository.
This repository represents files as they appear on-disk, in the wild and is a good target for YARA rules used to hunt packed samples, or samples that might be observed in early stages of a malware delivery.
Labeled Artifacts
The Labeled Artifacts repository only contains PE files (both 32 and 64 bit) that have been positively identified as malware. This incudes both packed (submissions), and unpacked (in-memory) samples. Malware samples that have not been positively identified by UnpacMe are not present in this repository.
This repository is a good target for testing YARA rules used to identify malware families, specifically unpacked malware.
Unlabeled Artifacts
The Unlabeled Artifacts repository contains PE files (both 32 and 64 bit) that have been extracted from a parent file but have not been positively identified as malware. This includes both unknown malware, and other files that may have been packed for various reasons.
This repository is a good target for hunting and testing YARA rules used to identify malware in-memory.
Goodware
The Goodware repository contains PE files that have been verified as benign by UnpacMe. Heuristics are NOT used to categorize Goodware. Instead, samples are verified by tracking the hash of the file to a benign source. For example, files from the Windows operating system.
This repository can be used to test new YARA rules and ensure that they do not result in false positives.
Repository Selection
| Yara Rule Purpose | Repositories |
|---|---|
| Identify malware on disk or in network traffic. | ✅ Submissions ✅ Labeled Artifacts ✅ Goodware (Optional) |
| Identify malware in memory. | ✅ Labeled Artifacts ✅ Unlabeled Artifacts ✅ Goodware (Optional) |
| Hunt for related malware or malware characteristics. | ✅ Submissions ✅ Labeled Artifacts ✅ Unlabeled Artifacts |