YAMA is a memory-analysis tool from JPCERT/CC that detects hidden malware by scanning the live memory of Windows machines using custom YARA rules, addressing obfuscated and fileless threats. It is easy to deploy across devices and can export results in text or JSON for incident response.
#YAMA #JPCERTCC
#YAMA #JPCERTCC
Keypoints
- Malware that is obfuscated or fileless challenges traditional antivirus detection and often surfaces during incident responses.
- YAMA performs memory scans on a running Windows machine using YARA rules to detect unknown or hidden malware.
- Key features include customizable YARA rules, no full-tool installation required, and exportable results in text or JSON.
- It enables scanning the entire live memory (not just files or individual processes) for better detection of stealthy threats.
- Deployment is streamlined: fork the YAMA repo, add custom YARA rules, and build a scanner via GitHub Actions.
- Usage options include scanning all processes or specific PIDs, and optional EVTX logging with defined event IDs for status and detections.
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information β The article references obfuscated malware and fileless attacks as challenges addressed by memory-based YARA scanning. βmalware that antivirus software cannot detect is often found during actual incident responses.β
Indicators of Compromise
- [URL] Repository β https://github.com/JPCERTCC/YAMA β YAMA GitHub repository for the memory analyzer tool.
- [URL] Documentation/video β https://www.youtube.com/embed/c0ip9_dvcYg β YouTube demonstration video for malware detection with YAMA scanner.
- [File name] yama.exe β YAMA binary used to perform memory analysis (scanner tool).
- [Event ID] 10, 11, 20, 40 β EVTX logging event IDs related to YAMA operation (start, stop, no detection, malware detected).