📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Yara install
  • 3. Summarize Yara rules
  • 4. yara cli

Was this helpful?

  1. Malware Analysis
  2. YARA

YARA Install

PreviousYARANextyarGen

Last updated 3 years ago

Was this helpful?

1. Introduction

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic

In this exercise you'll install yara using the HL-LiveCD.

2. Yara install

You can follow several online installation guides, or you can just use the Hacking-Lab installer script.

By installing the hl-volatility-kali on your LiveCD, the following components will get installed

  • volatility 2 (python2)

  • volatility 3 (python3)

  • yara

  • yara rules

  • some additional volatility plugins

Please follow the movie below or run the following command in your terminal:

apt-get install hl-volatility-kali

/opt/applic directory before yara installation:

/opt/applic directory after yara installation:

3. Summarize Yara rules

If we have a look at the following directory /opt/applic/yara-rules/malware we can see a lot of yar rules which scan for a specific malware or malware family.

You may want to create a single yara file from /opt/applic/yara-rules/malware sub-folders.

To do so, please follow the instructions below:

cd /home/hacker/Downloads make_yara_rules.py /opt/applic/yara-rules/malware

This will generate the malware_rules.yar in your local directory.

4. yara cli

First, let's start with a very simple local filesystem scan.

Please download some malware samples to your HL LiveCD

cd /home/hacker/ git clone https://github.com/fabrimagic72/malware-samples.git cd /home/hacker/malware-samples

From a previous exercise I did allready download some malware samples, so I'll use another path for scanning

yara -r /opt/applic/yara-rules/index.yar /home/hacker/misp files/malware-samples

Malware are often packed!

Search for Packers in the malware-samples folder

yara -r -t Packer /opt/applic/yara-rules/index.yar /home/hacker/misp files/malware-samples

You won't get many output except of the warnings because the sample files are mostly zipped.

You can hide the warnings with the -w flag

Extract zip or 7zip files from malware samples

Using the following command will unzip all malware samples and deletes the zip archive. The password of the zip or 7z is infected

cd /home/hacker/malware-samples

while [ "`find . -type f -name '*.7z' | wc -l`" -gt 0 ]; do find -type f -name "*.7z" -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done
while [ "`find . -type f -name '*.zip' | wc -l`" -gt 0 ]; do find -type f -name "*.zip" -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done

Instead of unziping all the malware examples I'll scann against a file which I know that is packed!

yara -r -t Packer /opt/applic/yara-rules/index.yar /home/hacker/Reversing

sample2.exe is packed with upx3

📦
Hacking-Lab LiveCD
Logo