YARA Install

1. Introduction

YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.

In this exercise you'll install yara using the HL-LiveCD.

2. Yara install

You can follow several online installation guides, or you can just use the Hacking-Lab installer script.

By installing the hl-volatility-kali package on your LiveCD, the following components will get installed:

  • volatility 2 (python2)

  • volatility 3 (python3)

  • yara

  • yara rules

  • some additional volatility plugins

Please follow the movie below or run the following command in your terminal:

apt-get install hl-volatility-kali

/opt/applic directory before yara installation:

/opt/applic directory after yara installation:

3. Summarize Yara rules

If we have a look at the directory /opt/applic/yara-rules/malware we can see a lot of YARA rule files (.yar), each of which scans for a specific malware sample or malware family.

You may want to create a single yara file from /opt/applic/yara-rules/malware sub-folders.

To do so, please follow the instructions below:

cd /home/hacker/Downloads
make_yara_rules.py /opt/applic/yara-rules/malware

This will generate the malware_rules.yar in your local directory.
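The merge step above, as an added example that is not the Hacking-Lab make_yara_rules.py (whose source is not shown here): a hypothetical Python script that walks a rules directory, emits each module import once at the top, and drops any file that redefines a rule name already emitted, since YARA refuses to compile a ruleset containing duplicate rule identifiers. The three sample rule files are constructed inline so the merge can be exercised without the LiveCD.

```python
#!/usr/bin/env python3
"""Hypothetical stand-in for make_yara_rules.py (not the Hacking-Lab script).
Merges every *.yar under a directory, emits each module import once at the top
and drops a file that redefines an already-emitted rule name, because YARA
refuses to compile a ruleset with duplicate rule identifiers."""
import re
import sys
from pathlib import Path

RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+(\w+)', re.M)
IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"(\w+)"[ \t]*$', re.M)

# Constructed sample inputs standing in for files under /opt/applic/yara-rules/malware.
SAMPLE_SOURCES = [
    ('APT_Example.yar', 'import "pe"\n\nrule APT_Example_Dropper\n{\n    strings:\n'
                        '        $s = "dropper"\n    condition:\n        pe.is_pe and $s\n}\n'),
    ('Packer_UPX.yar', 'rule UPX_Packed\n{\n    strings:\n        $u = "UPX!"\n'
                       '    condition:\n        $u\n}\n'),
    ('Dup_Copy.yar', 'import "pe"\n\nrule UPX_Packed\n{\n    condition:\n'
                     '        pe.number_of_sections == 3\n}\n'),
]

def merge_rule_sources(sources):
    """sources: iterable of (label, text) -> (merged_text, skipped [(label, rule)])."""
    seen, imports, bodies, skipped = set(), [], [], []
    for label, text in sources:
        names = RULE_RE.findall(text)
        clash = [n for n in names if n in seen]
        if clash:  # keep the first definition of a rule name, report the rest
            skipped.append((label, clash[0]))
            continue
        seen.update(names)
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        bodies.append(f'// ---- {label} ----\n{IMPORT_RE.sub("", text).strip()}\n')
    header = ''.join(f'import "{m}"\n' for m in imports)
    return header + '\n' + '\n'.join(bodies), skipped

def merge_directory(root, out_file='malware_rules.yar'):
    paths = sorted(p for p in Path(root).rglob('*') if p.suffix in ('.yar', '.yara'))
    merged, skipped = merge_rule_sources(
        (str(p.relative_to(root)), p.read_text(errors='replace')) for p in paths)
    Path(out_file).write_text(merged)
    return len(paths) - len(skipped), skipped

if __name__ == '__main__':
    kept, skipped = merge_directory(sys.argv[1] if len(sys.argv) > 1 else '.')
    print(f'merged {kept} files into malware_rules.yar, skipped duplicates: {skipped}')
```

Run it as `python3 merge_rules.py /opt/applic/yara-rules/malware`; a skipped file is reported rather than silently dropped so you can check whether the two definitions actually differ.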

4. yara cli

First, let's start with a very simple local filesystem scan.

Please download some malware samples to your HL LiveCD:

cd /home/hacker/
git clone https://github.com/fabrimagic72/malware-samples.git
cd /home/hacker/malware-samples

From a previous exercise I had already downloaded some malware samples, so I'll use another path for scanning:

yara -r /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"

Malware is often packed!

Search for packers in the malware-samples folder:

yara -r -t Packer /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"

You won't get much output apart from warnings, because the sample files are mostly zipped.

You can hide the warnings with the -w flag.

Extract zip or 7zip files from malware samples

The following commands extract all malware samples and delete the archives afterwards. The password of the zip and 7z archives is "infected". Each loop repeats until no archive is left, so archives nested inside other archives get extracted as well; note that rm only runs when 7za succeeds, so an archive that fails to extract (for example with a different password) is never removed and the loop will not terminate.

cd /home/hacker/malware-samples

while [ "$(find . -type f -name '*.7z' | wc -l)" -gt 0 ]; do find . -type f -name '*.7z' -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done
while [ "$(find . -type f -name '*.zip' | wc -l)" -gt 0 ]; do find . -type f -name '*.zip' -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done

Instead of unzipping all the malware samples, I'll scan a file which I know is packed!

yara -r -t Packer /opt/applic/yara-rules/index.yar /home/hacker/Reversing

sample2.exe is packed with upx3 📦
