# YARA Install

### 1. Introduction

> YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic.

In this exercise you'll install YARA on the HL LiveCD.

<https://livecd.hacking-lab.com>

### 2. Yara install

You can follow several online installation guides, or you can just use the Hacking-Lab installer script.

Installing the `hl-volatility-kali` package on your LiveCD brings in the following components:

* volatility 2 (python2)
* volatility 3 (python3)
* yara
* yara rules
* some additional volatility plugins

Please follow the movie below or run the following command in your terminal:

`apt-get install hl-volatility-kali`

`/opt/applic` directory before yara installation:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fsij92pAvKBcsvSV6FXBY%2Fyara_install_01.png?alt=media\&token=0fd9476a-703c-45b7-9fc7-2d85876c93d0)

`/opt/applic` directory after yara installation:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F0zL52cXhLpLD9fJybF6g%2Fyara_install_02.png?alt=media\&token=3122cdec-44a1-46b0-9a17-2434b6b55178)

### 3. Summarize Yara rules

If we have a look at the directory `/opt/applic/yara-rules/malware`, we can see a lot of YARA rule files (`.yar`), each scanning for a specific malware or malware family.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FtGMDSzkxVYzMdqkH2ixc%2Fyar_rules01.png?alt=media\&token=78bc36d9-d5db-463f-84d7-bf8b8befb992)

You may want to create a **single** YARA file from the sub-folders of `/opt/applic/yara-rules/malware`.

To do so, please follow the instructions below:

```
cd /home/hacker/Downloads
make_yara_rules.py /opt/applic/yara-rules/malware
```

This will generate `malware_rules.yar` in your current directory.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F0uxfFqtsbTEcXs5Su29v%2Fyar_rules02.png?alt=media\&token=dabdd5d2-36fc-45d0-9457-9c18b7af5bc5)
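As an added example (not the Hacking-Lab `make_yara_rules.py`, whose internals are not shown here), this script does the same job as section 3 in plain Python: it walks a rule directory, merges every `.yar`/`.yara` file into one output file, skips files that redefine a rule identifier already seen (YARA refuses to compile duplicate rule names), drops `include` lines (their targets are merged directly) and hoists deduplicated `import` lines to the top. The sample rule tree in `demo()` is constructed for the example and is not taken from `/opt/applic/yara-rules`.

```python
# Added example, not the Hacking-Lab make_yara_rules.py: merge every .yar/.yara under a
# directory into one file, skipping files that redefine a rule name already seen
# (YARA rejects duplicate identifiers) and hoisting deduplicated import lines to the top.
import re
import tempfile
from pathlib import Path

RULE_RE = re.compile(r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+(\w+)", re.M)
IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"[^"]+"[ \t]*$', re.M)
INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"[^"]+"[ \t]*$', re.M)

def merge_rules(src_dir, out_file):
    """Write one merged rule file; return (kept rule names, skipped relative paths)."""
    src = Path(src_dir)
    seen, kept, skipped, imports, parts = set(), [], [], [], []
    for path in sorted(p for p in src.rglob("*") if p.suffix in (".yar", ".yara")):
        text = path.read_text(encoding="utf-8", errors="replace")
        names = RULE_RE.findall(text)
        rel = path.relative_to(src).as_posix()
        if not names or any(n in seen for n in names):
            skipped.append(rel)  # no rule at all (e.g. an include-only index.yar) or a duplicate name
            continue
        seen.update(names)
        kept.extend(names)
        for imp in IMPORT_RE.findall(text):
            if imp.strip() not in imports:
                imports.append(imp.strip())
        # include lines are dropped: the files they point at are merged directly
        body = INCLUDE_RE.sub("", IMPORT_RE.sub("", text)).strip()
        parts.append(f"// ---- {rel} ----\n{body}\n")
    Path(out_file).write_text("\n".join(imports + [""] + parts), encoding="utf-8")
    return kept, skipped

def demo():
    """Constructed sample tree (not real rules from /opt/applic/yara-rules)."""
    files = {
        "index.yar": 'include "a/one.yar"\ninclude "b/two.yar"\n',
        "a/one.yar": 'rule One { strings: $s = "evil" condition: $s }\n',
        "b/two.yar": 'import "pe"\nrule Two { condition: pe.is_pe }\n'
                     'private rule Three { condition: true }\n',
        "b/dup.yar": 'import "pe"\nrule One { condition: false }\n',  # clashes with a/one.yar
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        out = Path(tmp, "malware_rules.yar")
        kept, skipped = merge_rules(tmp, out)
        return kept, skipped, out.read_text()
```

Calling `merge_rules("/opt/applic/yara-rules/malware", "malware_rules.yar")` on the LiveCD produces a single file you can pass to `yara -r`.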

### 4. YARA CLI

First, let's start with a very simple local filesystem scan.

Please download some malware samples to your HL LiveCD:

```
cd /home/hacker/
git clone https://github.com/fabrimagic72/malware-samples.git
cd /home/hacker/malware-samples
```

From a previous exercise I did already download some malware samples, so I'll use another path for scanning.

`yara -r /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fq8geDcSGn3RABp3wMhKT%2Fyar_rules03.png?alt=media\&token=7c2537fc-27a9-4266-9b44-97de6fb200ad)

#### Malware is often packed!

Search for packers in the malware-samples folder (`-t Packer` prints only matches of rules tagged `Packer`):

`yara -r -t Packer /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"`

You won't get much output apart from warnings, because most sample files are still zipped and YARA scans the archive bytes, not the packed executable inside.

You can hide the warnings with the `-w` flag.

#### Extract zip or 7zip files from malware samples

The following commands extract all malware samples and delete the archives afterwards. The password of the zip and 7z archives is `infected`.

```
cd /home/hacker/malware-samples
# Repeat until no archive is left, so nested archives are extracted as well.
# If 7za fails (e.g. wrong password), find does not run the rm and the loop never ends.
while [ "`find . -type f -name '*.7z' | wc -l`" -gt 0 ]; do find -type f -name "*.7z" -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done
while [ "`find . -type f -name '*.zip' | wc -l`" -gt 0 ]; do find -type f -name "*.zip" -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done
```

Instead of unzipping all the malware examples I'll scan against a file which I know is packed!

`yara -r -t Packer /opt/applic/yara-rules/index.yar /home/hacker/Reversing`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FbeYujUuKllG43I3gCEQl%2Fyar_rules04.png?alt=media\&token=87e82b6f-4ac1-4d94-a264-bb0471b69449)

**sample2.exe** is packed with upx3.
