YARA Install
Last updated
YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.
In this exercise you'll install YARA using the HL-LiveCD.
You can follow several online installation guides, or you can just use the Hacking-Lab installer script.
By installing the hl-volatility-kali package on your LiveCD, the following components will get installed:
volatility 2 (python2)
volatility 3 (python3)
yara
yara rules
some additional volatility plugins
Please follow the movie below or run the following command in your terminal:
apt-get install hl-volatility-kali
/opt/applic directory before yara installation:
/opt/applic directory after yara installation:
If we have a look at the directory /opt/applic/yara-rules/malware, we can see a lot of yar rules, each of which scans for a specific malware or malware family.
You may want to create a single yara file from the /opt/applic/yara-rules/malware sub-folders. To do so, please follow the instructions below:
cd /home/hacker/Downloads
make_yara_rules.py /opt/applic/yara-rules/malware
This will generate malware_rules.yar in your current working directory.
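To show what a merge of this kind has to take care of, here is an added, hypothetical stand-in for the idea behind make_yara_rules.py (it is not the Hacking-Lab script): it hoists import statements to the top of the merged file and refuses to write a file that YARA would reject because two sub-folders define a rule with the same name.

```python
"""Merge every .yar/.yara file under a directory tree into one rule file.

Hypothetical stand-in for the idea behind make_yara_rules.py (not the
Hacking-Lab script): hoists `import` lines to the top (each module once)
and refuses to emit a file YARA would reject for a duplicated rule name.
"""
import re
import sys
from pathlib import Path

# `import "pe"` on a line of its own; MULTILINE makes ^ and $ line-bound.
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"\s*$', re.MULTILINE)
# `rule Name`, optionally preceded by the private/global modifiers.
RULE_RE = re.compile(r'^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z_]\w*)', re.MULTILINE)


def merge_rule_texts(files):
    """Merge (label, rule_text) pairs; return (merged_text, sorted rule names).

    Raises ValueError on a duplicate rule name, naming both sources, since a
    ruleset with a repeated identifier fails to compile.
    """
    imports, seen_rules, bodies = [], {}, []
    for label, text in files:
        for mod in IMPORT_RE.findall(text):
            if mod not in imports:
                imports.append(mod)
        for name in RULE_RE.findall(text):
            if name in seen_rules:
                raise ValueError(f"rule {name!r} in both {seen_rules[name]} and {label}")
            seen_rules[name] = label
        body = IMPORT_RE.sub("", text).strip()   # imports moved to the header
        bodies.append(f"// ---- {label} ----\n{body}\n")
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + "\n" + "\n".join(bodies), sorted(seen_rules)


def merge_rules(root):
    """Walk root recursively and merge every .yar/.yara file found."""
    root = Path(root)
    paths = sorted(p for p in root.rglob("*") if p.suffix in (".yar", ".yara"))
    return merge_rule_texts((str(p.relative_to(root)), p.read_text(errors="replace"))
                            for p in paths)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "/opt/applic/yara-rules/malware"
    merged, names = merge_rules(src)
    Path("malware_rules.yar").write_text(merged)
```

Run it with the rules directory as its argument and check the result with yara before using it for a scan; the duplicate-name check only catches collisions the regex can see, not ones hidden inside include files.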
First, let's start with a very simple local filesystem scan.
Please download some malware samples to your HL LiveCD:
cd /home/hacker/
git clone https://github.com/fabrimagic72/malware-samples.git
cd /home/hacker/malware-samples
From a previous exercise I already downloaded some malware samples, so I'll use another path for scanning:
yara -r /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"
Search for Packers in the malware-samples folder:
yara -r -t Packer /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"
You won't get much output apart from warnings, because the sample files are mostly zipped. You can hide the warnings with the -w flag.
The following command unzips all malware samples and deletes the zip archives. The password of the zip or 7z archives is infected.
cd /home/hacker/malware-samples
Instead of unzipping all the malware examples I'll scan against a file which I know is packed!
yara -r -t Packer /opt/applic/yara-rules/index.yar /home/hacker/Reversing
sample2.exe is packed with upx3.