# YARA with Cyberchef

### 1. Introduction

[CyberChef](https://gchq.github.io/CyberChef/) is a powerful web app for encryption, encoding, compression and data analysis. I've already used it in a [crypto exercise](https://cas-cyber.gitbook.io/cas-cybersecurity/ctf-and-crypto-exercises/cyberchef-challenge).

In this exercise I'll use CyberChef to check specific binaries against YARA rules.

We need some malware samples. If you haven't downloaded them already, you can get them here:

```
cd /home/hacker/
git clone https://github.com/fabrimagic72/malware-samples.git
cd /home/hacker/malware-samples
```

### 2. Cyberchef and grandcab.bin

Please open CyberChef in your browser

<https://gchq.github.io/CyberChef/>

Load the following sample from the `malware-samples` folder as the `Input`:

* `/home/hacker/malware-samples/Ransomware/Grandcrab/grandcab.bin`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fq6etYQKfoj9yy07JPPfW%2Fcyberchef01.png?alt=media\&token=094b2f35-b61e-4728-9ab8-83ac2e0d5e27)

Search for `yara` in the operations list on the left, add the `YARA Rules` operation to the recipe and paste the following rule into it:

```
rule maldoc_getEIP_method_1 : maldoc
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        // E8 00 00 00 00 = CALL to the very next instruction, which pushes the
        // current EIP on the stack; 58..5F = POP into EAX..EDI. Together this is
        // the classic position-independent "get EIP" trick used by shellcode.
        $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
    condition:
        $a
}
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FFdhwwDij99jt5XD1vpb9%2Fcyberchef02.png?alt=media\&token=ec75387e-ca16-45bc-9323-243a6f88aff4)

### 3. Cyberchef and $ucylocker.bin

Our next malware sample is $ucyLocker. CyberChef has an `Unzip` operation, but it does not work for this archive yet, see: <https://github.com/gchq/CyberChef/issues/1161>

Because of that we have to unzip the sample first. The password for the zip file is: **infected**

Do this on an isolated analysis VM: the extracted file is live ransomware. Note the single quotes around the folder name, otherwise the shell would try to expand `$u` as a variable:

```
cd '/home/hacker/malware-samples/Ransomware/$ucyLocker'
7z x -pinfected 86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.zip
```

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FFTLlItXQ2jc2dgKPXmIl%2Fcyberchef03.png?alt=media\&token=c44d1f9b-0fd9-4a0d-bccb-af346ee62640)

Load the newly extracted file `/home/hacker/malware-samples/Ransomware/$ucyLocker/86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.bin` as the `Input`.

Add the `YARA Rules` operation as in the previous step, but this time with a different rule, one that detects a .NET executable:

```
rule NETexecutableMicrosoft
{
    meta:
        author = "malware-lu"
    strings:
        // Import-table fragment of a .NET PE: eight zero bytes, the NUL-terminated
        // ASCII strings "_CorExeMain" and "mscoree.dll", five bytes of padding, then
        // FF 25 = JMP DWORD PTR [...], the native entry stub that jumps into the CLR.
        $a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }
    condition:
        $a0
}
```
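To see exactly which bytes the two rules above hit, here is an added example that is not part of the original page and not CyberChef's or YARA's own code. It reimplements just the subset of YARA hex-string syntax these two rules use (literal bytes, `??` wildcards and `(a|b)` alternation, no `[n-m]` jumps) on top of Python's `re` module, then runs both rules over constructed byte strings that contain the relevant sequences. The sample blobs are made up for this example and are not the malware from the page; for real work use the `yara` CLI or `yara-python`, which this script only mimics.

```python
import re

# The two hex strings from the rules on this page, keyed by rule name.
RULES = {
    "maldoc_getEIP_method_1": "E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)",
    "NETexecutableMicrosoft": (
        "00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 "
        "6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25"
    ),
}

# Tokens of the YARA hex-string subset handled here: a hex byte, a ?? wildcard,
# and the ( | ) of an alternation. Jumps such as [4-6] are deliberately unsupported.
_TOKEN = re.compile(r"\(|\)|\||\?\?|[0-9A-Fa-f]{2}")


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string into an equivalent bytes regular expression."""
    compact = "".join(pattern.split())
    tokens = _TOKEN.findall(compact)
    if "".join(tokens) != compact:  # something other than the supported tokens
        raise ValueError(f"unsupported hex pattern: {pattern!r}")
    out = []
    for tok in tokens:
        if tok in ("(", ")", "|"):
            out.append(tok.encode())  # alternation maps 1:1 onto regex syntax
        elif tok == "??":
            out.append(b".")          # any single byte (DOTALL makes . match 0x0A too)
        else:
            out.append(re.escape(bytes([int(tok, 16)])))  # literal byte, escaped for re
    return b"".join(out)


def scan(data: bytes, rules=RULES) -> dict:
    """Return {rule_name: [match offsets]} for every rule whose string occurs in data.

    Both rules on this page have the condition `$a` / `$a0`, i.e. "the string occurs
    at least once", so a non-empty offset list means the rule fires.
    """
    hits = {}
    for name, pattern in rules.items():
        rx = re.compile(hex_pattern_to_regex(pattern), re.DOTALL)
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed test inputs (not the malware from the page): padding bytes around
# exactly the byte sequences the rules look for.
GETEIP_SAMPLE = (
    b"\x90" * 16
    + b"\xE8\x00\x00\x00\x00"  # CALL $+5: pushes the address of the next instruction
    + b"\x5B"                  # POP EBX: EBX now holds that address (the "current EIP")
    + b"\x90" * 16
)
# PUSHAD (0x60) after the CALL is not one of the POP opcodes in the alternation,
# so this variant must not match.
GETEIP_NEGATIVE = b"\x90" * 16 + b"\xE8\x00\x00\x00\x00\x60" + b"\x90" * 16
DOTNET_SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"\x00" * 8  # the eight zero bytes the rule requires start at offset 32
    + b"_CorExeMain\x00mscoree.dll\x00\x00\x00\x00\x00"
    + b"\xFF\x25\x00\x20\x40\x00"  # JMP DWORD PTR [0x402000]: the native .NET entry stub
    + b"\x00" * 16
)

if __name__ == "__main__":
    for label, blob in (("getEIP", GETEIP_SAMPLE),
                        ("getEIP-negative", GETEIP_NEGATIVE),
                        ("dotnet", DOTNET_SAMPLE)):
        print(f"{label:16} -> {scan(blob)}")
```

`scan()` reports the offset of each hit, which is the same information CyberChef shows when you tick the `Show strings` option of the `YARA Rules` operation; the negative sample illustrates why the alternation in the getEIP rule matters, since a CALL followed by anything other than a single-byte POP is not the pattern.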

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FiNG1QELK1lIbIBmgqBjf%2Fcyberchef04.png?alt=media\&token=4b609398-ab2c-4c6e-8b1b-6298445affc7)
