# YARA Install

### 1. Introduction

> YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic.

In this exercise you'll install YARA using the HL-LiveCD.

<https://livecd.hacking-lab.com>

### 2. Yara install

You can follow one of the many online installation guides, or you can simply use the Hacking-Lab installer package.

Installing the `hl-volatility-kali` package on your LiveCD pulls in the following components:

* volatility 2 (python2)
* volatility 3 (python3)
* yara
* yara rules
* some additional volatility plugins

Please follow the video below or run the following command in your terminal:

`apt-get install hl-volatility-kali`

`/opt/applic` directory before the YARA installation:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fsij92pAvKBcsvSV6FXBY%2Fyara_install_01.png?alt=media\&token=0fd9476a-703c-45b7-9fc7-2d85876c93d0)

`/opt/applic` directory after the YARA installation:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F0zL52cXhLpLD9fJybF6g%2Fyara_install_02.png?alt=media\&token=3122cdec-44a1-46b0-9a17-2434b6b55178)

### 3. Summarize Yara rules

If we have a look at the directory `/opt/applic/yara-rules/malware`, we can see a large number of `.yar` rule files, each of which detects a specific malware sample or malware family.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FtGMDSzkxVYzMdqkH2ixc%2Fyar_rules01.png?alt=media\&token=78bc36d9-d5db-463f-84d7-bf8b8befb992)

You may want to combine the rules from the `/opt/applic/yara-rules/malware` sub-folders into a **single** YARA file.

To do so, please follow the instructions below:

```bash
cd /home/hacker/Downloads
make_yara_rules.py /opt/applic/yara-rules/malware
```

This will generate `malware_rules.yar` in your current directory.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F0uxfFqtsbTEcXs5Su29v%2Fyar_rules02.png?alt=media\&token=dabdd5d2-36fc-45d0-9457-9c18b7af5bc5)
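As an added example (this is not the Hacking-Lab `make_yara_rules.py`, whose source is not shown on this page), the script below builds one combined file the way YARA itself supports it, with the `include` directive: it walks a rule tree, writes one index file, and skips any file that redeclares a rule identifier already defined in an earlier file, because `yara` aborts compilation on a duplicated identifier. The output file name and the rule tree built in `demo()` are constructed for this illustration; the header regex is a simplification that would also count a `rule` line inside a block comment.

```python
"""Build a single YARA index file from every .yar/.yara file under a directory.

Added example; it is not the Hacking-Lab make_yara_rules.py. The output file
name and the demo rule tree are assumptions made for this illustration.
"""
import re
import tempfile
from pathlib import Path

# A rule header: optional "private"/"global" modifiers, the keyword, the identifier.
# Simplification: a header inside a block comment would also match.
RULE_HEADER = re.compile(
    r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)', re.MULTILINE)


def find_rule_files(root):
    """All rule files below root, sorted so the output is deterministic."""
    return sorted(p for p in Path(root).rglob('*')
                  if p.is_file() and p.suffix in ('.yar', '.yara'))


def rule_names(path):
    """Rule identifiers declared in one file."""
    return RULE_HEADER.findall(path.read_text(encoding='utf-8', errors='replace'))


def build_index(root, out_file):
    """Write out_file as a list of `include` lines covering the rule tree.

    A file that redeclares an identifier already seen in an earlier file is
    skipped entirely, since yara would refuse to compile the combined set.
    Returns a summary dict: included files, distinct rules, and the clashes.
    """
    root = Path(root).resolve()
    seen = {}        # identifier -> file (relative to root) that defines it
    clashes = []     # (identifier, first file, skipped file)
    included = []
    for path in find_rule_files(root):
        rel = path.relative_to(root).as_posix()
        names = rule_names(path)
        dupes = [n for n in names if n in seen]
        if dupes:
            clashes.extend((n, seen[n], rel) for n in dupes)
            continue
        for n in names:
            seen[n] = rel
        included.append(path)
    lines = ['// generated index of rule files under %s' % root.as_posix()]
    lines += ['include "%s"' % p.as_posix() for p in included]
    Path(out_file).write_text('\n'.join(lines) + '\n', encoding='utf-8')
    return {'files_included': len(included), 'rules': len(seen), 'clashes': clashes}


def demo():
    """Constructed rule tree: two families, one file that redeclares `Locker`."""
    tmp = Path(tempfile.mkdtemp(prefix='yara_rules_'))
    (tmp / 'apt').mkdir()
    (tmp / 'ransom').mkdir()
    (tmp / 'apt' / 'apt_a.yar').write_text(
        'rule APT_A { strings: $s = "constructed" condition: $s }\n')
    (tmp / 'ransom' / 'locker.yar').write_text(
        'private rule LockerCore { condition: true }\n'
        'rule Locker { condition: LockerCore }\n')
    (tmp / 'ransom' / 'locker_copy.yar').write_text(
        'rule Locker { condition: true }\n')
    summary = build_index(tmp, tmp / 'malware_rules.yar')
    summary['index_lines'] = (tmp / 'malware_rules.yar').read_text().splitlines()
    return summary


if __name__ == '__main__':
    print(demo())
```

Run it with `python3 build_index.py` (the file name is arbitrary); the generated index is passed to `yara` exactly like the `index.yar` used in the next section, and the `clashes` list tells you which files to review before the combined set will compile.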

### 4. Yara CLI

First, let's start with a very simple local filesystem scan.

Please download some malware samples to your HL LiveCD:

```bash
cd /home/hacker/
git clone https://github.com/fabrimagic72/malware-samples.git
cd /home/hacker/malware-samples
```

From a previous exercise I had already downloaded some malware samples, so I'll use another path for scanning. The path contains a space, so it has to be quoted:

`yara -r /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fq8geDcSGn3RABp3wMhKT%2Fyar_rules03.png?alt=media\&token=7c2537fc-27a9-4266-9b44-97de6fb200ad)

#### Malware is often packed!

Search for packers in the malware-samples folder, using `-t Packer` to print only the rules tagged `Packer`:

`yara -r -t Packer /opt/applic/yara-rules/index.yar "/home/hacker/misp files/malware-samples"`

You won't get much output apart from warnings, because the sample files are mostly still zipped.

You can hide the warnings with the `-w` flag.

#### Extract zip or 7zip files from malware samples

The following commands unzip all malware samples and delete each archive after extraction. The password of the zip and 7z archives is `infected`.

```bash
cd /home/hacker/malware-samples
# Repeat until no archive is left. find chains its -exec actions, so rm runs
# only when 7za exited successfully; an archive that fails to extract (wrong
# password, corrupt file) stays in place and the loop never terminates.
while [ "`find . -type f -name '*.7z' | wc -l`" -gt 0 ]; do find -type f -name "*.7z" -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done
while [ "`find . -type f -name '*.zip' | wc -l`" -gt 0 ]; do find -type f -name "*.zip" -exec 7za x -pinfected -- '{}' \; -exec rm -- '{}' \;; done
```
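As an added example (not the course's own loop), here is the same procedure in Python with the two things a practitioner usually wants on top: an archive is deleted only when its extraction succeeded, and the process stops as soon as a pass makes no progress, so a corrupt archive or a wrong password leaves the file in place for inspection instead of looping forever. The sample tree built in `demo()` (a zip nested inside a zip, plus a deliberately broken file) is constructed here. Python's `zipfile` only handles ZipCrypto-encrypted zips, not AES-encrypted zips or `.7z` archives, and `extractall` strips absolute and `..` path components, which matters when the archives come from untrusted sources.

```python
"""Recursively extract nested zip archives of malware samples with a fixed password.

Added example; not the course's shell loop. Archives are extracted next to the
archive file, deleted only on success, and never retried after a failure.
"""
import io
import tempfile
import zipfile
from pathlib import Path

PASSWORD = b'infected'   # convention used by the malware-samples repository


def extract_all(root, password=PASSWORD, max_passes=20):
    """Extract every *.zip under root, including archives unpacked by earlier passes.

    Returns (extracted, failed): archive paths relative to root, POSIX style.
    """
    root = Path(root)
    extracted, failed = [], []
    for _ in range(max_passes):
        progress = False
        # materialise the list first so files created during the pass don't
        # confuse the traversal; they are picked up by the next pass
        for archive in sorted(p for p in root.rglob('*.zip') if p.is_file()):
            rel = archive.relative_to(root).as_posix()
            if rel in failed:
                continue            # don't retry an archive that already failed
            try:
                with zipfile.ZipFile(archive) as zf:
                    # extractall sanitises member names (no absolute or .. paths)
                    zf.extractall(archive.parent, pwd=password)
            except (zipfile.BadZipFile, RuntimeError, OSError):
                failed.append(rel)  # wrong password or corrupt: leave it in place
                continue
            archive.unlink()        # delete only after a successful extraction
            extracted.append(rel)
            progress = True
        if not progress:
            break
    return extracted, failed


def demo():
    """Constructed sample tree: a zip nested in a zip, plus a corrupt zip."""
    tmp = Path(tempfile.mkdtemp(prefix='samples_'))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as zf:
        zf.writestr('sample.exe', b'MZ' + b'\x00' * 62)   # constructed PE stub
    outer = tmp / 'family' / 'outer.zip'
    outer.parent.mkdir()
    with zipfile.ZipFile(outer, 'w') as zf:
        zf.writestr('inner.zip', inner.getvalue())
    (tmp / 'broken.zip').write_bytes(b'not a zip archive')
    extracted, failed = extract_all(tmp)
    remaining = sorted(p.relative_to(tmp).as_posix()
                       for p in tmp.rglob('*') if p.is_file())
    return extracted, failed, remaining


if __name__ == '__main__':
    print(demo())
```

On the real sample tree you would call `extract_all('/home/hacker/malware-samples')` and then scan the directory with `yara`; anything listed in `failed` needs a look by hand (most likely an AES-encrypted zip, which `zipfile` cannot open).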

Instead of unzipping all the malware examples I'll scan a file which I know is packed!

`yara -r -t Packer /opt/applic/yara-rules/index.yar /home/hacker/Reversing`

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FbeYujUuKllG43I3gCEQl%2Fyar_rules04.png?alt=media\&token=87e82b6f-4ac1-4d94-a264-bb0471b69449)

**sample2.exe** is packed with UPX 3 :package:
