Yara Write-up

Fahri Korkmaz
Mar 19, 2021

Description

Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting! This is a room on TryHackMe.

What is Yara?

  • Can identify binary and textual patterns inside a file

Questions

  • What is the name of the base-16 numbering system that Yara can detect? hex
  • Would the text “Enter your Name” be a string in an application? (Yay/Nay) Yay

Install Yara

Ubuntu:

  • Repo: sudo apt install yara
  • Source: sudo apt install automake libtool make gcc flex bison libssl-dev libjansson-dev libmagic-dev pkg-config, then download the Yara source from GitHub

Introduction to Yara Rules

  • Every rule has a name and condition
  • Standard extension: .yar

Basic structure

rule examplerule {
    condition: true
}

Execute Rule

yara rule.yar somefile

Expanding on Yara Rules

Meta

  • Descriptive information by the author

Strings

  • Strings are used to search for specific text or hexadecimal values in files or programs

strings:
    $hello = "Hello World!"

Conditions

  • any of them
  • true
  • Operators: <=, >=, !=
  • Combining keywords: and, not, or
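
The meta, strings and condition sections above combined into one rule, as an added example that is not from the original write-up or the TryHackMe room. The rule name, the meta values and every string other than $hello are constructed for illustration.

```yara
rule added_example_sections
{
    meta:
        // Descriptive only: meta values never influence matching.
        author      = "added example"
        description = "Constructed rule combining meta, strings and condition"

    strings:
        // Text strings. Modifiers widen what a single definition matches.
        $hello        = "Hello World!"
        $hello_nocase = "hello world" nocase wide ascii
        $prompt       = "Enter your Name"

        // Hex string: raw bytes written in base-16 (here the two bytes "MZ").
        $mz = { 4D 5A }

    condition:
        // Case 1: the file starts with the bytes 4D 5A and contains
        //         at least one of the text strings.
        ( $mz at 0 and any of ($hello*, $prompt) )
        or
        // Case 2: the file does not start with those bytes, is small,
        //         and contains the exact $hello string three times or more.
        ( not ($mz at 0) and filesize <= 10KB and #hello >= 3 )
}
```

Every string defined in the rule is referenced in the condition ($hello* covers both $hello and $hello_nocase), because Yara refuses to compile a rule that defines a string it never uses.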

Yara Cheat Sheet

Yara Modules

  • Cuckoo-Module: Create rules based on behaviours discovered from Cuckoo Sandbox
  • Python PE Module: Create yara rules based on various sections and elements of the Windows PE structure

Other tools and Yara

Using LOKI and its Yara rule set

  • Rules are created based on threat intelligence research

Commands:

  • -h: Help Menu
  • --update: Update rules
  • -p <path>: Path to scan

Scanning the file1 directory with the following command:

python loki.py -p ~/suspicious-files/file1/

Scanning the file2 directory with the following command:

python loki.py -p ~/suspicious-files/file2/

The actual Yara file:

Finding the web shell name and version inside file 2:

Create Yara rules with yarGen

  • Typically done in case of an incident
  • yarGen: Generator for Yara rules; extracts strings from malware and removes strings that can also be found in goodware

Commands:

  • --update: Update database
  • -m <path>: Path to the file for which rules should be created
  • --excludegood: Force exclusion of all goodware strings
  • -o <path>: Location and name of the file the rule should be written to
  • yarAnalyzer: Another tool to create rules

Further reading:

Questions

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

yara files2.yar file2/1ndex.php

Did Yara rule flag file 2? (Yay/Nay)

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

Inspect the Yara rule, how many strings were generated?

Valhalla

  • Online Yara feed

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group?

After that search on Valhalla for that hash.

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

Besides .PHP, what other extension is recorded for this file?

Back to Valhalla, inspect the Info for this rule. Under Statistics what was the highest rule match per month in the last 2 years? (YYYY/M)

What JavaScript library is used by file 2?

Search for the library inside the file:
