Good Afternoon all,
Today we will set up a simple YARA rule using the details we found during malware analysis: strings, PE header details, signature details and file type details.
Ok, let's dive in.
Fire up your FlareVM malware analysis operating system, then open a malware sample in the pestudio application. We can find a lot of information in the Strings section, so let's move there; we end up with 3 URLs that the malware connects back to.
We will add those URLs to the YARA rule as signature identifiers so we can analyse and find them in future occurrences.
Next, open a text file in Notepad++ (you can use your own text editor if you prefer) and create a simple rule as shown below. I have already explained what we are doing with this code in my previous blog; you can learn it here.
We are adding three variables ($a, $b, $c) to hold the three URLs that we want to use as signatures. We can also add our file type here, but instead of double quotes we need to use curly braces to give the Portable Executable file type as a hex pattern.
Save this rule as creds.yara; the .yara extension is necessary to mark it as a YARA rule file.
Ok, then open your command prompt, navigate to the location where you saved your creds.yara file, and type the command below:
yara32 -s -r creds.yara "Path of Malware sample"
Here -s prints the matching signature strings and -r means recursive scan. You can see the help by running yara32 --help.
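Here is a version of that rule as an added example (it is not the blog's original creds.yara file); the three URLs are invented placeholders, so replace them with the ones you pulled from pestudio:

```yara
rule Creds_Callback_URLs
{
    meta:
        description = "PE sample containing the callback URLs recovered from pestudio strings"
        note = "added example; the URLs below are placeholders, not real indicators"

    strings:
        // Three URLs in double quotes (text strings). 'wide' also catches
        // UTF-16 copies of the string, 'nocase' ignores letter case.
        $a = "http://c2-placeholder-one.invalid/gate.php" ascii wide nocase
        $b = "http://c2-placeholder-two.invalid/update.php" ascii wide nocase
        $c = "http://c2-placeholder-three.invalid/panel/" ascii wide nocase

        // File type in curly braces (hex string): the 'MZ' DOS header magic of a PE.
        $mz = { 4D 5A }

    condition:
        // The MZ magic must sit at offset 0, and at least two of the three
        // URLs must be present, so the rule still fires when one URL is
        // mangled (as with the edited rule that reports only 2 URLs).
        $mz at 0 and 2 of ($a, $b, $c)
}
```

Because $mz is required at offset 0, the rule file itself (which starts with the text "rule") does not match when you scan a folder recursively, so the -s output lists hits from the sample only.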
In the above picture you can see that it displays the strings found in the specified malware sample along with the file type. You may think it is just showing what we typed into the rule, so I edited the rule a bit: it now shows only 2 URLs, since I replaced the third one with some garbage text.
So this is how anti-malware works based on signatures and rules: we can set up our own rules from what we found and analysed in the malware.
Today we learned how to set up a simple rule with YARA; next time we will try working with a bigger malware sample.
That's it for today guys, see you in the next blog.