CREATION OF SIMPLE YARA RULE

Good Afternoon all,

Today we will be looking forward to set up a simple yara rule using the details we found in Malware analysis like strings, PE header details, Signature details, and File type Details.

What is YARA rules

This rules are a set of patterns and signatures used in the YARA tool to identify and detect specific patterns or characteristics within files or data. YARA, which stands for “Yet Another Recursive Acronym,” is a powerful open-source tool primarily used for malware research, threat hunting, and digital forensics. It allows analysts and security researchers to create custom rules that describe certain patterns found in files, such as strings, byte sequences, or regular expressions.

These rules are written in a YARA-specific language and can be used to scan files, memory dumps, or any data stream for matches with the defined patterns. When a match is found, it indicates the presence of a specific file type, malware, or any other predefined pattern of interest. These rules are valuable in the cybersecurity domain as they aid in identifying and categorizing potentially malicious files, which can help organizations protect their systems from various threats.

Ok Let Dive in,

Fire up Your Malware Analysis FlareVM operating system, then Open a Malware sample in pestudio Application. we can found lot of information in Strings section so lets move there and we end up with 3 URLs where the Malware connects back.

We will be adding those URLs in Yara Rules as signature identifiers to analyse and find it in future occurrences.

 

Screenshot 49Three URLs have been highlighteds

Next, we need to open a text file using Notepad++, You can use your own text editor as you want, and create a simple rule as shown below, as i Have already
explained to you what we are doing with this code in my previous Blog you can learn it here

We are adding three Variables($a,$b,$c) to use it for three URLs those which we want to use as signatures. We can add our File type also in here but instead of Double quotes, we need to use curly Braces for mentioning the file type of Portable Executable.
 
Save this rule as Creds.Yara, Here .This extension is necessary to make it a yara rule condition file.

Ok then Open Your command prompt then navigate to the the location where you have saved your creds. yara file then type this command as below

yara32 -s -r creds.Yara “Path of Malware sample” here -s represents print the strings of signatures and -r represents recursive scan. You can look for Help by using the yara32 –help command

In the above picture, you can see that it is displaying the strings which are available in the specified malware sample along with the file type also, but you may think it is just showing what we have typed in that folder, so here I have just edited the rule a bit, and it will show only 2 URLs since I have replaced the third one with some garbage texts.Screenshot 56

So this is how Anti-Malware works based on signatures and rules, we can set up our own rules with what we have found and analyzed with the malware.

Today we learned how to set up a Simple rule with YARA, next time we will be trying to work with bigger yara rule with Malware sample.

That’s it for today guys, see you in the next blog

Bye Bye!

Leave A Comment