Project 4: Secure Videoconferencing Communications

Yara Lab Exercise

Overview

Review the lab references before beginning the lab exercises to gain an understanding of Yara rules. In Appendix A, you will learn about Yara and how to write a rule, and then use similar steps to complete Appendices B, C, and D. In Appendix B, you will be given a Yara rule that has errors, and you will learn how to read the error messages and fix the errors. Appendix C will walk you through finding the HEX offset location of a signature and writing a Yara rule for that signature. In Appendix D, you will make signatures for three files: you will find the offset location of those signatures within the files and write a rule for each file. After the lab exercises, you will understand how to write Yara rules, and how to spot and correct errors in Yara rules, when scanning files to analyze their contents and identify malware.

Note: You will need to do each of the appendices, and add your screenshots and other information to the lab report, which will be part of the overall project deliverable.

Introduction to Yara Rules

In this lab, you will learn how to write Yara rules. Yara is a tool for analyzing the contents of files. You will be required to use Yara to scan files for indicators of compromise and data extraction.

This tool is most often used to shorten the time needed to reverse engineer malware, and it helps with classifying malware. The following is a list of known tools that use Yara:

Lab Resources

Lab Reference Information

Yara Rules Basics:
http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/

Yara Documentation
http://yara.readthedocs.io/en/v3.5.0/

US Cert Yara Rules
https://www.us-cert.gov/ncas/alerts/TA14-353A

Other Yara Rules
https://github.com/Yara-Rules/rules

HEX Editor
https://www.youtube.com/watch?v=2nbUXtnH0y0

Appendices:

Appendix A
Appendix B
Appendix C
Appendix D

Appendix A

Writing Yara Rules

For Appendix A, you will use the Windows environment. Review the instructions in the UMUC Digital Labs document to connect to the WINATK01 virtual machine, if needed.

Log in to the Windows system with the following information:

WINATK01 (Windows)

You are now ready to learn how to build a basic Yara rule to examine the contents of a text file.

Yara works by applying a rule when scanning files, directories, drives, or even memory. Each rule is broken down into a few sections, which together make up the overall rule. Yara is case-sensitive, so in these exercises you must enter lowercase and uppercase characters exactly as shown.

The basic format of a Yara rule is shown in the image below.

Breakdown of a Yara rule:

  1. The first line of a Yara rule defines the name for that rule, and then it is followed by the details, or rather the signatures of that rule.
  2. Within the rule, you will also see meta and description, which are used to explain to others, perhaps other testers, what the rule is for.
  3. Strings is the signature part of Yara.
  4. Conditions use Boolean operators in connection with the strings.

Within the first part of the exercise, you will learn how to search a file for text.

To perform the exercise, you are going to open Notepad. On the WINATK01 desktop, right-click, select New, and then click Text Document. You can also click the Start button of the WINATK01 VM, type Notepad in the search box, and open Notepad when it shows up. Check the image below to make sure you use the Start button within the WINATK01 VM, not the one from the workspace.

In your new text document, type the text “business confidential” in lowercase.

After typing the text, save the file as bc.txt and make sure the file is saved on the Desktop.

After the text file is saved, verify that bc.txt is located on the Desktop.

Next, open a NEW text document and type in the Yara rule shown in the image below. Note that the rule is case-sensitive.

After the rule is typed in, save the file as bc_yara.yar. Go to File > Save As… and select Desktop as the destination. After the Desktop location is selected, change the Save as type: drop-down menu to All Files (*.*). Type bc_yara.yar as the File name: and click Save. Make sure you follow the steps according to the screenshot below.

After the file is saved, verify that bc_yara.yar is located on the Desktop. You should have both bc_yara.yar and bc.txt saved on the Desktop.

You can now start performing the exercise in the command line interface. Go to the Lab Resources > Applications folder and open cmd.exe. Your default prompt should show C:\Users\Public\Desktop\Lab Resources\Applications > as in the following image.

If the default prompt is correct, type in the following command and hit Enter. Note that the command must be entered on one line.

yara64.exe C:\Users\StudentFirst\Desktop\bc_yara.yar C:\Users\StudentFirst\Desktop\bc.txt

You will see the result shown in the image below. You can break the result down into two parts. The first part is the rule name, and the second part is the name and location of the file that contains your text. The following screenshot shows that your rule, business_confidential, reports that the text business confidential is found in bc.txt.

In the next example, you should see that using the incorrect case does not fire any results. Open bc.txt, change the text from “business confidential” to “Business Confidential”, and Save.

Now run the same command again to see if any alerts are created.

yara64.exe C:\Users\StudentFirst\Desktop\bc_yara.yar C:\Users\StudentFirst\Desktop\bc.txt

As you can see in the image above, the command fires no alerts.

Now double-click bc_yara.yar to open it. If you are shown the following message, choose “Select a program from a list of installed programs” and click OK. In the next message, you are asked to choose the program to open the file with; select Notepad and click OK. bc_yara.yar will open in Notepad.

When bc_yara.yar is open in Notepad, replace the rule name business_confidential with business_confidential_new. At the end of the $text string, add “nocase”. Make sure you put a space before “nocase”. The rule should look like the image below.

After you have added nocase, go to File > Save As… and select Desktop as the destination. After the Desktop location is selected, make sure the Save as type: drop-down menu is changed to All Files (*.*). Now type bc_yara2.yar as the File name: and click Save. Make sure you follow the steps according to the screenshot below.

Now go back to the command prompt you opened, and enter the following new command in one line.

yara64.exe C:\Users\StudentFirst\Desktop\bc_yara2.yar C:\Users\StudentFirst\Desktop\bc.txt

Since nocase is added, your new rule business_confidential_new fires regardless of whether the text is in upper or lower case.

Now, open bc.txt and change some of the characters to upper or lower case. The image below shows one example of the change.

After the changes are made, save bc.txt as bc2.txt. Now that you have saved a new text document, go back to the command prompt and run the following command in one line.

yara64.exe C:\Users\StudentFirst\Desktop\bc_yara2.yar C:\Users\StudentFirst\Desktop\bc2.txt

You should see an alert as in the image below. The result shows that your new rule is not case-sensitive.

Appendix B

You will now make rules based on modified US-CERT notifications found within the lab. To perform this

  1. Click to Lab Resources folder on the WINATK01 Desktop.
  2. Click on the shortcut called “Resources”.
  3. CST 630 Project Resources page will open. Click at Project 4 YaraFiles.zip. YaraFiles.zip will download to the “Downloads” folder.
  4. Go to the Downloads folder on WINATK01 and move YaraFiles.zip to the desktop on the WINATK01 system. After the YaraFiles.zip file is moved to the desktop, right click on YaraFiles.zip > Extract All.. > Extract will unzip YaraFiles folder and the contents on the Desktop.

Now you should have YaraFiles.zip downloaded and extracted to the Desktop. The files you are going to use for this exercise are located in the YaraFiles > yara_files folder. Verify that you have the YaraFiles folder on the Desktop and that it contains the yara_files folder. Within the yara_files folder you should see a yar file called lab.yar and five executable files. Each of these exe files contains different signatures. Verify that you have all the necessary folders and files as in the image below.

Open lab.yar with Notepad and you will see the rule as in the image below. The lab.yar rule file contains one Yara rule that has typos and missing syntax.

You are going to run a command to find the issues in lab.yar. Go to the Lab Resources > Applications folder and open cmd.exe. Type in the following command in one line and hit the Enter key.

yara64.exe C:\Users\StudentFirst\Desktop\YaraFiles\yara_files\lab.yar C:\Users\StudentFirst\Desktop\YaraFiles\yara_files\

When you execute the command, it will report a syntax error, expecting conditions and unexpected identifier, as in the image below. This is due to the typos and missing syntax in lab.yar.

The error in the above image gives you the line number where the issue is. Check that line in lab.yar and fix the issue. After the changes have been made, make sure you save lab.yar and run the command again. This time you will see another issue on a different line.

You will fix the rule again, save the file, and run the command repeatedly. The command will report errors until you have fixed all the typos and syntax issues in lab.yar. You will repeat the process a few times or more. When all of the errors in lab.yar are fixed, you will see the alert as in the image below. Your output will name the exe file in the yara_files folder that includes the signature.

Appendix C

In this section, you will load a file with HEX editing software (hexeditor) on Kali Linux. Using hexeditor, you will find the location of the HEX value in each exe file and the offset location of the signature provided. You will then write the rule based on that information. Before starting this section, watch the HEX editor video found in the reference section.

In this section, you will work on two systems: the Linux machine (NIXATK01) and the Windows machine (WINATK01).

First, log in to Kali Linux (NIXATK01) with the following information:

NIXATK01 (Linux)

  1. You are now in the NIXATK01 Linux environment to perform the lab exercises.
  2. Navigate to NIXATK01 Desktop > Lab Resources > Projects.
  3. Double-click “Download Project Resources” to open it.
  4. When the CST 630 Project Resources page shows up, click Project 4 YaraFiles.zip, choose the “Save File” option, and click OK. YaraFiles.zip will download to the “Downloads” folder on the NIXATK01 system.
  5. Click open the command terminal icon at the bottom of the screen and enter the following commands at the $ command prompt:

    Type in cd Downloads and hit Enter key

    Type in unzip YaraFiles.zip and hit Enter key

YaraFiles.zip is extracted with lab.yar and five executable files. You should see the result below.

On the next line, open the hexeditor program by typing the following command at the command prompt.

    Type in sudo hexeditor and hit Enter key

When you are asked for the password, type in Cyb3rl@b and hit Enter. This will open the hex editor program. The hex editor looks like the following image, with a blue background screen. From here, you can only use the arrow keys to select options.

Now use your down arrow key to select yara_files and hit Enter key.

Once you hit Enter, you will see the contents of the yara_files folder, as in the following image. Use your down arrow key again to select wrar540.exe and hit the Enter key.

When wrar540.exe opens, you should see the following image.

Now open the search function to search for the hex signature. If you are on Windows, type Shift and W together, or if you are on a Mac, type Control and W, to open the search window. The following image shows what the search window looks like.

When the search window opens, use the down arrow key and select “search for HEX bytes” and hit Enter.

A search box will show up which looks like the following image.

At the search box, type in the following sample hex signature.

50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00

Note that the search box may be shorter than the signature, but no matter how long the signature is, you need to type in the complete, correct hex signature and then hit Enter.

You will see the following screen as your result. Here you should look for the offset value at the top of the screen. The following image shows the offset location of the hex string.

Take note of the offset value 0x5A4D. You are going to use this offset value to build a Yara rule on the WINATK01 VM. From this point, you need to go back to the WINATK01 machine. Open Notepad and create a new text document on the WINATK01 machine. Type in the following Yara rule.

The rule name is given as Malware_used_by_cyber_threat_actor. The hex signature is added within the curly brackets of $STR1. In the rule condition, the offset location is defined as uint16(0) == 0x5A4D. Note that the hex signature and the offset value are the same ones you used and obtained in hexeditor on NIXATK01. After typing in the rule, go to File > Save As… and select Desktop as your destination. Change Save as type: to All Files (*.*), enter bc_yara3.yar as the File name:, and click Save.

Now, you need to test if the rule fires. Go to Lab Resources > Applications folder and open cmd.exe. Type the following command in one line and hit Enter to see if the rule still fires.

yara64.exe C:\Users\StudentFirst\Desktop\bc_yara3.yar C:\Users\StudentFirst\Desktop\YaraFiles\yara_files

Source: CST 630 WINATK01 Yara with Command Prompt

This command checks whether any exe file in the yara_files folder includes the $STR1 hex signature and also meets the offset location condition provided. The command should fire a result as in the image below.

The following image shows what the result looks like. The result shows the rule name Malware_used_by_cyber_threat_actor and indicates that the signature is found in wrar540.exe within the yara_files folder.

Using the incorrect offset location will not fire any results. Now, you will test to make sure the rule is firing correctly. Modify the offset location from 0x5A4D to 0x6A4D, and then save the rule. After you have saved the rule, run the following command in one line.

yara64.exe C:\Users\StudentFirst\Desktop\bc_yara3.yar C:\Users\StudentFirst\Desktop\YaraFiles\yara_files

You will see that the rule does not fire. Change the offset value back to 0x5A4D and then resave the rule. In Appendix D, which follows, you are going to use this method to create Yara rules for different signatures.
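An added example, not part of the original lab: it emulates in Python what the hexeditor search and the Appendix C rule check, run on a constructed byte string instead of wrar540.exe. The function names, the sample bytes, and the exact form of the condition (uint16(0) == 0x5A4D and $STR1, because the rule image is not reproduced on this page) are assumptions.

```python
import struct

# Hex signature given in Appendix C of the lab text.
SIGNATURE = "50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00"


def parse_hex_signature(text):
    """Convert a space-separated hex string (either case) to raw bytes."""
    return bytes.fromhex(text)


def find_offsets(data, pattern):
    """Return every offset where pattern starts, as a hex editor search would."""
    offsets, start = [], data.find(pattern)
    while start != -1:
        offsets.append(start)
        start = data.find(pattern, start + 1)
    return offsets


def uint16(data, offset):
    """Emulate YARA's uint16(offset): unsigned 16-bit little-endian read."""
    if offset < 0 or offset + 2 > len(data):
        return None  # out of range: the comparison can never be true
    return struct.unpack_from("<H", data, offset)[0]


def rule_fires(data, magic=0x5A4D, signature=SIGNATURE):
    """Assumed condition: uint16(0) == magic and $STR1."""
    found = find_offsets(data, parse_hex_signature(signature))
    return uint16(data, 0) == magic and bool(found)


def build_sample():
    """Constructed test bytes (not a real executable): 4D 5A, padding, signature."""
    return b"\x4d\x5a" + b"\x90" * 62 + parse_hex_signature(SIGNATURE) + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample()
    hits = find_offsets(sample, parse_hex_signature(SIGNATURE))
    print("signature offsets:", [hex(o) for o in hits])
    # Bytes 4D 5A at offset 0 read little-endian as 0x5A4D.
    print("uint16(0):", hex(uint16(sample, 0)))
    print("fires with 0x5A4D:", rule_fires(sample))
    print("fires with 0x6A4D:", rule_fires(sample, magic=0x6A4D))
```

Passing magic=0x6A4D reproduces the negative test above: the signature is still present in the bytes, but the uint16(0) comparison fails, so the rule does not fire.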

Appendix D

Based on how you developed the rules above, repeat Appendix C to create a Yara rule for each of the following three hex signatures.

To find the offset location for each signature, you need to use the NIXATK01 environment. Note that there are five executable files in the yara_files folder, and you are supposed to look for each signature in all of the exe files. If a signature is not found in one file, try the other exe files.

Once you have found the offset values for all signatures, go back to WINATK01 and use the offset values to develop the rules. You can name the rules whatever you like. Depending on how you have named the yar file, you need to modify and run the command accordingly. Your command should fire a result that shows each signature associated with its exe file.

Use the following signatures to build the Yara rules.

C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73

8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF

5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D

Take a screenshot when your rule fires alerts, and also take a screenshot of the rule you used.

LAB ENDS