IR 306: Yara (10 pts + 30 pts extra)

What You Need for This Project

Purpose

To practice using Yara, "The pattern matching swiss knife for malware researchers."

Installing Yara

On your Windows machine, in a Web browser, go to:

http://virustotal.github.io/yara/

On the right side, click the "Download Latest Release" button.

On the next page, at the bottom, click the win64 version, as shown below.

Save the file. Right-click the downloaded file, click "Extract All...", Extract.

A folder with two files appears, as shown below.

Drag both files to the left pane and drop them on Downloads.

In the left pane, click Downloads.

The files appear, as shown below.

Creating a Yara Rule

On your Windows desktop, click Start, type CMD, and click "Command Prompt".

In the Command Prompt window, execute these commands:

cd Downloads
notepad test.yar
A Notepad box pops up, asking "Do you want to create a new file?". Click Yes.

In Notepad, enter this text, as shown below.

rule ExampleRule
{
    strings:
        $my_text_string = "EVIL"

    condition:
        $my_text_string
}
The rule is shown below. This rule looks for the string "EVIL" in a file.

In Notepad, click File, Save.

Close the Notepad window.

Creating Test Files

In the Administrator Command Prompt window, execute these commands.
mkdir test
echo "GOOD" > test\goodfile.txt
echo "EVIL" > test\badfile.txt
The files are created, as shown below.

Running Yara on the Test Files

In the Administrator Command Prompt window, execute this command.
yara64 test.yar test
Yara scans the files in the "test" folder and finds one file matching the rule, as shown below.

Getting Minesweeper

We'll use this file just as an example of a file to analyze. It's a modified version of a Windows game.

On your Windows machine, in a Web browser, go to

https://samsclass.info/126/proj/minesam.exe.zip

Save the minesam.exe.zip file in your Downloads folder.

Open File Explorer and navigate to your Downloads folder. Right-click the minesam.exe.zip file and click "Extract All", Extract.

A folder appears containing a minesam.exe file, as shown below.

Getting a Yara Rule

On your Windows machine, in Firefox, go to

https://raw.githubusercontent.com/Yara-Rules/rules/master/Packers/packer_compiler_signatures.yar

A page containing a set of Yara rules to detect executable files and packers opens, as shown below.

Right-click inside the Web page and click "Save Page As.... Save the page in your Downloads folder with its default name, which is packer_compiler_signatures.yar


Flag IR 306.1: Scanning Minesam (10 pts)

In the Command Prompt window, execute these commands.
move minesam.exe\minesam.exe test
yara64 packer_compiler_signatures.yar test
Yara finds various signatures in the files. The flag is covered by a green box in the image below.


Flag IR 306.2: Find More Evil (10 pts extra)

Download this file:

ran.zip

Unzip it. It contains 100 files with two letter names, such as AA.

Scan those files with Yara and find the files containing "EVIL".

If you are a CCSF student, capture a screen image like the one shown below, showing the two filennames.

If you are playing a CTF, concatenate the two filenames, like this AABB, to form the flag.


Flag IR 306.3: Find Fours (10 pts extra)

Use the same group of 100 files.

Scan those files with Yara and find the files containing three bytes of 0x04 in a row.

You may find this document helpful: " Writing YARA rules".

If you are a CCSF student, capture a screen image like the one shown below, showing the two filennames.

If you are playing a CTF, concatenate the two filenames, like this AABB, to form the flag.


Flag IR 306.4: Find Fours (10 pts extra)

Use the same group of 100 files.

Scan those files with Yara and find the files containing this pattern:

If you are a CCSF student, capture a screen image like the one shown below, showing the two filennames.

If you are playing a CTF, concatenate the two filenames, like this AABB, to form the flag.


References

yara Documentation Release 3.11.0
How to install YARA and write basic YARA rules to identify malware
Writing YARA rules

Posted 10-1-18
Visual C++ added 10-8-18
Ported to new scoring engine, and Visual C++ removed, 10-17-19
Flag numbers fixed 11-8-19