Yara

Task 1 Introduction

Task 2 What is Yara?

What is the name of the base-16 numbering system that Yara can detect?

From the hint of hex we can guess its hexadecimal

Would the text “Enter your Name” be a string in an application? (Yay/Nay)

Any text is considered a string so yay

Task 3 Deploy

Task 4 Introduction to Yara Rules

Task 5 Expanding on Yara Rules

Task 6 Yara Modules

Task 7 Other tools and Yara

Task 8 Using LOKI and its Yara rule set

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

First we need to cd to the /suspicious-files/file1. Next we need to run Loki by using $ python ../../tools/Loki/loki.py -p .” If you notice the . at the end which is important to get the ind3x.php file to scan. The . means scan the present directory.

What Yara rule did it match on?

By reading the output we can see the yara rule matched was for webshell_metaslsoft.

What does Loki classify this file as?

In the description it says that it’s a webshell.

Based on the output, what string within the Yara rule did it match on?

We can it matched on the string Str1

What is the name and version of this hack tool?

In the output we can see b374k 2.2 is the version and tool used

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

If we go to the signature base and look around we can see that there is 1 rule with the term webshell in it.

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

If we scan it it comes back as clean meaning benign

Inspect file 2. What is the name and version of this web shell?

If we look into 1ndex.php we can see at the top it say b374k 3.2.3

Task 9 Creating Yara rules with yarGen

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

To do this we know that we need to start by running yara with our .yar file and then against the path of the file we want to test so it looks like “yara file2.yar file2/1ndex.php”

Did Yara rule flag file 2? (Yay/Nay)

From our root of suspicious-files we run yara file2.yar file2/1ndex.php. We can see we get the output of the test which indicates the yara rule flagged file2

Copy the Yara rule you created into the Loki signatures directory.

For this we run cp file2.yar ../tools/Loki/signature-base/yara

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

After running Loki we can see it does flag file 2 now

What is the name of the variable for the string that it matched on?

We can see it matched on Str1 var Zepto

Inspect the Yara rule, how many strings were generated?

Looking into the .yar file itself we can see that there are 20 strings generated in this rule.

One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

Again looking in the .yar file at the bottom we can see the condition < 700kb

Task 10 Valhalla

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group?

Using the web front-end of Valhalla we can see it is attributed to a Chinese APT group

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

After getting the sha-256 hash inputted we can see that the first rule by date is Webshell_b374k_rule1

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Clicking over into VT we can see that virus scanner was THOR APT Scanner

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious?

IF we enter our sha256 into VT we can see a lot of AV didn’t detect this.

Besides .PHP, what other extension is recorded for this file?

If we go to the VT description page we can scroll down and see names, I had to expand the name list down to see the .exe file extension.

What JavaScript library is used by file 2?

If we now go back to the Valhalla scanner and go into the source (github) we can see the requirement is the zaptojs library.

Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools?

Since we had to add the rule uses yaraGen we know that it is not a default rule