Premise

In this video walkthrough, we cover the basics of Yara pattern matching: writing rules that describe text strings, hex byte sequences and file properties, and using them to identify malware from known indicators of compromise.

Challenge Description

This room will expect you to have basic Linux familiarity, such as installing software and the commands for general navigation of the system. Moreover, this room isn't designed to test your knowledge or for point-scoring. It is here to encourage you to follow along and to experiment with what you have learned here.

As always, I hope you take a few things away from this room, namely, the wonder that Yara (Yet Another Ridiculous Acronym) is and its importance in infosec today. Yara was developed by Victor M. Alvarez (@plusvic) and @VirusTotal. Check the GitHub repo here.


Challenge Tasks

What is the name of the base-16 numbering system that Yara can detect?

Would the text “Enter your Name” be a string in an application? (Yay/Nay)

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

What Yara rule did it match on?

What does Loki classify this file as?

Based on the output, what string within the Yara rule did it match on?

What is the name and version of this hack tool?

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

Inspect file 2. What is the name and version of this web shell?

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

Did Yara rule flag file 2? (Yay/Nay)

Copy the Yara rule you created into the Loki signatures directory.

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

What is the name of the variable for the string that it matched on?

Inspect the Yara rule, how many strings were generated?

One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

Besides .PHP, what other extension is recorded for this file?

Back to Valhalla, inspect the Info for this rule. Under Statistics what was the highest rule match per month in the last 2 years? (YYYY/M)

What JavaScript library is used by file 2?

Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)
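Several of the tasks above (writing your own rule, testing it with `yara` against file 2, copying it into Loki's signature directory, and reading off the string variable names and the `filesize` condition) come down to understanding the shape of a Yara rule. The rule below is an added example written for this page; it is not the rule from the room, the video or the Loki signature set, and every string and threshold in it is constructed for illustration rather than taken from file 1 or file 2.

```yara
/*
  Added example rule (not part of the room or the video).
  The indicators below are generic PHP web shell patterns chosen to
  illustrate each kind of Yara string; they are not the strings from
  file 1 or file 2 and the 500KB threshold is an assumption.
*/
rule example_php_webshell_indicators
{
    meta:
        description = "Illustrative rule: generic PHP web shell indicators"
        author      = "added example, not from the room"

    strings:
        // Text strings. Each one gets a $variable name; `yara -s` prints
        // the name of whichever variable matched. "nocase" makes the
        // match case-insensitive.
        $php_open = "<?php" ascii
        $b64      = "base64_decode(" ascii nocase
        $shell_fn = "shell_exec(" ascii nocase
        $passthru = "passthru(" ascii nocase

        // A hex (base-16) string. 65 76 61 6C is "eval"; [0-2] is a jump
        // of zero to two arbitrary bytes, so "eval(" and "eval (" both
        // match. Hex strings match raw bytes, not just printable text.
        $eval_hex = { 65 76 61 6C [0-2] 28 }

        // A regular expression string: a superglobal being indexed,
        // e.g. $_POST['cmd'] or $_GET["c"].
        $req_param = /\$_(GET|POST|REQUEST)\[/

    condition:
        // filesize is the size of the scanned file in bytes; tiny web
        // shells are the target, so large files are ignored outright.
        filesize < 500KB and
        $php_open and
        (
            ($eval_hex and $b64) or
            2 of ($shell_fn, $passthru, $req_param)
        )
}
```

Every string declared in the `strings:` section must be referenced in the `condition:` section, otherwise `yara` refuses to compile the rule with an "unreferenced string" error. Save the rule as, for example, `mywebshell.yar` and, from the root of the suspicious files directory, run `yara -s mywebshell.yar file2` (`-s` prints each matching string alongside its `$variable` name and offset). To have Loki use it, copy the `.yar` file into the `signature-base/yara` directory under the Loki installation and rerun the scan, for example `python loki.py -p /path/to/suspicious-files`; Loki reports the rule name and the matched strings in its output. Rules produced by a generator such as yarGen typically contain far more strings than this and are worth trimming to the few that are actually specific to the sample.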

Video Walkthrough


About the Author

Cybersecurity Instructor & Swimmer