Hunting viruses and malwares take more than static or dynamic analysis alone. Usually a combination of different techniques such as static, dynamic and reverse engineering to reveal the nature of a program or binary code.

In this post, we covered simple static analysis using Linux commands and then VirusTotal to reveal whether the file is virus or not.

What Exactly is Yara?

At its core, Yara is like a search engine for your files, but instead of looking for keywords in a document, it hunts for specific strings of text or hexadecimal patterns within any file. This capability makes it an indispensable tool for cybersecurity professionals and malware analysts. By crafting precise rules, you can command Yara to find files that exhibit characteristics of known malware.

The Anatomy of a Yara Rule

The power of Yara lies in its rules. These rules, saved in files with a .yar extension, are the blueprints for your malware hunts. The video breaks down their structure into simple, understandable components:

  1. Rule Declaration: Every rule begins with the keyword rule followed by a unique name you create for it.
  2. Meta Section: This optional but highly recommended section is for documentation. Here, you can add details like the author of the rule and a brief description of its purpose, which is incredibly helpful for future reference.
  3. Strings Section: This is the heart of the rule. Here, you define the patterns—either text or hexadecimal—that you want Yara to search for. Each pattern is assigned to a variable (e.g., $a, $b) for easy reference.
  4. Condition Section: This section sets the logic for the rule. It specifies under what conditions the rule should trigger a “hit.” You can use the variables from the strings section and combine them with logical operators like and, or, and not to create highly specific and flexible detection logic.

Here’s a look at the basic structure:

rule Your_Rule_Name {
    meta:
        author = "Your Name"
        description = "A brief description of what this rule does."
    strings:
        $text_string_1 = "some suspicious text"
        $hex_string_1 = { E2 34 AB }
    condition:
        $text_string_1 or $hex_string_1
}

A Practical Malware Hunting Scenario

Initial Analysis

Before even writing a Yara rule, a proper investigation begins. The video demonstrates using essential Linux commands to analyze the suspicious file, testfile.

  • Determining the file type: The file command is used to identify what the file actually is, regardless of its name or extension.
file testfile

Extracting readable strings: The strings command is used to pull out all the human-readable text from the file, which can often reveal clues about its function.

strings testfile

Leveraging Online Intelligence: The video shows how to generate an MD5 hash of the file and use it to search on VirusTotal. This is a crucial step to see if the file is a known piece of malware and to gather valuable Indicators of Compromise (IOCs).

md5sum testfile

Crafting and Running a Custom Yara Rule

Armed with the information gathered from the initial analysis, a custom Yara rule named eicar_rule.yar is created. This rule is tailored to find the specific strings discovered inside the EICAR test file.

rule ecar_yara {
    meta:
        author = "tryhackme"
        description = "eicar string"
    strings:
        $a = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
        $b = "EICAR"
        $c = "antivirus"
        $d = "test"
    condition:
        $a or ($b and $c and $d)
}

ith the rule saved, it’s time to unleash Yara. The following command tells Yara to use the eicar_rule.yar file to scan the current directory (.).

yar eicar_rule.yar .

As expected, Yara successfully flags the testfile, confirming that it matches the conditions laid out in the rule.

Fine-Tuning Your Scans

There are also several command-line options to get more detailed output from your Yara scans:

  • -s: Shows exactly which strings inside the file matched your rule.
  • -m: Displays the metadata (author, description) from the rule that was triggered.
  • -n: Inverts the results to show which rules did not match.
  • -c: Provides a simple count of how many rules were triggered.

By the end of this tutorial, you are left with a solid, practical understanding of how to create, refine, and apply Yara rules to effectively hunt for malware on a system.

In this post, We analyzed an EICAR virus testfile with VirusTotal and used Yara rules to hunt and match strings from the virus. This video used lab material from TryHackMe Advent of Cyber 3 Day 20 and 21

Download Learning Material in PDF

Answers to Day 20 and Day 21 tasks

Open the terminal and navigate to the file on the desktop named ‘testfile’. Using the ‘strings’ command, check the strings in the file. There is only a single line of output to the ‘strings’ command. What is the output?
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Check the file type of ‘testfile’ using the ‘file’ command. What is the file type?

EICAR virus test files
Calculate the file’s hash and search for it on VirusTotal. When was the file first seen in the wild?

2005-10-17 22:03:48
On VirusTotal’s detection tab, what is the classification assigned to the file by Microsoft?

Virus:DOS/EICAR_Test_File
Go to this link to learn more about this file and what it is used for. What were the first two names of this file?

ducklin.htm or ducklin-html.htm
The file has 68 characters in the start known as the known string. It can be appended with whitespace characters upto a limited number of characters. What is the maximum number of total characters that can be in the file?

128

We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the ‘and’ with, in order for the rule to still hit the file?
or
What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?

-m
What section contains information about the author of the Yara rule?

metadata
What option is used to print only rules that did not hit?

-n
Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?

0

Video Walk-through

This video provides an excellent, step-by-step guide on how to leverage Yara, a powerful pattern-matching tool, to hunt for malicious files on a system. It demystifies the process of creating custom rules and applying them in a real-world scenario, making it accessible even to those new to the field.

, , , ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles