Hunting viruses and malware takes more than static or dynamic analysis alone. Usually a combination of techniques such as static analysis, dynamic analysis and reverse engineering is needed to reveal the nature of a program or binary.
In this post, we covered simple static analysis using Linux commands and then VirusTotal to reveal whether a file is a virus or not.
Yara rules are a way of hunting down malware using indicators of compromise such as IP addresses, hashes, domain names, etc.
Creating Yara rules is as easy as creating a file with the .yar extension and following the general structure of a rule file.
Yara rules are very widely used in the industry for the above-mentioned purposes. There are various open-source repositories of Yara rules shared by different organizations and people that can be leveraged by the security community in their fight against malware. This GitHub repository contains links to a lot of such open-source repositories.
In this post, we analyzed an EICAR virus test file with VirusTotal and used Yara rules to hunt and match strings from the virus. This video used lab material from TryHackMe Advent of Cyber 3 Day 20 and 21.
Answers to Day 20 and Day 21 tasks
Open the terminal and navigate to the file on the desktop named ‘testfile’. Using the ‘strings’ command, check the strings in the file. There is only a single line of output to the ‘strings’ command. What is the output?
Check the file type of ‘testfile’ using the ‘file’ command. What is the file type?
EICAR virus test files
Calculate the file’s hash and search for it on VirusTotal. When was the file first seen in the wild?
On VirusTotal’s detection tab, what is the classification assigned to the file by Microsoft?
Go to this link to learn more about this file and what it is used for. What were the first two names of this file?
ducklin.htm or ducklin-html.htm
The file has 68 characters at the start known as the known string. It can be appended with whitespace characters up to a limited number of characters. What is the maximum number of total characters that can be in the file?
We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the ‘and’ with, in order for the rule to still hit the file?
What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?
What section contains information about the author of the Yara rule?
What option is used to print only rules that did not hit?
Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?
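As an added illustration, and not code from the post, TryHackMe or the yara project: a small Python matcher that mimics the parts of yara the Day 21 tasks exercise, namely per-string matching, condition evaluation with yara's operator precedence (`and` binds tighter than `or`), listing the metadata of rules that hit, listing only the rules that did not hit, and the match count behind `-c`. The rule names, the author value and the sample file bytes are constructed for the example.

```python
import re
# Constructed stand-in for the lab's 'testfile'; it is NOT the real EICAR string.
SAMPLE = b"X5O!CONSTRUCTED-SAMPLE$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\n"

def make_rule(name, a_string, condition="$a and $b and $c and $d"):
    """Hypothetical rule shaped like the post's eicaryara rule; only $a varies."""
    return {"name": name, "meta": {"author": "example author"},
            "strings": {"$a": a_string, "$b": b"EICAR", "$c": b"ANTIVIRUS", "$d": b"TEST-FILE"},
            "condition": condition}

# The original rule ($a = X5O) and the edited copy ($a = X50, letter O -> digit 0).
RULES = [make_rule("eicar_original", b"X5O"), make_rule("eicar_edited", b"X50")]

def evaluate(condition, hits):
    """Evaluate a Yara-style condition of $identifiers joined by and/or.
    Precedence mirrors Yara (and Python): 'and' binds tighter than 'or'."""
    tokens = re.findall(r"\$\w+|and|or", condition)
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def and_expr():  # $x and $y and ...
        val = hits[take()]
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            val = hits[take()] and val  # operand first, so tokens are always consumed
        return val
    val = and_expr()  # or_expr: and_expr ('or' and_expr)*
    while pos < len(tokens) and tokens[pos] == "or":
        take()
        val = and_expr() or val
    return val

def match_rule(rule, data):
    """A rule hits when its condition holds over the strings found in data."""
    hits = {name: pat in data for name, pat in rule["strings"].items()}
    return evaluate(rule["condition"], hits)

def scan(rules, data, negate=False):
    """Names of matching rules; negate=True lists only the rules that did NOT hit."""
    return [r["name"] for r in rules if match_rule(r, data) != negate]

def count_matches(rules, data):
    return len(scan(rules, data))  # the single figure yara -c reports

def matching_meta(rules, data):
    """Metadata of each rule that hit, the extra detail yara can print per match."""
    return {r["name"]: r["meta"] for r in rules if match_rule(r, data)}
```

Running `scan(RULES, SAMPLE)` shows that the X5O rule hits the sample while the X50 copy does not, which is exactly the effect the Day 21 edit to `$a` produces on the real testfile.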