Yara Guide

What is Yara?

"The pattern matching swiss knife for malware researchers (and everyone else)" (VirusTotal, 2020)

Creating Basic Yara Rule

# nano myfirstrule.yar

rule examplerule {
        // a condition of true matches every file the rule is run against
        condition: true
}
#Looking for a file that exists: yara prints the rule name and the file name (examplerule somefile), because the condition is always true
yara myfirstrule.yar somefile

#Looking for a file that does not exist: yara reports an error because it cannot open the file
yara myfirstrule.yar somefilexyz

Yara Conditions

Meta:

The meta section of a Yara rule is reserved for descriptive information written by the author of the rule. The keys are free-form identifiers; for example, you can use description (often shortened to desc) to summarise what your rule checks for, and author or date to record where the rule came from. Nothing in this section influences whether the rule matches. Like commenting code, it is there to document the rule for the next person who reads it.

Strings:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		$hello_world
}

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"
		$hello_world_lowercase = "hello world"
		$hello_world_uppercase = "HELLO WORLD"

	condition:
		any of them
}

String matching is case-sensitive by default, which is why three variants are listed; any of them makes the rule match if at least one of the defined strings is found. (The nocase modifier on a single string is the usual way to cover every capitalisation at once.)

Conditions:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		#hello_world <= 10
}

The rule will now:

1. Look for the "Hello World!" string
2. Only say the rule matches if there are ten or fewer occurrences of the "Hello World!" string

Note that #hello_world is the number of occurrences, and zero is less than or equal to ten: a file that contains no "Hello World!" at all also satisfies this condition. To require at least one hit, add a lower bound (#hello_world > 0 and #hello_world <= 10) or combine it with the plain $hello_world test.

Weight

Combining Keywords

  • and

  • or

  • not

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		$hello_world and filesize < 10KB
}
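A fuller rule that puts the pieces above together (meta, text, regex and hex strings, a bounded count, filesize and an offset test) in the shape rules are usually written in practice. This is an added example, not a rule from the original guide or from any of the tools it mentions; the webshell pattern it looks for, the thresholds and every identifier in it are illustrative assumptions, not a vetted detection.

```yara
// Added example rule, not part of the original guide. The strings and
// thresholds are illustrative assumptions chosen to show the syntax.
rule php_webshell_request_to_eval
{
    meta:
        description = "PHP file that feeds request parameters into eval or a shell function"
        author      = "example author"
        reference   = "added example for this guide"

    strings:
        // Plain text string; nocase makes it also match <?PHP, <?Php, ...
        $php_open = "<?php" ascii nocase

        // Regular expressions: the word boundary keeps 'eval' from matching 'retrieval'
        $eval     = /\beval\s*\(/ ascii nocase
        $shell_fn = /\b(system|shell_exec|passthru|exec|popen)\s*\(/ ascii nocase

        // Superglobals that carry attacker-controlled input
        $request  = /\$_(GET|POST|REQUEST|COOKIE)\s*\[/ ascii

        // Common obfuscation helper; counted rather than only tested for presence
        $b64      = "base64_decode(" ascii nocase

        // Hex string with a wildcard byte: "eval", any one byte, "(" -
        // shown to illustrate the ?? wildcard syntax
        $eval_hex = { 65 76 61 6C ?? 28 }

    condition:
        // Cheap checks first: a size bound and the PHP open tag within the first 64 bytes
        filesize < 200KB
        and $php_open in (0..64)

        // At least one superglobal read, but bound the count so a large
        // framework file with hundreds of reads does not trip the rule
        // (remember that #request <= 50 alone is also true when the count is 0)
        and #request >= 1 and #request <= 50

        // Any of the dangerous sinks, or heavy use of base64_decode
        and ( $eval or $shell_fn or $eval_hex or #b64 > 2 )
}
```

Run it the same way as the earlier rules (yara thisfile.yar path/to/file). The ordering inside the condition matters for speed on large scans: filesize and offset checks are evaluated before the string matches, so the expensive regexes only run on files that pass the cheap gates.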

Anatomy of Yara Rules

Yara Modules

Modules extend Yara beyond plain string matching: they parse the file (or data collected about it) and expose the result as fields and functions that the condition section can test. Two that the guide points to:

  • Cuckoo: the cuckoo module lets a rule match on behavioural data from a Cuckoo Sandbox report (network activity, registry keys, file operations) that is passed to yara alongside the sample.

  • Python PE (the pe module): exposes the Windows Portable Executable structure (headers, sections, imports, exports, signatures) to a rule, so you can match on how a binary is built rather than only on the strings inside it; the pefile Python library gives the same view when scripting.
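An added example (not from the original guide) of what the pe module gives a rule that plain strings cannot: structure-aware checks on a Windows executable. The pe fields and constants used are the module's real ones; the particular combination of imports and section flags is an illustrative heuristic, not a vetted detection.

```yara
import "pe"

// Added example, not part of the original guide. The import list and the
// section heuristic are illustrative assumptions.
rule pe_injector_traits
{
    meta:
        description = "PE that imports process-injection APIs and carries a writable+executable section"
        author      = "example author"

    condition:
        // Header sanity checks without the module: 'MZ' at offset 0 and
        // 'PE\0\0' at the offset stored in e_lfanew (0x3C). uint16/uint32
        // read little-endian integers from the file.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550

        // pe.imports walks the parsed import table, so a binary that hides
        // these names from a text search (e.g. via the ordinal) is still caught
        // if the table references them
        and pe.imports("kernel32.dll", "VirtualAllocEx")
        and pe.imports("kernel32.dll", "WriteProcessMemory")
        and pe.imports("kernel32.dll", "CreateRemoteThread")

        // Any section that is both writable and executable (RWX), a trait
        // of self-modifying and packed code; section flags are a bitfield
        and for any i in (0..pe.number_of_sections - 1) : (
            (pe.sections[i].characteristics & pe.SECTION_MEM_WRITE) != 0
            and (pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE) != 0
        )

        // Executable rather than a DLL (pe.characteristics is the COFF characteristics field)
        and (pe.characteristics & pe.DLL) == 0
}
```

Note the rule has no strings section at all; that is valid, and the import check would not be possible with text strings because the DLL and function names live in a table the loader parses, not necessarily as contiguous text.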

Yara Tools

LOKI

LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.

Based on the GitHub page, detection is based on 4 methods:

  1. File Name IOC Check

  2. Yara Rule Check

  3. Hash Check

  4. C2 Back Connect Check

THOR

THOR Lite is Florian Roth's newest multi-platform IOC and YARA scanner. There are precompiled versions for Windows, Linux, and macOS. A nice feature of THOR Lite is scan throttling, which limits how much CPU the scan consumes on a live host. To obtain a copy of the binary you need to subscribe to the Nextron Systems mailing list. Note that THOR itself is geared towards corporate customers; THOR Lite is the free version.

FENRIR

This is the third tool created by Neo23x0 (Florian Roth); the previous two are named above. It was written to address a limitation of its predecessors, which only run where their requirements are met (a Python interpreter for LOKI, a platform-specific binary for THOR). Fenrir is a bash script, so it runs on any system capable of running bash (nowadays even Windows), which makes it handy for quick triage on hosts where you cannot install tooling.

YAYA

YAYA was created by the EFF (Electronic Frontier Foundation) and released in September 2020. Based on their website, "YAYA is a new open-source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files."

Using LOKI

# Help Menu
python loki.py -h

# Update the bundled signatures and IOCs
python loki.py --update

# Run Loki against a directory (-p is the path to scan; . is the current directory)
python loki.py -p .

YarGen

What is YarGen?

From the README - "The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use."

# Update the goodware string and opcode databases
python3 yarGen.py --update

# Generate a Yara rule for a file
python3 yarGen.py -m <file name> --excludegood -o <output name>.yar

# Test the generated rule against the file it was built from
# (file2.yar and file2/index.php are the names used in this walkthrough)
yara file2.yar file2/index.php

  • -m is the path to the files you want to generate rules for

  • --excludegood forces exclusion of all goodware strings (strings that also appear in legitimate software; keeping them in a rule increases false positives)

  • -o is the location and name of the Yara rule file to write

Note: Another tool created to assist with this is called yarAnalyzer (you guessed it, created by Florian Roth). It is not examined here, but you should read up on it, especially if you decide to start creating your own Yara rules.

Valhalla

Valhalla is an online Yara feed created and hosted by Nextron-Systems (erm, Florian Roth).

Per the website, "Valhalla boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules."
