Description: identifying specific files by looking at the characteristics of a large number of files to see if any of them match the profile

Installation

• On Linux: download tar file from https://github.com/virustotal/yara/releases/tag/v4.0.2

• Install dependencies: sudo apt-get install automake libtool make gcc pkg-config

• Install YARA: tar -zxf yara-4.0.2.tar.gz -> cd yara-4.0.2/ -> ./bootstrap.sh

• Compile YARA: ./configure -> make -> sudo make install

• Confirm Installation: sudo make install

Usage

• Write YARA Rules: https://yara.readthedocs.io/en/stable/writingrules.html

• Run rule file against a target: yara [OPTIONS] RULES_FILE TARGET

• YARA Flags

  • -m: Prints the associated meta information to the terminal after a YARA scan.

  • -s: Prints the matching strings to the terminal after a YARA scan.

  • -r: Recursively scan all subfolders within the target location to ensure everything is scanned.

• YarGen to automatically generate rules for files: https://github.com/Neo23x0/yarGen/releases

  • Installation

    • YarGen: tar -zxf yarGen-0.18.0.tar.gz

    • sudo apt-get install python-pip

    • sudo pip install pefile cd

    • sudo pip install scandir lxml naiveBayesClassifier

    • python yarGen.py --update

    • python yarGen.py --help

  • Usage

    • python yarGen.py -m /root/Desktop/Malware -o ./TestRule.yara

    • python yarGen.py: Runs the yarGen python script

    • -m /root/Desktop/Malware: Create rules for files inside the Malware folder

    • -o ./TestRule.yara: Output the generated rule to the current folder

    • cat TestRule.yara: read rules

Resources:

• https://yara.readthedocs.io/en/stable/gettingstarted.html

• https://yara.readthedocs.io/en/stable/writingrules.html

• https://yara.readthedocs.io/en/stable/commandline.html

• https://github.com/Yara-Rules/rules