Information

Yara is a tool that identifies malware by pattern matching. It lets us describe a threat with text strings, byte sequences, imported functions, and other patterns, and then search executables and other file types on our system for those patterns. A Yara rule is portable across operating systems such as Windows, Linux, and macOS.

In this post I'll go through crafting a Yara rule that identifies all files containing a specific string.

Meta Data

The purpose of the meta section in Yara is to describe the rule itself: who wrote it, what it detects, and why. Meta values are informational only and play no part in matching.

rule ExampleOne {
    meta:
        name = "Example Rule"
        description = "This is just an example..."
    condition:
        false   // meta alone is not a valid rule; Yara requires a condition section
}

Usually the name and description fields record the threat actor or malware family and the behaviour the malicious file shows on our system, so an analyst reading a match knows what was found. Note that a rule consisting only of a meta section will not compile: every rule needs a condition, which is why the placeholder above carries condition: false until real logic is added.

Strings

The purpose of the strings section in Yara is to declare the strings (plain text, hexadecimal byte sequences, or regular expressions) that the rule should look for inside executables and other files. Each string gets an identifier starting with $, which the condition section refers to.

rule ExampleOne {
    meta:
        name = "Example Rule"
        description = "This is just an example..."
    strings:
        $a = "Hello World"
    condition:
        $a
}

Yara will scan every file we point it at and report the executables and other files that contain the string. This helps us identify all files that belong to a specific threat actor, provided the string is distinctive enough: a generic string such as "Hello World" will also match plenty of benign files, so choose strings that are unique to the malware.

Condition

The purpose of the condition section in Yara is to state when the rule matches, combining the declared strings with boolean operators such as and and or. This lets us build rules that require several indicators before a file is flagged.

Example of AND Operator
rule ExampleOne {
    meta:
        name = "Example Rule"
        description = "This is just an example..."
    strings:
        $a = "Hello World"
        $b = "I love you"
    condition:
        $a and $b
}
Example of OR Operator
rule ExampleOne {
    meta:
        name = "Example Rule"
        description = "This is just an example..."
    strings:
        $a = "Hello World"
        $b = "I love you"
    condition:
        $a or $b
}

A great use case for the and and or operators is when there are multiple IoCs that can be combined to identify malicious files: and demands that all of them appear (fewer false positives), while or fires when any one of them appears (broader coverage).
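Both the strings section and the condition section support more than plain text and the and/or operators shown above. The rule below is an added example written for this post, not one of the author's rules; the rule name, string identifiers, string values, hex bytes and size limit are all made up for illustration. It shows string modifiers (nocase, wide, ascii, fullword), a hex pattern with wildcards and a jump, a regular expression, the occurrence counter (#), an "N of" quantifier, and checks on the file header and file size in the condition.

```yara
rule Example_Modifiers_And_Conditions
{
    meta:
        name        = "Example Modifiers And Conditions"
        description = "Added illustration of string modifiers and condition operators; not a real detection."

    strings:
        // Text string: nocase ignores letter case, wide also matches the
        // UTF-16LE form, ascii keeps the plain form alongside it.
        $greet = "Hello World" nocase wide ascii

        // fullword only matches when the text is not embedded in a longer word.
        $pw = "My password is" fullword

        // Hex pattern: ?? wildcards one byte, [4-8] allows a gap of 4 to 8 bytes.
        // These bytes are made up for illustration, not taken from any sample.
        $stub = { 68 ?? ?? ?? ?? E8 [4-8] 83 C4 04 }

        // Regular expression for a dotted IPv4 address hard-coded in the file.
        $ipv4 = /([0-9]{1,3}\.){3}[0-9]{1,3}/

    condition:
        // Only consider Windows executables: "MZ" at offset 0, read little-endian.
        uint16(0) == 0x5A4D and
        // Skip very large files so scanning stays cheap (the limit is an assumption).
        filesize < 5MB and
        (
            // At least two of the three text/regex strings must be present ...
            2 of ($greet, $pw, $ipv4) or
            // ... or the hex stub occurs more than twice (#name counts occurrences).
            #stub > 2
        )
}
```

The header and size checks come first on purpose: Yara evaluates the condition left to right, so cheap tests that exclude most files keep the string search from running on everything. To see which strings matched and at which offsets, run the command-line tool with yara -s rules.yara sample.exe, or call match() from yara-python as the script later in this post does.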

Example

I'll be creating a Yara rule and scanning with the yara-python library to identify all files that contain the strings we flagged as malicious in our rule.

rules.yara
rule Communication {
    meta:
        name = "Joe"
        description = "Searching for specific strings on the communication between John and Joe."
    strings:
        $a = "Hi John!"
        $b = "My password is"
    condition:
        $a and $b
}
main.py
import yara
import os
import hashlib

# Compile the rule file once up front; compilation is the expensive step,
# the compiled object can then be reused for every file.
rules = yara.compile(filepath="rules.yara")

def compute_hash(filepath, algorithm="sha256"):
    # Hash in 8 KiB chunks so large files never have to fit in memory.
    hash_func = hashlib.new(algorithm)

    with open(filepath, 'rb') as file:
        while chunk := file.read(8192):
            hash_func.update(chunk)

    return hash_func.hexdigest()

def ScanFiles(path="."):
    # Recurse into sub-directories, but do not follow directory symlinks
    # so a symlink loop cannot keep the scan running forever.
    for f in os.listdir(path):
        full_path = os.path.join(path, f)
        if os.path.isdir(full_path) and not os.path.islink(full_path):
            ScanFiles(full_path)
        elif os.path.isfile(full_path):
            try:
                matches = rules.match(filepath=full_path)
            except yara.Error as e:
                # An unreadable or locked file should not abort the whole scan.
                print("[-] Could not scan " + full_path + ": " + str(e))
                continue

            if matches:
                print("[#] File Found")
                print("[+] File Name: " + f)
                print("[+] Location: " + full_path)
                print("[+] SHA256: " + compute_hash(full_path) + "\n")

ScanFiles("uploads/")
[#] File Found
[+] File Name: Temp_2.txt
[+] Location: uploads/Temp_2.txt
[+] SHA256: 90e884b4bf0cdf5bc10455194a23c253d8b2a7cdfb24c8233417d18e46d99c2a

When both the $a and $b strings are found in a file, the Python script prints the file name, its location, and the SHA256 of the file. As you can see, Yara can save us a lot of time and quickly identify what we are searching for.

Conclusion

In this article we went through the basics of Yara, but in the upcoming article I'll go through what truly makes Yara special by using it to detect real malware. I expect to release that article within 2 weeks of this article's release.