Yara

TryHackMe | Jamie Ngo | May 28, 2021

Background

Walkthrough of the Yara room.


Task 1: Introduction

Answer: No answer required.


Task 2: What is Yara?

What is the name of the base-16 numbering system that Yara can detect?

Answer: hex

Would the text “Enter your Name” be a string in an application? (Yay/Nay)

Answer: Yay


Task 3: Installing Yara (Ubuntu/Debian & Windows)

I’ve installed Yara and/or am using the attached VM!

Answer: No answer required.


Task 4: Deploy

I’ve either connected to my instance or installed Yara on my own operating system!

Answer: No answer required.


Task 5: Introduction to Yara Rules


One rule to – well – rule them all.

Answer: No answer required.


Task 6: Expanding on Yara Rules

Upwards and onwards…

Answer: No answer required.


Task 7: Yara Modules

Sounds pretty cool!

Answer: No answer required.


Task 8: Other tools and Yara

Cool tools. I’m ready to use one of them.

Answer: No answer required.


Task 9: Using LOKI and its Yara rule set

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

Answer: Suspicious

What Yara rule did it match on?

Answer: webshell_metaslsoft

What does Loki classify this file as?

Answer: Web Shell

Based on the output, what string within the Yara rule did it match on?

Answer: Str1

What is the name and version of this hack tool?

Answer: b374d 2.2

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

Answer: 1

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

Answer: Benign

Inspect file 2. What is the name and version of this web shell?

Answer: b374k 3.2.3


Task 10: Creating Yara rules with yarGen

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

Answer: yara file2.yar file2/1ndex.php

Did Yara rule flag file 2? (Yay/Nay)

Answer: Yay

Copy the Yara rule you created into the Loki signatures directory.

Answer: No answer required.

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

Answer: Yay

What is the name of the variable for the string that it matched on?

Answer: Zepto

Inspect the Yara rule, how many strings were generated?

Answer: 20

One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

Answer: 700KB
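For readers who want to see what the rule tested in this task looks like in practice, here is an added, constructed Yara rule in the style yarGen produces. It is not the rule generated in the room; the rule name, the string values and the metadata are illustrative assumptions. It shows the three parts of a rule (meta, strings, condition), a named string that would be reported by the matcher, and a `filesize` condition of the kind asked about above.

```yara
rule Example_PHP_Webshell_Zepto_Constructed
{
    meta:
        description = "Constructed illustration of a yarGen-style rule; not the room's rule"
        author      = "added example"
        reference   = "TryHackMe Yara room, Task 10"
    strings:
        // $s1 is the named string a scanner reports when it fires
        $s1 = "Zepto" ascii wide
        $s2 = "<?php" ascii
        // hex form of "<?php"; yarGen emits both text and hex strings
        $h1 = { 3C 3F 70 68 70 }
    condition:
        // uint16(0) is read little-endian, so the bytes "<?" compare as 0x3f3c
        uint16(0) == 0x3f3c and
        // size guard: skip anything at or above 700KB
        filesize < 700KB and
        ( 1 of ($s*) or $h1 )
}
```

Run it the same way as in the answer above (`yara <rule file> <target>`); adding `-s` makes yara print which strings matched and at what offset, which is how the "name of the variable for the string that it matched on" question is answered. Dropping the `filesize` guard or widening the strings increases false positives, so when a generated rule is tuned it is usually the string set, not the size bound, that gets trimmed.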


Task 11: Valhalla

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

Answer: Yay

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

Answer: Webshell_b374_rule1

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Answer: THOR APT Scanner

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

Answer: Nay

Besides .PHP, what other extension is recorded for this file?

Answer: EXE

Back to Valhalla, inspect the Info for this rule. Under Statistics what was the highest rule match per month in the last 2 years? (YYYY/M)

Answer: 2021/3

What JavaScript library is used by file 2?

Answer: Zepto

Is this Yara rule in the default Yara file Loki uses to detect these types of hack tools?

Answer: Nay


Task 12: Conclusion

Answer: No answer required.

Written by: Jamie Ngo
