
Lab-Project 8: Yara

What You Need for This Project


● A virtual machine with Windows 10.

Purpose

1. Practice using Yara to write rules and scan files.

Installing Visual C++ Redistributable

2. In a web browser, go to
https://www.microsoft.com/en-us/download/details.aspx?id=52685
3. Click the red Download button.
4. Check the box next to vc_redist.x64.exe and click Next.
5. Install the downloaded file. If your machine already has Visual C++
Redistributable, a Setup Failed window will pop up.
6. Click Close and go to the next step.

Installing Yara

7. In a web browser, go to
https://yara.readthedocs.io/en/stable/gettingstarted.html
8. Click Download Windows binaries.
9. Select the appropriate version to download.
10. Unzip the file.

Preparing a working folder

11. Run Command Prompt as Administrator.


12. Create a working folder with the following command:
mkdir C:\yara
13. Copy the extracted files with the following command, replacing
FILEPATH with the location you extracted the files in step 10:
copy FILEPATH\yara*.* c:\yara
14. The files are copied, as shown below.
Writing a Yara rule

15. In Command Prompt, execute the following commands, replacing
YOURNAME with your real name:
cd c:\yara
notepad YOURNAME.yar
16. A Notepad box pops up, asking Do you want to create a new file?. Click
Yes.
17. In Notepad, enter the following text:

rule ExampleRule
{
strings:
$my_text_string = "EVIL"

condition:
$my_text_string
}
18. Save the file and close Notepad.

Saving a screen image

19. Make sure YOURNAME is visible as shown above. It must be your real
name, not the literal text YOURNAME.
20. Save the image with the filename Lab-Proj8a-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Creating test files

21. In Command Prompt, execute the following commands, replacing
YOURNAME with your real name:
mkdir YOURNAME
echo "GOOD" > YOURNAME\goodfile.txt
echo "EVIL" > YOURNAME\badfile.txt
22. The files are created, as shown below. Note that cmd's echo writes the
quotation marks into the files as well, so badfile.txt contains "EVIL" with
the quotes; the rule still matches because a Yara text string matches
anywhere in the file. The match is case-sensitive unless the string is
marked nocase.
Saving a screen image

23. Make sure the Command Prompt window is visible as shown above, with
your real name replacing the literal text YOURNAME.
24. Save the image with the filename Lab-Proj8b-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Running Yara on the test files

25. In Command Prompt, execute the following commands, replacing
YOURNAME with your real name:
yara64 YOURNAME.yar YOURNAME
26. Yara scans the files directly inside your YOURNAME folder (add -r to
recurse into subfolders) and finds one file matching the rule. Each match is
printed as the rule name followed by the path of the matching file, as shown
below.
Saving a screen image

27. Make sure the Command Prompt window is visible as shown above, with
your real name replacing the literal text YOURNAME.
28. Save the image with the filename Lab-Proj8c-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Getting Minesweeper

29. In a web browser, go to link


30. A zip file will be downloaded. Navigate to the location of the downloaded
file and unzip it.
31. In Command Prompt, execute the following command, replacing
FILEPATH with the location you extracted the file in step 30 and
YOURNAME with your real name:
move FILEPATH\minesam.exe YOURNAME

Getting a Yara rule

32. In a web browser, go to
https://raw.githubusercontent.com/Yara-Rules/rules/master/packers/packer_compiler_signatures.yar
33. Right-click the page and select Save as. Navigate to C:\yara. Save the file
as packer_compiler_signatures.yar.

Running Yara on the test files

34. In Command Prompt, execute the following command, replacing
YOURNAME with your real name:
yara64 packer_compiler_signatures.yar YOURNAME
35. Yara scans the files in your YOURNAME folder and reports the packer and
compiler signatures that match, one line per matching rule, as shown below.

Saving a screen image

36. Make sure the text covered in the green box is visible.
37. Save the image with the filename Lab-Proj8d-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Finding more EVIL

38. Download this file: ran.zip


39. Unzip it. It contains 100 files with two-letter names, such as AK.
40. Use Yara with your YOURNAME.yar rule to scan the extracted folder and
find the files containing EVIL.
Saving a screen image

41. Make sure the Command Prompt window is visible with your real name
replacing the literal text YOURNAME.
42. Save the image with the filename Lab-Proj8e-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Finding Fours

43. Using the same files extracted from ran.zip, use Yara to find all the files
containing three bytes of 0x04 in a row.
44. Use the following document to write a rule for this task: Writing Yara rules

Saving a screen image

45. Make sure the Command Prompt window is visible with your real name
replacing the literal text YOURNAME.
46. Save the image with the filename Lab-Proj8f-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Finding Byte pattern

47. Using the same files extracted from ran.zip, use Yara to find all the files
containing this pattern:
One byte of 0x04
Three to six of any byte
One byte of 0x05
Three to six of any byte
One byte of 0x06
48. Use the following document to write a rule for this task: Writing Yara rules
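As an added worked example (not part of the lab handout and not taken from the Yara documentation), the Python script below writes the two hex-pattern rules that the Finding Fours task and the byte pattern above call for to a .yar file, and cross-checks their semantics against equivalent byte regexes over a handful of constructed sample files. The rule names, the sample file contents and the folder name ran_sample are assumptions made for this example; run yara64 on the generated rule file and folder to confirm that Yara agrees with the reference scan.

```python
"""Added example, not part of the lab: write the two hex-pattern rules for the
"Finding Fours" and "Finding Byte pattern" tasks and cross-check their
semantics with equivalent byte regexes over constructed sample files.
Rule names, sample contents and the folder name 'ran_sample' are assumptions."""
import os
import re
import tempfile

# In a Yara hex string, each token is one byte in hex and [m-n] is a jump of
# m to n arbitrary bytes. Both rules match if their string occurs anywhere.
RULES_YAR = """\
rule Three_04_In_A_Row
{
    strings:
        $fours = { 04 04 04 }
    condition:
        $fours
}

rule Byte_Pattern_04_05_06
{
    strings:
        // 0x04, three to six of any byte, 0x05, three to six of any byte, 0x06
        $pat = { 04 [3-6] 05 [3-6] 06 }
    condition:
        $pat
}
"""

# Regex equivalents, used only to sanity-check the rule logic offline.
# re.DOTALL is required so that '.' also matches 0x0A, as a Yara jump does.
REFERENCE = {
    "Three_04_In_A_Row": re.compile(rb"\x04\x04\x04", re.DOTALL),
    "Byte_Pattern_04_05_06": re.compile(rb"\x04.{3,6}\x05.{3,6}\x06", re.DOTALL),
}

# Constructed sample files, named like the two-letter files in ran.zip.
SAMPLES = {
    "AK": b"\x00\x04\x04\x04\x00",              # three 0x04 in a row
    "BQ": b"\x04\x04\x00\x04",                   # never three in a row
    "CZ": b"\x04ABC\x05ABCDEF\x06",              # gaps of 3 and 6: in range
    "DM": b"\x04AB\x05ABC\x06",                  # first gap is 2: too short
    "EV": b"\x04ABCDEFG\x05ABC\x06",             # first gap is 7: too long
    "FX": b"\x04\x04\x04\n\n\n\x05\n\n\n\x06",   # both rules; gaps contain 0x0A
}


def matches(rule_name, data):
    """True if the reference pattern for rule_name occurs anywhere in data."""
    return REFERENCE[rule_name].search(data) is not None


def write_samples(directory):
    """Create the constructed sample files inside directory."""
    os.makedirs(directory, exist_ok=True)
    for name, data in SAMPLES.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


def write_rules(path):
    """Write the two Yara rules to path, ready for yara64."""
    with open(path, "w") as fh:
        fh.write(RULES_YAR)


def scan_directory(directory):
    """Return {rule_name: sorted matching file names}, mirroring yara's
    'rule_name path' output lines for the files directly inside directory."""
    hits = {name: [] for name in REFERENCE}
    for fname in sorted(os.listdir(directory)):
        path = os.path.join(directory, fname)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        for rule_name in REFERENCE:
            if matches(rule_name, data):
                hits[rule_name].append(fname)
    return hits


def demo(work_dir=None):
    """Create the sample folder and rule file, return the reference scan result."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="yara_lab_")
    sample_dir = os.path.join(work_dir, "ran_sample")
    write_samples(sample_dir)
    write_rules(os.path.join(work_dir, "bytes.yar"))
    return scan_directory(sample_dir)


if __name__ == "__main__":
    work = tempfile.mkdtemp(prefix="yara_lab_")
    for rule_name, files in demo(work).items():
        print(rule_name, files)
    # Confirm with the real tool on the generated folder.
    print("now run: yara64", os.path.join(work, "bytes.yar"),
          os.path.join(work, "ran_sample"))
```

The point of the cross-check is the jump syntax: in a Yara hex string, [3-6] matches three to six arbitrary bytes, which corresponds to .{3,6} in a regex compiled with re.DOTALL; without DOTALL the regex would miss a gap containing 0x0A, whereas a Yara jump matches any byte value. Once the sample files match as expected, running yara64 with the generated rule file against the folder extracted from ran.zip gives the answer for the screenshot.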

Saving a screen image

49. Make sure the Command Prompt window is visible with your real name
replacing the literal text YOURNAME.
50. Save the image with the filename Proj8g-YOURNAME.png. Use your real
name, not the literal text YOURNAME.
Turning in your Project

51. Submit the images you save in the steps Saving a Screen Image
to: cms with a subject line of Proj8-YOURNAME, replacing YOURNAME
with your own name.
