TryHackMe: Yara Walkthrough (SOC Level 1)

January 10, 2025
January 10, 2025 Jasper
Welcome to this walkthrough of the Yara Room on TryHackMe.
In this room we will learn about the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting!

This room is part of the SOC Level 1 Path.

Yara Room

Yara Room

Room URL: https://tryhackme.com/r/room/yara

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Introduction

This room will expect you to understand basic Linux familiarity, such as installing software and commands for general navigation of the system. Moreso, this room isn’t designed to test your knowledge or for point-scoring. It is here to encourage you to follow along and experiment with what you have learned here.
As always, I hope you take a few things away from this room, namely, the wonder that Yara (Yet Another Ridiculous Acronym) is and its importance in infosec today. Yara was developed by Victor M. Alvarez (@plusvic) and @VirusTotal. Check the GitHub repo here.

Questions

Let’s get started

Answer: No answer needed


Task 2: What is Yara?

Note: I upgraded the Introductionary text on THM, as I did not feel like it did a great job of actually explaining what Yara is.

Understanding Yara

Yara is a versatile tool designed for identifying and classifying files based on patterns, whether binary or textual. Originally developed for malware researchers, it has since become a go-to resource for security analysts and anyone dealing with threat detection. Known as “the pattern matching Swiss knife for malware researchers (and everyone else)” (Virustotal, 2020), Yara’s ability to detect malicious behavior by matching specific features or patterns makes it a cornerstone in modern cybersecurity operations.

Why Yara is Important for SOC Analysts

For a Security Operations Center (SOC) analyst, identifying threats quickly and accurately is critical. Yara is particularly valuable in incident response, malware analysis, and threat hunting because it enables analysts to automate the detection of known malicious files or suspicious behaviors. By writing custom Yara rules, you can search through files, memory, or network traffic for patterns associated with malware, saving time and improving detection rates.

Yara’s relevance for rookies lies in its simplicity and power. It provides a practical entry point into malware detection without requiring deep programming or reverse engineering skills. Learning to use Yara effectively helps SOC analysts develop a deeper understanding of how malicious files are structured and behave, which is essential for responding to modern threats.

How Yara Works

Yara uses rules, which are sets of conditions defined by the user to match specific patterns in files. These rules can target strings (e.g., text stored in a file) or binary data (e.g., specific sequences of bytes). Yara rules are highly flexible and can be customized to detect unique characteristics of malware.

For example:

  • A ransomware rule might search for Bitcoin wallet addresses used for ransom payments.
  • A botnet rule could match IP addresses of known Command and Control (C&C) servers.

Why Strings Matter

Strings—sequences of text or characters—are a fundamental part of software and malware alike. Just as a simple Python program might include the string “Hello World” to print a message, malware uses strings to store critical data such as file paths, encryption keys, IP addresses, or commands. By identifying these strings, Yara can flag files or processes that exhibit suspicious patterns.

Yara in Action for SOC Analysts

Imagine you’re investigating a potential malware outbreak. Using Yara, you can scan files across an infected system or network for known malicious patterns. For example, a custom rule might detect the presence of ransomware by matching specific encryption routines or strings associated with ransom notes.

By automating this process, Yara allows SOC analysts to:

  1. Quickly identify infected files.
  2. Attribute the malware to a known family or actor.
  3. Develop further rules for proactive threat hunting.

Questions

What is the name of the base-16 numbering system that Yara can detect?

Base 16 uses powers of 16. The possible digits are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. We also call this hexadecimal this there are 16 possibilities (hexadecimal meaning 16).
Hexadecimal is used for lots of things, for example color codes in HTML!

Answer:hexadecimal

Would the text “Enter your Name” be a string in an application? (Yay/Nay)

Yes! “Enter your name” is a sequence of characters, and is therefore considered a string.

Answer: Yay


Task 3: Deploy

Nothing to cover here. Startup the machine attached to this task, or connect through SSH (remember to connect to THMs VPN).

Questions

I’ve connected to my instance!

Answer: No answer needed.


Task 4: Introduction to Yara Rules

The proprietary language Yara uses for rules is simple to start with but requires understanding of the patterns you want to detect. Here, we will walk through the process of creating your first Yara rule.

Basic Structure of Yara Rules

A Yara rule consists of two key components:

  1. Rule Name: The name you assign to the rule.
  2. Condition: The conditions under which the rule is triggered.

In simple terms, the rule you write will check if specific patterns (like strings or binary data) exist in the target file, directory, or process.

For example, let’s create a basic Yara rule that checks if a file or directory exists.

Steps to Create Your First Yara Rule:

  1. Create a Sample File:
    First, create a file called somefile. This will be the file we test the Yara rule on.

    touch somefile
  2. Create the Yara Rule File:
    Now, create a new Yara rule file named myfirstrule.yar

    touch myfirstrule.yar
  3. Write the Rule:
    Open myfirstrule.yar with a text editor (e.g., nano):

    nano myfirstrule.yar
    

    Inside the file, write the following rule:

    rule examplerule {
    condition: true
    }
    • Rule Explanation:
      • rule examplerule sets the rule’s name as examplerule.
      • condition: true is a condition that simply checks whether the file exists (in this case, it always evaluates to true).

    Running the Rule:

    1. Now, use the following command to run the Yara rule against the somefile we created earlier:
    yara myfirstrule.yar somefile

    If the file somefile exists, Yara will output the name of the rule, examplerule, like this:

     examplerule somefile
    

    What Happens if the File Doesn’t Exist?
    If the file doesn’t exist, Yara will give an error message, such as

    error scanning sometextfile: could not open file

Key Takeaways:

  • The Rule: Your first Yara rule (examplerule) checks whether a file or directory exists using condition: true.
  • Output: If the file exists, Yara outputs the rule name (e.g., examplerule). If it doesn’t, Yara returns an error indicating the file couldn’t be found.
  • The Condition: The simplicity of the rule here is that condition: true always evaluates as true, but more complex rules can search for specific patterns or strings inside files.

What’s Next?

  • Refining Rules: Now that you’ve written your first rule, you can begin experimenting with more complex patterns like searching for specific strings or binary data within files.
  • Real-World Use: In a real-world context, SOC analysts often use Yara rules to detect malicious patterns in files, processes, or network traffic, making Yara an essential tool for identifying malware in various environments.

Questions

One rule to – well – rule them all.

Answer: No answer needed.


Task 5: Expanding on Yara Rules

Checking if a file exists with a basic Yara rule is a good starting point, but the real power of Yara lies in its ability to search for patterns and apply complex conditions. Let’s delve deeper into Yara’s functionality, including meta fields, string definitions, and advanced conditions.

Meta

The meta section provides descriptive information about the rule. It is used for documentation purposes and does not affect the rule’s functionality. This is similar to comments in programming and is particularly useful for organizing and understanding your rules.

Example:

rule helloworld_checker {
meta:
author = "Your Name"
description = "Detects files containing variations of 'Hello World!'"
date = "2025-01-07"
}

Strings

The strings section allows you to specify patterns the rule should search for. These patterns can be text strings or hexadecimal values.

Example:

rule helloworld_checker {
strings:
$hello_world = "Hello World!"
condition:
$hello_world
}

This rule matches any file containing the exact text “Hello World!”.

Handling Case Sensitivity
Yara matches strings exactly as defined. To account for case variations (e.g., “hello world” or “HELLO WORLD”), you can define multiple strings and combine them with conditions.

Example:

rule helloworld_checker {
strings:
$hello_world = "Hello World!"
$hello_world_lower = "hello world"
$hello_world_upper = "HELLO WORLD"
condition:
any of them
}

This rule matches files containing any of the defined variations.

Advanced Conditions

Yara supports logical operators, comparison operators, and complex conditions to refine your rules.

Counting Occurrences
Use #<string_name> to count occurrences of a string in a file.

Example:

rule helloworld_checker {
strings:
$hello_world = "Hello World!"
condition:
#hello_world <= 10
}

This rule matches if “Hello World!” appears 10 times or fewer in a file.

Combining Conditions

You can combine multiple conditions with logical operators like and, or, and not.

Example:

rule helloworld_checker {
strings:
$hello_world = "Hello World!"
condition:
$hello_world and filesize < 10KB
}

This rule matches only if:

The file contains “Hello World!”, and
The file size is less than 10KB.

Questions

Upwards and onwards…

Answer: No answer needed

 


Task 6: Yara Modules

Integrating Yara with Other Tools and Libraries

Yara’s capabilities can be extended by integrating it with tools like Cuckoo Sandbox or Python’s PE Module, enabling deeper insights into file behaviors and structures. These integrations are particularly useful in malware analysis, where understanding both runtime and static characteristics is critical.

Cuckoo Sandbox

Cuckoo Sandbox is an automated malware analysis framework that runs suspicious files in an isolated environment to observe their behaviors. Integrating Yara with Cuckoo enables you to:

  1. Generate Yara rules based on runtime characteristics like strings loaded into memory, API calls, and other system interactions.
  2. Target specific behaviors or patterns observed during execution.
  3. Build rules that reflect both static and dynamic analysis findings, enhancing detection accuracy.

Benefits:

  • Capture real-time execution data for malware.
  • Focus on unique runtime behaviors, such as network activity or dropped files.
  • Create rules for malware families based on observed execution patterns.

Python’s PE Module

The Python PE Module allows for static analysis of Portable Executable (PE) files, which are standard for executables and libraries on Windows. This integration supports:

  1. Parsing and analyzing PE file headers, sections, and imports/exports.
  2. Detecting anomalies like unusual section sizes, names, or characteristics.
  3. Creating Yara rules based on structural attributes rather than execution behavior.

Benefits:

  • Efficient static analysis without requiring malware execution.
  • Identify specific functions or libraries used by potentially malicious files.
  • Detect packing, cryptography, or other indicators of malicious intent through PE structure anomalies.

Questions

Sounds pretty cool!

Answer: No answer needed

 


Task 7: Other tools and Yara

This task simply mentions some other tools. The important things to remember is that there are tools which makes it easy to start using Yara rules without having to write your own!

Tools Overview

  1. LOKI
    • Open-source IOC scanner focused on detecting Indicators of Compromise using various checks like file names, Yara rules, hashes, and C2 communication.
    • Cross-platform support for Windows and Linux.
    • Lightweight and straightforward, making it an ideal choice for quick IOC checks.
  2. THOR Lite
    • A more advanced IOC and Yara scanner with multi-platform support for Windows, Linux, and macOS.
    • Features scan throttling to minimize resource usage.
    • Requires email subscription for download and is oriented towards corporate environments.
  3. FENRIR
    • A bash script for systems capable of running bash (Linux, macOS, and Windows with bash support).
    • A simple IOC checker designed for lightweight and dependency-free operation.
  4. YAYA (Yet Another Yara Automaton)
    • Focused on managing Yara rule repositories and performing scans.
    • Exclusively supports Linux.
    • Helps researchers manage and customize Yara rules efficiently.

Questions

Cool tools. I’m ready to use one of them.

Answer: No answer needed


Task 8: Using LOKI and its Yara rule set

As a security analyst, you may need to research various threat intelligence reports, blog postings, etc. and gather information on the latest tactics and techniques used in the wild, past or present. Typically in these readings, IOCs (hashes, IP addresses, domain names, etc.) will be shared so rules can be created to detect these threats in your environment, along with Yara rules. On the flip side, you might find yourself in a situation where you’ve encountered something unknown, that your security stack of tools can’t/didn’t detect. Using tools such as Loki, you will need to add your own rules based on your threat intelligence gathers or findings from an incident response engagement (forensics).  As mentioned before, Loki already has a set of Yara rules that we can benefit from and start scanning for evil on the endpoint straightaway.

Getting Started with LOKI:

  1. Initial Setup:
    • Navigate to the Loki folder on your system.
    • Run the command python loki.py -h to see available options.
    • Update its signatures by running --update (this ensures it can scan for the latest threats).
  2. Inspecting Yara Rules:
    • Check the “signature-base” directory under LOKI to see preloaded rules in the yara folder.
    • These rules specify what LOKI should look for during scans.
  3. Running a Scan:
    • Use LOKI to scan specific files or folders for malicious content.
    • Example command: python ../../tools/Loki/loki.py -p .
      This scans all files in the current folder for threats.

Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the suspicious-files directory. Use Loki to answer the questions below.

Questions

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

 Start up the machine attached to task 3.
The suspicious file can be found in ~/suspicious-files.
As discussed before, the loki program is located at the ~/tools/Loki/loki.py
To run the code on the first file, make sure you are in the file1 folder and aftwards we can run the following:
python ../../tools/Loki/loki.py -p .
Loki file1 results

Loki file1 results

The final result is as follows: [RESULT] Suspicious objects detected!

Answer: suspicious

What Yara rule did it match on?

 Take a look at the area area [WARNING].
Among other info it mentions the reason and rule it matched on:
REASON_1: Yara Rule MATCH: webshell_metaslsoft SUBSCORE: 70
There we can the rule matched 🙂

Answer: webshell_metaslsoft 

What does Loki classify this file as?

Look at the description field of the Warning section.

DESCRIPTION: Web Shell – file metaslsoft.php REF:

 It is a web shell!

Answer: Web Shell

Based on the output, what string within the Yara rule did it match on?

 This one is a bit tougher to find, but in the same warning section you can see the following line:
Str1: $buff .= “<tr><td><a href=\\”?d=”.$pwd.”\\”>[ $folder ]</a></td><td>LINK</t
The first word before the colon (“:”) is the matched string. This means the first string of the rule.

Answer: Str1

What is the name and version of this hack tool?

 This question can be answer by looking at the warning section once more. The second field contains the first bytes of the matched file, and it contains the following:
FIRST_BYTES: 3c3f7068700a2f2a0a09623337346b20322e320a / <?php/*b374k 2.2
The answer lies after the PHP comment block opening.

Answer: b374k 2.2

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

 The Yara rules can be found in the~/tools/Loki/signature-base/yaradirectory. 
I had to google to found the actual Yara file:
https://github.com/blacktop/docker-yara/blob/master/w-rules/rules/Loki%20Rules/thor-webshells.yar
This can also be found at:
yara/thor-webshells.yar

I used the following command to find the Metaslsoft rule and print the 10 lines after the matched rule name:

cat thor-webshells.yar | grep metaslsoft -A 10

This gives the following result:

Yara rule

Yara rule

Answer:Sales_Receipt 5606.xls

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

 As before, run the following command:
python ../../tools/Loki/loki.py -p .
The gives the following output:
Loki file2 results

Loki file2 results

The result is clear: [RESULT] SYSTEM SEEMS TO BE CLEAN.

Answer: Benign

Inspect file 2. What is the name and version of this web shell?

 This time Loki does not show the first bytes, so we have to read the file manually.
I will do this by running head:
head 1ndex.php
Webshell contents

Webshell contents

The answer is in the comment, but remove the “shell” in the middle.

Answer: b374k 3.2.3


 Task 9: Creating Yara rules with yarGen

Why Create a YARA Rule?
If LOKI doesn’t detect a suspicious file, you can create a custom YARA rule to identify the file and similar threats across your systems. This is especially useful in incident response to prevent undetected malicious activity.

What is yarGen?
yarGen is a tool that helps generate YARA rules by analyzing suspicious files and filtering out strings commonly found in legitimate software (to reduce false positives).

Steps to Create a YARA Rule with yarGen:

  1. Prepare yarGen:
    • Navigate to the yarGen directory.
    • Run python3 yarGen.py --update to download its database of legitimate software strings and opcodes.
  2. Generate a YARA Rule:
    • Use the command:
      python3 yarGen.py -m /path/to/suspicious/file --excludegood -o /path/to/output/file.yar
      
      • -m: Path to the suspicious file.
      • --excludegood: Filters out strings from legitimate software.
      • -o: Specifies where to save the generated YARA rule.

Resources for Learning More:

Questions

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

 Now we have to create a rule and test it on file2, since we failed to identify the web shell in the previous task.
After making sure you are in the ~/tools/yarGen directory, run the following command to create your own yar rule.
python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yar
Yara Rule Generator

Yara Rule Generator

After running this command we can test our freshly created Yara rule on file2 like this (we learned this in Task 4):

yara file2.yar file2/1ndex.php

Answer: yara file2.yar file2/1ndex.php

Did Yara rule flag file 2? (Yay/Nay)

 Run the command from the previous question:
Yara results on file2

Yara results on file2

If you look at the output of the command (in the bottom of my screenshot) you can see that it outputs “home cmnatic suspicious files file2 index“. This means that the file is considered suspicious, as yara outputs the rule name that gets “matched”.

Answer: Yay

Copy the Yara rule you created into the Loki signatures directory.

 Copy the file with this command:
cp file2.yar ../tools/Loki/signature-base/yara

Answer: No answer needed

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

 With the rule in place so Loki can find it, move into the flag2 directory, and run the Loki program:
cd file2
python ../../tools/Loki/loki.py -p .
Loki results with new rule

Loki results with new rule

As you can see, the file is considered suspicious.

Answer: Yay

What is the name of the variable for the string that it matched on?

The answer is in the MATCHES section on the previous screenshot:

 MATCHES: Str1: var Zepto=function(){function G(a){return a==null?String(a):z[A.call(a)]||"object"}function H(a){return G(a)=="function"}fun Str2: $c ... (truncated)

Answer: Zepto

Inspect the Yara rule, how many strings were generated?

 If you can’t remember, we placed the Yara rule in the following directory:
cat ~/tools/Loki/signature-base/yara/file2.yar

Yara results on file2

There are 20 strings generated in the rule.

Answer: 20

One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

 The conditions are mentioned in the bottom of the rule:
 condition:
uint16(0) == 0x3f3c and filesize < 700KB and
1 of ($x*) and 4 of them

The relevant one is the first one. Here it is specified that the filesize should be less than 700KB.

Answer: 700KB


Task 10: Valhalla

Valhalla is an online Yara rule feed hosted by Nextron-Systems (Florian Roth), offering thousands of high-quality, hand-crafted Yara rules to enhance detection capabilities. The platform enables threat intelligence gathering and malware detection through extensive, organized rule sets.

Link: https://www.nextron-systems.com/valhalla/

Key Features:

  • Search Capabilities:
    You can search by keyword, tag, MITRE ATT&CK technique, SHA256 hash, or rule name.
  • Rule Details:
    Each rule includes:

    • Name
    • Description
    • Submission date
    • Reference link for more context
  • Practical Use:
    • Valhalla rules provide context and actionable intelligence for threat hunting.
    • Security professionals can utilize this data even without deep coding knowledge.

Scenario Application:

  • Using Yara and Valhalla:
    If LOKI identifies suspicious files, Valhalla can provide additional context, helping analysts confirm malicious behavior and justify actions like removing files from the network.
  • Research-Based Approval:
    Valhalla supports the research needed for incident response and decision-making without requiring advanced scripting skills.

Questions

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

 Open the search page at: https://valhalla.nextron-systems.com/
The SHA256 of file one is 5479f8cd1375364770df36e5a18262480a8f9d311e8eedb2c2390ecb233852ad. (see the results of the Loki scan).
Entering this hash in the search input fields bring us to the following url:
https://valhalla.nextron-systems.com/info/search?keyword=5479f8cd1375364770df36e5a18262480a8f9d311e8eedb2c2390ecb233852ad
Valhalla file1

Valhalla file1

As you can see, one of the results mentions a Chinese APT group.

Answer: Yay

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

 The SHA256 hash for file 2 is: 53fe44b4753874f079a936325d1fdc9b1691956a29c3aaf8643cdbd49f5984bf
Valhalla file2

Valhalla file2

If we consider the first rule to be the one with the oldest date, the answer is Webshell_b374k_rule1.

Answer: Webshell_b374k_rule1

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Visit the VirusTotal search page at:
https://www.virustotal.com/gui/home/search
Search for the previously mentioned hash and you will reach the following page:
https://www.virustotal.com/gui/file/53fe44b4753874f079a936325d1fdc9b1691956a29c3aaf8643cdbd49f5984bf

On the Community tab you can find the answer:

VirusTotal file2 Yara Signature Match

VirusTotal file2 Yara Signature Match

Answer: THOR APT Scanner

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

 This answer can be found on the Detection tab. As you can see, far from all AVs detect the file as malicious.
VirusTotal detections

VirusTotal detections

Answer: Nay

Besides .PHP, what other extension is recorded for this file?

 This time we have to take a look at the Details tab:
File extensions

File extensions

Besides php, php5, txt and html, there is .exe, which is the expected answer.

Answer: exe

What JavaScript library is used by file 2?

I googled Webshell_b374k and found the following Github page:
https://github.com/b374k/b374k
If you look at the source code of the index.php file you can see the following JS libraries are used:
$zepto_code = packer_read_file($GLOBALS['packer']['base_dir']."zepto.js");
$js_main_code = "\n\n".packer_read_file($GLOBALS['packer']['base_dir']."main.js");
$js_code = "\n\n".packer_read_file($GLOBALS['packer']['base_dir']."sortable.js").$js_main_code;
$js_code .= "\n\n".packer_read_file($GLOBALS['packer']['base_dir']."base.js");
The first line refers to the zepto library.

Answer: zepto

Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)

 I suppose they are referring to the Webshell_b374k_rule1 rule which we found earlier.
While we could look in the rules directory, we can assume it doesn’t because Loki failed to detected the malicious code in previous tasks. 🙂

Answer: Nay


Task 11: Conclusion

I can’t put it better than the room creator does:

In this room, we explored Yara, how to use Yara, and manually created basic Yara rules. We also explored various open-source tools to hit the ground running that utilizes Yara rules to detect evil on endpoints.
By going through the room scenario, you should understand the need (as a blue teamer) to know how to create Yara rules effectively if we rely on such tools. Commercial products, even though not perfect, will have a much richer Yara ruleset than an open-source product. Both commercial and open-source will allow you to add Yara rules to expand its capabilities further to detect threats.
If it is not clear, the reason why file 2 was not detected is that the Yara rule was not in the Yara file used by Loki to detect the hack tool (web shell) even though its the hack tool has been around for years and has even been attributed to at least 1 nation-state. The Yara rule is present in the commercial variant of Loki, which is Thor. 

There is more that can be done with Yara and Yara rules. We encourage you to explore this tool further at your own leisure. 

Questions

No answer needed.

Answer: No answer needed


Congratulations on completing Yara!!!

We finished the Yara room on THM

We finished the Yara room on THM

Whew! We’re done. It definitely took a while to finish this walkthrough.
Great job on finishing this room on Yara. I think it is one of the harder rooms that I have tried on TryHackMe, but I learned a bunch. I really liked the practical assignments!
Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox.

 


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg

Leave a Reply

Your email address will not be published. Required fields are marked *