2.1. All about Yara
"The pattern matching swiss knife for malware researchers (and everyone else)" (Virustotal., 2020)
With such a fitting quote, Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.
Rules are used to label these patterns. For example, Yara rules are frequently written to determine if a file is malicious or not, based upon the features - or patterns - it presents.
Strings are a fundamental component of programming languages. Applications use strings to store data such as text.
For example, the code snippet below prints "Hello World" in Python. The text "Hello World" would be stored as a string.
Hello Earth! Can you hear me?
We could write a Yara rule to search for "hello world" in every program on our operating system if we would like.
2.2. Why does Malware use Strings?
Malware, just like our "Hello World" application, uses strings to store textual data. Here are a few examples of the data that various malware types store within strings:
2.3. Caveat: Malware Analysis
Explaining the functionality of malware is vastly out of scope for this room due to the sheer size of the topic. I have covered strings in much more detail in "Task 12 - Strings" of myMAL: Introductory room. In fact, I am creating a whole Learning Path for it. If you'd like to get a taster whilst learning the fundamentals, I'd recommend my room.
Answer the questions below
What is the name of the base-16 numbering system that Yara can detect?
How to: The answer can be found in the first sentence of this room (Not the quote), and it is the abbreviated name.
Answer: Hex
Would the text "Enter your Name" be a string in an application? (Yay/Nay)
How to: Any text with in qoutes (””), will be a string.
Answer: Yay
No comments:
Post a Comment