https://github.com/FrigidSec/Documents
Make Volatility your YARA
Get yourself acquainted with the basics of YARASCAN
Author: Smit Sawant
Date: 2020-09-05 04:23:13
volatility -f <disk image> yarascan -Y "rules/strings"
This is the basic syntax for using yarascan; we will modify it further as our requirements demand.
Assumption: let the process IDs of the Google Chrome instances in use be 1912, 2003, 3123 and 1282 (you can find these with the pslist plugin).
So now we know every website URL will start with HTTP or HTTPS for sure! So in this case, HTTP or HTTPS will be the rule/string for our yarascan plugin!
How do we use this rule with yarascan to solve the given case? Don’t scratch your brain, it’s pretty straightforward.
volatility -f <disk image> --profile=<suggested profile for disk image> yarascan -Y "http" -p 1912,2003,3123,1282
Smash ENTER and BOOM! You will get a list of all the websites visited by the user.
NOTE: In the rule we have just used “http” because it is a substring of “https”, so you will get both the HTTP and HTTPS websites from yarascan.
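The hits that yarascan prints for -Y "http" are raw memory, so the visited URLs still have to be reassembled from the hex columns, and a URL often spans two hexdump rows. The post-processor below is an added example, not code from the original post: it assumes the Volatility 2 yarascan text layout (a "Rule:" line, an "Owner: ... Pid N" line, then hexdump rows) and works on a constructed sample with hypothetical addresses and hosts.

```python
import re
from collections import defaultdict

# Constructed sample in the Volatility 2 yarascan text layout (hypothetical
# addresses and hosts, not output from the disk image discussed in the post).
SAMPLE_OUTPUT = """\
Rule: r1
Owner: Process chrome.exe Pid 1912
0x0118a1c0  68 74 74 70 73 3a 2f 2f 77 77 77 2e 65 78 61 6d   https://www.exam
0x0118a1d0  70 6c 65 2e 63 6f 6d 2f 00 00 00 00 00 00 00 00   ple.com/........
Rule: r1
Owner: Process chrome.exe Pid 2003
0x02b34000  68 74 74 70 3a 2f 2f 65 78 61 6d 70 6c 65 2e 6f   http://example.o
0x02b34010  72 67 2f 6c 6f 67 69 6e 00 00 00 00 00 00 00 00   rg/login........
"""

OWNER_RE = re.compile(r"^Owner: .*\bPid (\d+)")
# A URL ends at the first NUL, whitespace, quote or angle bracket.
URL_RE = re.compile(rb"https?://[^\x00-\x20\"'<>]+")


def parse_hits(text):
    """Yield (pid, raw_bytes) per hit block; pid is None for non-process owners."""
    pid, buf = None, bytearray()
    for line in text.splitlines():
        if line.startswith("Rule:"):
            if buf:
                yield pid, bytes(buf)
            pid, buf = None, bytearray()
        elif line.startswith("Owner:"):
            m = OWNER_RE.match(line)
            pid = int(m.group(1)) if m else None
        elif line.startswith("0x"):
            # Volatility 2 prints "{addr:#010x}  {hex:<48}  {ascii}", so the hex
            # column is always chars 12..59; slicing avoids mis-parsing ASCII text.
            buf += bytes.fromhex(line[12:60])
    if buf:
        yield pid, bytes(buf)


def urls_by_pid(text):
    """Map each PID to the sorted, deduplicated URLs reassembled from its hits."""
    found = defaultdict(set)
    for pid, data in parse_hits(text):
        for m in URL_RE.finditer(data):
            found[pid].add(m.group(0).decode("latin-1"))
    return {pid: sorted(urls) for pid, urls in found.items()}


if __name__ == "__main__":
    for pid, urls in sorted(urls_by_pid(SAMPLE_OUTPUT).items()):
        print(pid, urls)
```

Feed it the saved plugin output (volatility ... yarascan ... > hits.txt) and the per-process URL list replaces scrolling through hexdumps by hand.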
What if we want to find a Word document that contains some known virus signatures? Again, YARA rules to the rescue!!
volatility -f <disk image> --profile=<suggested profile for disk image> yarascan -Y ".doc" --yara-file=virussignatures.yar
In this scenario, the -Y flag along with the rule .doc will find all the Word documents present in the disk image! Now you may have a question cooking in your mind: why are we using another flag, --yara-file? As we know that the Word document contains some known virus signatures, we can compile all the known virus signatures into a .yar file, which will make the process easier, as it will filter out the Word documents that don’t have any virus in them!!
As I promised you, here is the link for the writeup of the CTF challenge which I solved using yarascan.
I hope that I was able to give you a basic idea of yarascan. See you in the next article!! Until then, be safe from viruses, both COVID-19 and computer viruses :)
This article is written by Smit Sawant and peer reviewed by Saket Upadhyay. To check the profile of every writer of FrigidSec-Blog, please visit HERE.