LetsDefend — YARA Rule Challenge Walkthrough

An introduction to YARA rules using Notepad++, IDA, and Hybrid Analysis

Drew Arpino
8 min read · Jan 20, 2025
Image Credit: https://app.letsdefend.io/

Introduction:

Welcome to my weekly walkthrough! If you’ve stumbled across this blog searching for a detailed guide of the YARA Rule challenge from LetsDefend, you’re in the right place.

For those unfamiliar with YARA rules, this challenge provides an excellent introduction. Before diving in, let’s quickly cover what YARA is based on the information from the project’s GitHub.

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.

Put another way, YARA rules are written to identify malware based on matching specific content within a sample. For this challenge, we’ll examine a YARA rule in Notepad++ to understand the parts of a rule. Then, we’ll apply the rule’s logic to search for matching strings within a malware binary using IDA. Finally, we’ll pivot to Hybrid Analysis to search the submissions data with the rule and identify matching samples. Sounds like fun, right? Let’s get into it!

And if you find this walkthrough helpful — whether it levels-up your skills, gets you over a stumbling block, or serves as a handy reference — please give it a clap and consider following me for more content like this.

Thanks for reading and going on this investigation with me!

Challenge Link: https://app.letsdefend.io/challenge/yara-rule

Challenge Scenario:

Welcome to the YARA Rules Challenge! This exercise is designed to introduce you to the basics of YARA rules and how they work.

File Location-1: C:\Users\LetsDefend\Desktop\ChallengeFiles\sample.7z

File Location-2: C:\Users\LetsDefend\Desktop\ChallengeFiles\sample.yara

Question 1: What is the name of this YARA rule?

Let’s jump right into the action! The ChallengeFiles folder contains two files: sample.yara and sample.7z.

We’ll use both files during the challenge but let’s focus first on examining sample.yara. Remember, YARA Rules are written to identify malware based on matching content within the sample. So, let’s open sample.yara using a text editor like Notepad++ and see what’s inside.

To answer Question 1 we’ll start out easy, looking for the rule identifier. According to the YARA documentation, “each rule in YARA starts with the keyword rule followed by a rule identifier”.

Question 2: What is the name of the author of this YARA rule?

To answer Question 2, refer to the meta section of the rule, which contains details about the rule itself such as the author, description, and purpose of the rule.

Question 3: What is the extension of the encrypted file?

For Question 3, we need to identify the extension added by the GwisinLocker ransomware that the YARA rule is targeting. We can find this information in the strings section of the rule, specifically in the $ext variable.

According to the YARA documentation,

“The strings definition section is where the strings that will be part of the rule are defined. Each string has an identifier consisting of a $ character followed by a sequence of alphanumeric characters and underscores, these identifiers can be used in the condition section to refer to the corresponding string. Strings can be defined in text or hexadecimal form…”

Question 4: What is the assembly instruction that stores the $hex opcode in the YARA rule?

Now that we’ve gotten some understanding of the YARA rule, it’s time to pivot to the second file within the ChallengeFiles folder, sample.7z.

Extract the sample from the archive using the password from the challenge description which leaves us with a binary to analyze.

We’re going to perform some static analysis to locate information in the binary targeted by the YARA rule, specifically the opcode stored within the $hex variable of the strings section. Copy the hex string, we’ll need it for the next steps.

To perform the analysis on the binary, we’re going to use IDA, a powerful disassembler that will let us peek into the code. Don’t worry, you don’t need to be a coding expert (I’m definitely not!) to make use of the tool.

IDA is already installed and available for use from the Tools folder of the LetsDefend analysis environment. Go ahead and launch it. Once it opens, drag the extracted sample into the window to load it using the default options.

The first thing we’ll do to find the answer is leverage IDA’s search function to look for the matching sequence of bytes. In the Binary search window, paste the string we copied from the YARA rule into the search box, select find all occurrences, and press OK.

Bingo! We found the information we’re looking for. The instruction stores the opcode in the rax register.

Question 5: What is the address that we can find with $hex opcode with the IDA tool?

Our previous search also located the information needed for Question 5 under the Address column, so we’re already halfway to the answer!

Pay attention to the requested answer format: 0x0000 — that doesn’t look exactly like what we see in IDA, does it?

No problem! The question is looking for the hexadecimal notation, so we just need to perform a simple conversion. Strip off the leading zeroes used for padding (it doesn’t change the value) and then add the “0x” prefix to indicate that the number is in hex format. For example, 0000000000003B51 becomes 0x3B51.

Question 6: What is the name of the function that has $cde2?

Now that we have learned how to use the search function in IDA, answering Question 6 is much more familiar. We’ll repeat the binary search process like we did in Question 4, but this time we’ll search for the string stored in the $cde2 variable of the YARA rule.

This search will lead us to the function start_routine in the results.

Question 7: What is the file signature in the YARA rule?

To answer Question 7, let’s jump back over to the YARA rule and focus on the condition section at the bottom to determine the file signature. In a YARA rule, this section is where the logic of the rule is defined.

What we’re looking for is the uint32(0) expression. It reads the first four bytes of the file as a little-endian unsigned 32-bit integer, and the value it is compared against is the file signature (the “magic” bytes) of the binary. This condition restricts the rule to a specific file type, so it is cheap to evaluate and avoids matching unrelated files that happen to contain one of the strings.
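To make the two checks concrete (the byte search and address format from Questions 4 and 5, and the uint32(0) signature test from Question 7), here is an added Python example; it is not part of the challenge files or the original post. The sample bytes, the ELF magic used as the signature, the `{ 48 B8 ?? ... }` pattern and the 0x3B51 offset are all constructed for illustration and are not the real rule’s values; the pattern matcher also handles YARA’s `??` wildcard bytes, which goes beyond the fixed hex string in the challenge rule.

```python
import re
import struct

# Constructed stand-in for the extracted binary (not the challenge's real sample).
# Assumed for illustration: an ELF magic at offset 0 and a mov rax, imm64
# encoding (48 B8 ...) placed at offset 0x3B51, the page's example address.
ELF_MAGIC = 0x464C457F  # b"\x7fELF" read as a little-endian uint32


def build_sample() -> bytes:
    body = bytearray(b"\x7fELF") + b"\x00" * (0x3B51 - 4)
    body += bytes.fromhex("48B8DEADBEEF00000000")  # constructed instruction bytes
    return bytes(body + b"\x00" * 64)


def uint32_at(data: bytes, offset: int) -> int:
    """Mirror YARA's uint32(offset): unsigned 32-bit little-endian read."""
    return struct.unpack_from("<I", data, offset)[0]


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA hex string like '{ 48 B8 ?? ?? }' into a bytes regex.
    '??' is a one-byte wildcard; every other token is a literal byte."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def find_hex(data: bytes, pattern: str) -> list:
    """Every offset where the pattern occurs, like IDA's 'find all occurrences'."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


def fmt_addr(offset: int) -> str:
    """Render an offset the way the challenge wants it: 0000000000003B51 -> 0x3B51."""
    return f"0x{offset:X}"


def evaluate(data: bytes, hex_pattern: str, magic: int) -> dict:
    """Apply a condition shaped like 'uint32(0) == magic and $hex'."""
    signature_ok = uint32_at(data, 0) == magic
    hits = find_hex(data, hex_pattern)
    return {
        "signature_ok": signature_ok,
        "hex_offsets": [fmt_addr(o) for o in hits],
        "match": signature_ok and bool(hits),
    }


if __name__ == "__main__":
    print(evaluate(build_sample(), "{ 48 B8 ?? ?? ?? ?? 00 00 00 00 }", ELF_MAGIC))
```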

Question 8: Hunt on a hybrid-analysis site with Yara rules. What is the “threat level” of the sample timestamped September 1, 2022, 16:11:41 (UTC)?

Okay, we’ve made it to the last question! For our final task, let’s gather some threat intelligence about the malware. While we could copy the hash1 value from the meta section of the rule, let’s try something a bit different.

Navigate to the Hybrid Analysis website, click the Yara Search tab, then press Advanced Search.

Next, copy the rule from the LetsDefend analysis environment, and paste it into the Advanced Search (YARA) window.

Now for the cool part! Hybrid Analysis will hunt their submissions database and present samples matching the YARA rule! This is a handy and flexible method for applying YARA rules to hunt public submissions on Hybrid Analysis. Once we retrieve the results, we need to match the date/time stamp requested in the question.

https://www.hybrid-analysis.com/yara-search/results/5d48cfcb207cbe9e9cfeefebc3284c5e05d6dbc433455bc2540e68b3c937b9bc

Hybrid Analysis has assessed the threat of this binary as malicious. Awesome job navigating this challenge! Let’s wrap this up.

Conclusion:

There we have it! That was an excellent introduction to YARA Rules. During this challenge, we manually analyzed a rule to understand who wrote it and what strings it searches for. Then, we dove into IDA to analyze the malware binary and confirm a match manually. Finally, we leveraged the rule on Hybrid Analysis to hunt for matching samples. With our objectives complete, let’s close out this walkthrough of the YARA Rule challenge!

Another big thank you to LetsDefend for continuing to provide these engaging labs. I chose this challenge because, while I’ve been vaguely aware of YARA rules, I’ve never had the occasion to use them in my day job. This was a great opportunity to learn more and start turning the gears on how these powerful rules can quickly identify threats — mission accomplished! I was pleasantly surprised that there was a reverse engineering component to this lab, as I hadn’t had a chance to try IDA before — very cool! My favorite part was hunting on Hybrid Analysis with the YARA rule. I’ve visited that site countless times but never knew that feature existed. It just goes to show that in this field, you will learn a dozen new things a day.

Thanks for the support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!

Until next week’s challenge — stay curious and be safe out there!
