Introduction to YARA rules

1. Introduction to
YARA Rules
By: Akshay Jain
Twitter: Akshayjain890

2. YARA Rules in a Nutshell
Yara is an open source tool utilised by malware researcher to identify
malware and to setup patterns that identify families of malware based on
rules.
It supports multiple platforms , running on Linux, Windows and Mac OS, it
can be used through command line or python scripts.
These rules consist of a set of strings and expression which identifies the
pattern, YARA rules can be used to perform signature based- detection of
malwares.
YARA rules are easy to write and understand, they have similar structure
that looks like c language and it has predefined words in creating YARA
rules

3. YARA keywords
YARA rules start with the word rule and follows by an identifier name, the
following keywords cant be used as an identifier as they have special
meaning in YARA rules

4. Strings
YARA Rules are commonly made out of two things: String
definition and condition.
String definition: The strings section is where you declare a variable
and set the rules. Each variable is indicated using the $ sign
followed by the variable name consist of alphanumeric characters
and underscores and it is case sensitive.
String in YARA can be classified in to three types and they are
• Hexadecimal Strings.
• Text strings
• Regular expressions

5. Hexadecimal Strings
Rules can be set in form of Hexadecimal strings which will match
hexadecimal characters in the sample file. Some of the methods used are as
follow:
• Wildcard: This is represented by a ‘?’ and it indicates that some bytes in the
strings is unknown and should match anything
$hex_example={ B1 B2 ?? B4}
Result: {B1 B2 B3 B4}
• Jumps: In circumstance when we know the values of pattern but their
length varies then we can use jump example:
$jump_example={ 81 12 [2-4] 24 } this indicates that any arbitrary sequence
from 2 bytes to 3 bytes can occupy the sequence
Result: { 81 12 3 24 }

6. • Infinite: YARA is capable to detect infinite hex value in a strings
Infinte_example={ FE 18 [2-] 89 45 }
{ FE 18 [ - ] 89 45 }
Result: { FE 18 66 89 45 }
• Conditional:You can create 1 to as many statements to provide
different alternative for the hex fragment.
Conditional_example={ F4 23 ( 62 B4 | 56 ) 45 }
Result: { F4 23 62 B4 45 }
{ F4 23 62 56 45 }

7. Lets add up every thing
Rule rabbithole
{
Strings:
$rule1= { F4 23 [-] (62 45 | 56) [20-40] }
CONDITION:
$rule1
}

8. Text Strings
Text strings: Text strings are in form of ASCII text which is then
matched up with the condition set. This section also contain further
types
• Case Sensitive Strings
Example= $case_example= “test”
• Case Insensitive String
Example=$nocase_example= “test” nocase
• Wide character string:
Example=$wide_example=“test” wide
The wide modifiers can be used to search for strings encoded with
2 bytes per char

9. • Fullword: This modifier guarantees that the string will match only
if it appears in the file delimited by non-alphanumeric characters.
Example: $shadow1= “zebra.com” fullword

10. Condition and Meta
Condition: The condition section is used to express what you want your
rule to detect. This is done by writing an expressing using logical
operator, the condition must include all the strings.
It contains a Boolean expression that determine the result. It contains all
the usual logical and relational operator. You can also include another
rule as part of your condition
Meta: Metadata can be added to help identify the files that were picked
up by a certain rule. The metadata identifier are always followed by an
equal sign and the set value. The assigned values can be strings integer
or a Boolean value.

11. Counting strings
Counting strings: YARA rules can allow us to count how many times a string
have occurred in the file or process memory. The number of
occurrences of each string is represented by a variable whose
name is same as the string identifier with a ‘#’ instead of $
character.
• rule Count_Example
{
strings:
$a = “remote" $b = “string2"
condition:
#a == 6 and #b > 10
}

12. Virtual address
String identifier is used to check if the given rule is associated to
any string in the file or sample, we can also detect the string is
present at certain address with in the address space. The at operator
is used to check if the string is at some specific offset.
• Example: rule Count_Example
{
strings:
$a = “string1"
$b = “string2"
condition:
#a at 50 and #b at 10
}

13. Set of strings and file size
We can check certain number of strings from rule are present from a given list we can
use of operator.
Filesize: The filesize is used to check the file size of a given file or sample.
• Example
Rule HTB
{
strings:
$m1 = “nest”
$m2 = “sniper"
$m3 = “Book“
condition: 2 of ($m1,$m2,$m3) and filesize < 10000KB
}

14. Demo

15. Reference:
• https://0x00sec.org/t/tutorial-creating-yara-signatures-for-malware-
detection/5453
• https://github.com/Neo23x0/signaturease/blob/master/yara/crime_wannacry.yar
• https://www.vmray.com/analyses/wannacry-ransomware/report/yara.html
• https://blog.claroty.com/leveraging-yara-rules-for-early-malware-detection

17. Contact:
LinkedIn: https://www.linkedin.com/in/akshay-
jain-533a79111/
EMail: jraiv02@gmail.com