Lahore Garrison University
Malware Detection and Analysis
LAB ASSIGNMENT
LAB 7: YARA RULES
Submitted to: Mam Shaheera
Submitted by: Muhammad Usman Ali, FA-19/BS DFCS/043

Task 1. BASIC RULES (LAB_01)

Step 1: Start the lab; the following desktop will open up.

Step 2: Navigate to C:\Users\PMAT\Desktop\PMAT-labs-main\labs\5-2.RuleWriting. Files similar to the following will be visible.

Step 3: Right-click on Malware.yara1.exe.malz.7z and click Extract Files. The following file will be extracted:

Step 4: We will be using the IOCs we collected in Lab_01 to find all five of the samples that were examined. Let us start by writing a rule for Malware.yara1.exe.malz with the following details:
• Import the hash library to check for hashes
• Write the general rule syntax: rule name, meta, strings, and condition sections
• Add the metadata wanted (optional): rule description, author, and date
• Strings to search for: the MZ magic number
• Condition: the string must be at offset 0, and the file is identified by its MD5 hash

Step 5: Now we can move on and run YARA to check that our rule works correctly without any compilation errors. This can be done as shown in the figure below.

Task 2. RULES AND PE IMPORTS (LAB_02)

Step 6: We will use the same approach of defining what we need and then moving on to the rule itself. Let us start by defining our rule requirements:
• Start with all details of Malware.yara1.exe.malz
• Import the PE module to do PE checks
• Define all the strings that need to be searched for
• Add the appropriate conditions to check for these strings
• Add the appropriate conditions to check for imported libraries with specific functions being referenced

Step 7: Now we can move on and run YARA to check that our rule works correctly without any compilation errors. This can be done as shown in the figure below.

Task 3. ADVANCED PE RULES (LAB_03)

Step 8: Same approach as before: define our needs and then move on to the rule itself.
In Lab 3 we had only one sample, Lab3_1.exe, which was packed; after unpacking it we had a second sample (also found in the directory for this lab). Therefore we need to write one rule for the packed version and another rule for the unpacked version. Let us start with a rule for the packed version. Begin by defining our rule requirements:
• Start with all details of Lab3_1.exe (the packed sample)
• Import the PE module to do PE checks
• Import the Math module to check the file's entropy
• This rule will focus on PE details; there will be no strings
• Add the appropriate conditions to check for:
  a. Referenced functions from specific libraries
  b. Number of sections
  c. Sections with a raw size of zero

Step 9: Now we can move on and run YARA to check that our rule works correctly without any compilation errors. This can be done as shown in the figure below.
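The three rules described in Task 1, Task 2 and Task 3, written out as one rule file. This is an added example, not the rule file from the original report or from the PMAT lab material. The MD5 digest, the IOC strings, the imported functions, the section count and the entropy threshold are placeholders and assumptions, since the report does not list them; replace them with the values collected in Lab_01 and Lab_03.

```yara
import "hash"
import "pe"
import "math"

// Task 1: basic rule. The MD5 below is a placeholder (assumed); replace it
// with the digest collected for Malware.yara1.exe.malz in Lab_01.
rule Malware_yara1_basic
{
    meta:
        description = "Malware.yara1.exe.malz: MZ magic at offset 0 plus exact MD5 match"
        author = "Muhammad Usman Ali"
    strings:
        $mz = "MZ"
    condition:
        $mz at 0 and
        hash.md5(0, filesize) == "00000000000000000000000000000000"
}

// Task 2: IOC strings plus PE import checks. The strings and the imported
// functions are placeholders (assumed); use the IOCs from Lab_01.
rule Malware_yara1_pe_imports
{
    meta:
        description = "Malware.yara1.exe.malz: IOC strings and specific imports"
        author = "Muhammad Usman Ali"
    strings:
        $ioc1 = "placeholder-ioc-string-1" ascii wide
        $ioc2 = "placeholder-ioc-string-2" ascii wide
    condition:
        // MZ at 0 and "PE\0\0" at e_lfanew: a real PE, not just any file starting with MZ
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        all of ($ioc*) and
        pe.imports("kernel32.dll", "CreateProcessA") and
        pe.imports("wininet.dll", "InternetOpenA")
}

// Task 3: packed Lab3_1.exe, PE structure only, no strings. The imports, the
// section count and the entropy threshold are assumed values that fit a
// typical packer (a few imports used to rebuild the import table at run time,
// one section that is empty on disk and filled at run time, high entropy);
// adjust them to what Lab_03 showed for the packed file.
rule Lab3_1_packed
{
    meta:
        description = "Lab3_1.exe (packed): imports, section count, empty section, entropy"
        author = "Muhammad Usman Ali"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        pe.imports("kernel32.dll", "LoadLibraryA") and
        pe.imports("kernel32.dll", "GetProcAddress") and
        pe.number_of_sections == 3 and
        // at least one section occupies memory but has a raw size of zero on disk
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].raw_data_size == 0 and pe.sections[i].virtual_size > 0
        ) and
        // packed code is close to random; 8.0 is the maximum entropy for bytes
        math.entropy(0, filesize) >= 7.0
}
```

Run the file against the extracted sample with `yara -s rules.yar Malware.yara1.exe.malz` (`-s` prints the matching strings and their offsets); a syntax error is reported as a compile error before any file is scanned, and scanning the whole lab directory with `-r` confirms that each rule hits only the sample it was written for. YARA warns that the two-byte `$mz` string slows scanning; the `uint16(0) == 0x5A4D` check used in the second and third rules expresses the same MZ test without a string and without the warning.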