
Malware Analysis using YARA
This scenario serves as a guide on how to create YARA signatures for malware detection. YARA is a tool designed to help malware researchers identify and classify malware samples. It has been called the pattern-matching Swiss Army knife for security researchers (and everyone else). It is multi-platform and can be used either from its command-line interface or from your own Python scripts.

The tool allows you to conduct signature-based detection of malware, something similar to what antivirus solutions can do for you.

Disclaimer! This scenario is based on content from REal0day and Koen Van Impe.

Based on the original content, we have improved on it as follows:

  1. Provided a virtual environment with an assessment to help you practice.
  2. Updated the content to match the current context.

What you will learn

  1. Rule Identifiers
  2. Yara Keywords
  3. Strings
    a. Hexadecimal
    b. Text Strings
    c. String Modifiers
    d. Regular Expression
    e. Sets of strings
    f. Anonymous strings
  4. Conditions
    a. Boolean
    b. Counting string instances
    c. String offsets or virtual addresses
    d. Match Length
    e. File size
    f. Executable entry_point
    g. Accessing data at a given position
    h. Applying one condition across many strings
    i. Iterating over string occurrences
  5. Referencing other rules
  6. Yara Essentials
    a. Global Rules
    b. Private Rules
    c. Rule tags
    d. Metadata
    e. Using Modules
    f. Undefined values
    g. External/Argument Values
    h. Including Files
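
The rule below is an added example written for this page, not part of the original scenario or its source material, and it ties together most of the constructs in the outline above: hex strings with wildcards, text strings with modifiers, a regular expression, string sets, counting, offsets, match length, file size, the PE entry point via the pe module, a private rule referenced from another rule, tags, and metadata. The rule name, the marker text, the byte pattern and the file-name pattern are constructed for illustration and match nothing real; the Windows API names are ordinary imports chosen only to show a string set.

```yara
// Added example rule (not from the original scenario). All strings and the
// rule name are constructed for illustration.

import "pe"

// Private rule: evaluated but never reported on its own. Other rules in the
// same file can reference it by name. Here it checks for the MZ header.
private rule IsPE
{
    condition:
        uint16(0) == 0x5A4D            // accessing data at a given position
}

// Tags ("demo", "loader") follow the colon and can be used to filter output.
rule Scenario_Example_Loader : demo loader
{
    meta:
        description = "Constructed demonstration rule covering the outline's constructs"
        author      = "editor example (hypothetical)"

    strings:
        $hex_stub = { 55 8B EC 83 EC ?? 53 56 57 }            // hex string, one wildcard byte
        $marker   = "CONSTRUCTED_MARKER_STRING" ascii wide     // text string, ASCII and UTF-16
        $cfg      = /cfg[0-9]{2,4}\.dat/ nocase                // regex with a modifier
        $api1     = "VirtualAlloc"
        $api2     = "WriteProcessMemory"
        $api3     = "CreateRemoteThread"

    condition:
        IsPE                                        // referencing another rule
        and filesize < 2MB                          // file size
        and #marker >= 2                            // counting string instances
        and @marker[1] < 0x1000                     // offset of the first occurrence
        and 2 of ($api*)                            // set of strings selected by wildcard
        and $hex_stub at pe.entry_point             // string at the executable entry point
        and for any i in (1..#cfg) : ( !cfg[i] >= 9 )   // iterate occurrences, check match length
}
```

Save it as a `.yar` file and run `yara -s -r rules.yar <directory>` to scan recursively and print the matched strings and their offsets, which is the quickest way to see why a rule fired (or did not). From Python, `yara.compile(filepath="rules.yar").match("sample.bin")` returns the matching rules. The `for any i in (1..#cfg)` loop evaluates to false when `$cfg` has no occurrences, so it doubles as a requirement that the configuration file name appears at all.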

Technical Details

There really aren't many skills required for this. The deeper your understanding of malware analysis and reverse engineering, the more capable you'll be at finding unique ways to catch malware, but a lack of that depth won't stop you from writing excellent YARA rules. Most of the rules I've seen are pretty basic; most look like a Python script that took five minutes to write. The skill and detail come in the analysis, not in the YARA rule itself.

  • GNU/Linux
  • Familiar with C syntax (not required, but useful)
  • Regex (not required, but useful)