This is the write-up for the room Yara on Tryhackme, which is part of the Tryhackme Cyber Defense Path
Connect with the VPN or use the AttackBox on the Tryhackme site to reach the Tryhackme lab environment
Tasks Yara on Tryhackme
Task 1
Read all that is in the task and press complete
Task 2
2.1 What is the name of the base-16 numbering system that Yara can detect?
Answer: HEX
2.2 Would the text “Enter your Name” be a string in an application? (Yay/Nay)
Answer: Yay
Task 3
Install Yara on your device by typing in
sudo apt install yara
Press complete when the installation is finished
Task 4
Start the machine attached to this task
Connect to the machine using SSH
ssh cmnatic@MACHINE_IP -p 22
Task 5
Read and follow along with the task. Press complete when done
Task 6
Read all that is in the task and take a look at the Yara cheat sheet in "Security Infographics" by Thomas Roccia (BlackFr0g) on Medium
Press complete when done
Task 7
Read all that is in the task and press complete
Task 8
Read all that is in the task and press complete
Task 9
We are still connected with ssh to the machine. Use the following command
cd ~/tools/Loki
9.1 Scan file 1. Does Loki detect this file as suspicious/malicious or benign?
Type in the following command to start the scan
python loki.py -p ~/suspicious-files/file1/
Answer: suspicious
9.2 What Yara rule did it match on?
Answer: webshell_metaslsoft
9.3 What does Loki classify this file as?
Answer: Web shell
9.4 Based on the output, what string within the Yara rule did it match on?
Answer: Str1
9.5 What is the name and version of this hack tool?
Answer: b374k 2.2
9.6 Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
Answer: 1
9.7 Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
While still in the Loki directory, type in the following
sudo python loki.py -p ~/suspicious-files/file2/
Answer: benign
9.8 Inspect file 2. What is the name and version of this web shell?
The file is located in ~/suspicious-files/file2
It is too big to cat the whole file, so type in the following
head -n 20 1ndex.php
This prints the first 20 lines of the file, which contain the name and version
Answer: b374k 3.2.3
Task 10
Navigate to the yarGen directory
cd ~/tools/yarGen
Type in the following to generate the .yar rule file for file 2
python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yar
10.1 From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?
Answer: yara file2.yar file2/1ndex.php
10.2 Did Yara rule flag file 2? (Yay/Nay)
Answer: Yay
10.3 Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
Answer: Yay
10.4 Copy the Yara rule you created into the Loki signatures directory.
From ~/suspicious-files, type in the following command
cp file2.yar ~/tools/Loki/signature-base/yara
10.5 Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
The trick here is to point Loki at the directory, not at the file
Run the command
sudo python ~/tools/Loki/loki.py -p ~/suspicious-files/file2
Answer: Yay
10.6 What is the name of the variable for the string that it matched on?
Looking at the matched string in the Loki output
Answer: Zepto
10.7 Inspect the Yara rule, how many strings were generated?
Type in the command
cat ~/suspicious-files/file2.yar
Counting the entries in the strings section of the rule, we see 20 strings
Answer: 20
10.8 One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?
Looking at the filesize check in the condition section of the rule
Answer: 700kb
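Task 2 asks about the hex strings Yara can detect, and Task 10 asks you to count the strings yarGen generated and read the filesize limit out of the condition. The following is an added example, not code from the room or from the yarGen/Loki projects: a small Python script that parses a constructed yarGen-style rule, counts its text and hex strings, extracts the "filesize <" limit, and evaluates the rule against a constructed sample file the way Yara would (the sample rule, its strings and the sample file are all assumptions made up for this write-up; it ignores modifiers such as fullword and nocase and hex jumps like [4-6], which real Yara supports).

```python
import re

# Constructed example rule in the layout yarGen emits. It is NOT the room's
# file2.yar; the strings and the 700KB limit are assumptions for this demo.
SAMPLE_RULE = r'''
rule webshell_example {
   meta:
      description = "constructed example rule for this write-up"
   strings:
      $s1 = "zepto" fullword ascii
      $s2 = "eval(base64_decode(" ascii
      $s3 = "<?php" ascii
      $h1 = { 3C 3F 70 68 70 ?? 0A }
   condition:
      filesize < 700KB and 2 of them
}
'''

# Constructed sample file content (assumed, not the room's 1ndex.php).
SAMPLE_FILE = b"<?php \n// constructed sample that loads zepto.js\necho 'hello';\n"

UNITS = {"": 1, "KB": 1024, "MB": 1024 * 1024}


def parse_strings(rule_text):
    """Return {identifier: (kind, pattern)} for the strings: section.
    Text strings become bytes; hex strings become a list of byte tokens."""
    section = re.search(r"strings:(.*?)condition:", rule_text, re.S).group(1)
    out = {}
    for m in re.finditer(r'\$(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([^}]*)\})', section):
        name, text, hexbody = m.groups()
        if text is not None:
            # Resolve escape sequences such as \n or \x41 inside the quotes.
            out[name] = ("text", text.encode("utf-8").decode("unicode_escape").encode("latin-1"))
        else:
            out[name] = ("hex", hexbody.split())
    return out


def hex_to_regex(tokens):
    """Turn Yara hex tokens (two hex digits, or ?? as a wildcard byte) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in tokens]
    return re.compile(b"".join(parts), re.S)


def filesize_limit(rule_text):
    """Return the upper bound in bytes from a 'filesize < N[KB|MB]' clause, or None."""
    m = re.search(r"filesize\s*<\s*(\d+)\s*(KB|MB)?", rule_text)
    if not m:
        return None
    return int(m.group(1)) * UNITS[m.group(2) or ""]


def required_matches(rule_text, total):
    """Read an 'N of them' / 'any of them' / 'all of them' clause (default: all)."""
    m = re.search(r"\b(\d+|all|any)\s+of\s+them\b", rule_text)
    if not m or m.group(1) == "all":
        return total
    return 1 if m.group(1) == "any" else int(m.group(1))


def scan(rule_text, data):
    """Evaluate the rule against data: which strings hit, whether the size check
    passes, and whether the whole condition matches."""
    strings = parse_strings(rule_text)
    hits = []
    for name, (kind, pat) in strings.items():
        found = pat in data if kind == "text" else hex_to_regex(pat).search(data) is not None
        if found:
            hits.append(name)
    limit = filesize_limit(rule_text)
    size_ok = limit is None or len(data) < limit
    need = required_matches(rule_text, len(strings))
    return {"matched": size_ok and len(hits) >= need, "hits": hits, "size_ok": size_ok}


if __name__ == "__main__":
    print("strings in rule:", len(parse_strings(SAMPLE_RULE)))
    print("filesize limit (bytes):", filesize_limit(SAMPLE_RULE))
    print("sample file:", scan(SAMPLE_RULE, SAMPLE_FILE))
    # A file padded past 700KB fails the size check even though the strings hit.
    print("oversized file:", scan(SAMPLE_RULE, SAMPLE_FILE + b"\x00" * (700 * 1024)))
```

The filesize clause is worth noticing when you tune a generated rule: yarGen puts it in so the rule does not fire on large legitimate files that happen to contain a few of the same strings, but it also means a padded copy of the same web shell slips past the rule, which is exactly why Loki combines Yara matches with hash and other checks.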
Task 11
Navigate to Valhalla YARA Rules – Valhalla (nextron-systems.com)
For this task we need to copy the files to our own machine over ssh. The general form of the command is
scp username@hostname:/path/to/remote/file /path/to/local/file
scp -r cmnatic@10.10.91.178:~/suspicious-files/file1/ ~/Downloads
scp -r cmnatic@10.10.91.178:~/suspicious-files/file2/ ~/Downloads
11.1 Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)
The SHA256 hash of the file is shown in the Loki output
python ~/tools/Loki/loki.py -p ~/suspicious-files/file1
Copy this hash into the Query in Valhalla YARA Rules – Valhalla (nextron-systems.com)
Answer: Yay
11.2 Do the same for file 2. What is the name of the first Yara rule to detect file 2?
Get the hash from the Loki output
python ~/tools/Loki/loki.py -p ~/suspicious-files/file2
Copy this hash into the Query in Valhalla YARA Rules – Valhalla (nextron-systems.com)
Answer: Webshell_b374k_rule1
11.3 Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?
Go to Virus Total, paste the hash into the search box, press Enter and navigate to the Community tab
Answer: THOR APT Scanner
11.4 Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)
Answer: Nay
11.5 Besides .PHP, what other extension is recorded for this file?
Found on the Details tab under Names
Answer: exe
11.6 Back to Valhalla, inspect the Info for this rule. Under Statistics what was the highest rule match per month in the last 2 years? (YYYY/M)
Answer: 2021/3
11.7 What JavaScript library is used by file 2?
Go to the GitHub repository and look at the code of index.php
Answer: zepto
11.8 Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)
Answer: Nay
And this concludes Yara on Tryhackme