
YARA - TryHackMe Write-up


Info

  • Name: Yara
  • Description: Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting!
  • Difficulty: Easy
  • Room link: https://tryhackme.com/room/yara

Write-up

Task 2

Q: What is the name of the base-16 numbering system that Yara can detect?

A: Hex

Q: Would the text "Enter your Name" be a string in an application? (Yay/Nay)

A: Yay

Task 9

Q: Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

A: suspicious

Q: What Yara rule did it match on?

A: webshell_metaslsoft

Q: What does Loki classify this file as?

A: Web Shell

Q: Based on the output, what string within the Yara rule did it match on?

A: Str1

Q: What is the name and version of this hack tool?

A: b374k 2.2

Q: Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

A: 1

Q: Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

A: benign

Q: Inspect file 2. What is the name and version of this web shell?

A: b374k 3.2.3

Task 10

Q: From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

A: yara file2.yar file2/1ndex.php

Q: Did Yara rule flag file 2? (Yay/Nay)

A: Yay

Q: Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

A: Yay

Q: What is the name of the variable for the string that it matched on?

A: Zepto

Q: Inspect the Yara rule, how many strings were generated?

A: 20

Q: One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

A: 700KB

Task 11

Q: Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

A: Yay

Q: Do the same for file 2. What is the name of the first Yara rule to detect file 2?

A: Webshell_b374k_rule1

Q: Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

A: THOR APT Scanner

Q: Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

A: Nay

Q: Besides .PHP, what other extension is recorded for this file?

A: exe

Q: What JavaScript library is used by file 2?

A: Zepto

Q: Is this Yara rule in the default Yara file Loki uses to detect these types of hack tools? (Yay/Nay)

A: Nay