# Yara

YARA is a powerful Swiss Army knife of pattern matching.

<https://virustotal.github.io/yara/>

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Yara Documentation: <https://yara.readthedocs.io/en/stable/>

This tool matches patterns against files and can recurse through a whole directory tree.

I will walk through how to solve each of the levels below using this one tool!

Download the 4.0.2 version:

<https://github.com/virustotal/yara/releases/tag/v4.0.2>

On my instance I also needed vc\_redist.x64.exe (the Visual C++ runtime) installed.

### How to run a YARA rule

```
yara [OPTIONS] RULES_FILE TARGET
```

- Call the executable, `.\yara64.exe` or `.\yara32.exe`.
- Add the options you want:
  - `-r` (`--recursive`): recurse into subdirectories
  - `-s` (`--print-strings`): print the strings that matched
  - `-c` (`--count`): print only the number of matches
  - `-i <identifier>` (`--identifier=<identifier>`): print only the rule named `<identifier>`
- The `.yar` file containing the rules to search with.
- The folder or file to start the search at.

## Level 1

### Scenario

Santa had a backlog of toys that needed to be made, so he had to put his crew of elves to work. He assigned each elf randomly three items to make and handed them a piece of paper, but he forgot to write down the totals for toys that he assigned them. You have been tasked with creating an inventory.

#### Question 1

Can you tell Santa how many Dominoes that were made?

Here is the .yar file to find the dominoes

**YARA Rule**

```
rule Dominoes
{
    strings:
        $dominoes = "Dominoes" nocase wide
    condition:
        any of them
}
```

&#x20;

This rule matches any file that contains “Dominoes”:

`nocase` makes the match case-insensitive.

`wide` searches for the string encoded with two bytes per character (UTF-16LE), which is typical in many executable binaries and is also how these CTF files are stored (the `\x00` between every character in the `-s` output further down is that second byte). A `wide` string does not match the plain one-byte form; use `nocase ascii wide` when you want either encoding.

Calling this file to run:

```
.\yara64.exe -r .\q1.yar .\
```

Output:

![](/files/uqaewr8uRpF7zbiTY0pf)

The great thing about YARA is that for every match it prints the rule name and the path of the file it was found in!

![](/files/Jm1HgdOkXSElEhNdZROR)

#### Question 2

Santa needs a total count of Sound toys that were made. How many Sound toys got made?

You can also search with hex!

Here is a rule file using hex to find all the Sound toys:

**YARA Rule**

```
rule sound
{
    strings:
        $sound = { 53 00 6f 00 75 00 6e 00 64 }
    condition:
        any of them
}
```

This is the hex for "Sound"; the 00 byte between the characters is the same two-bytes-per-character encoding that the `wide` modifier handles above (I am still unsure as to why these require this, but it returns what we want). Note that hex strings are matched byte-for-byte, so unlike the `nocase` rule above this one is case-sensitive.

Calling the rule to scan the items:

```
.\yara64.exe -r .\q2.yar .\
```

![](/files/i0wWKwEq0R9lT2nY8xEj)

To count the matching files, pipe the output to `Measure-Object` (`measure`), which counts output lines, one per matching file:

```
.\yara64.exe -r .\q2.yar .\ | measure
```

![](/files/3Qc102wzcMMlsIhK937j)

![](/files/s11XBZtYb3EjI7LXYLZt)

#### Question 3

One of Santa's favorite toys is a toy train, how many Toy Trains were made?

You can also define several strings in one rule and use the condition to require that some or all of them match.

Here is a rule that requires both of its strings to match:

**YARA Rule**

```
rule train
{
    strings:
        $train1 = "toy" nocase wide
        $train2 = "train" nocase wide
    condition:
        2 of ($train*)
}
```

This looks for the strings "toy" and "train"; the condition requires both strings to match for the rule to be true.

![](/files/Akj6ATOZF1jHvaHFwz5C)

You can add the -s option to show the strings that were matched:

![](/files/28AQIEnTSTcu2BfTy8dO)

Here we see `\x00` between all the characters; yara prints non-printable bytes as `\xNN` escapes, so you can strip that literal text in the pipeline if you want to hide it:

```
.\yara64.exe -rs .\q3.yar .\ | %{$_ -replace "\\x00",""}
```

![](/files/8hz5y0fNuuXNhklgtKoL)

![](/files/IoPIomXTi2T9vI6lcyJU)

We can see that "toy" is matched twice in this file but "train" only once; since both strings matched, the condition is true.

## Level 2

### Scenario

Santa outsourced this list-making ability to head elf Peppermint Candy, but her ability to spell seems off. Can you help Santa make use of her notes to the elves?

This time around the files seem to have lots of extra characters we will have to hunt through.

![](/files/XeoGGp6IfyGSZG8b8ibn)

Do you see a pattern?

The vowels have been padded with extra characters: one to three of the substitute characters below are inserted before and/or after each vowel.

- A: `@`
- E: `!`
- I: `1`
- O: `()`
- U: `n`

#### Question 4

Santa was hoping for lots of small toys to cut out-of-control costs. How many Shopkins were made?

We need rules that find the strings with any of the variations. For Shopkins, for example, the rule must match sh()()()o()()()pk111i111ns, so the following rule uses a regular expression. Two quantifiers do the work:

- `*` matches 0 or more instances of the preceding character
- `+` matches 1 or more instances
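The three Level 2 rules on this page are hand-written for one toy each. As an added example that is not part of the original write-up, the Python below generates the same kind of regex for any toy name from the substitution list above, renders it as a YARA rule with the page's `nocase wide` modifiers, and checks the pattern against a few constructed notes using Python's `re` (the constructs used, character classes and `*`, behave the same in YARA's regex engine). It generalizes slightly: a character class such as `[()]*` accepts any run of the two substitute characters, where the hand-written Q4 rule spells out `\(*\)*` three times. The function and constant names are my own, and the sample notes are invented.

```python
import re

# Vowel substitution table from the Level 2 scenario: one to three of the
# substitute characters may be inserted before and/or after each vowel.
VOWEL_SUBS = {
    "a": "@",
    "e": "!",
    "i": "1",
    "o": "()",
    "u": "n",
}

# Characters that must be backslash-escaped when they appear literally in a
# regex. Kept to the set YARA and Python agree on; "/" is included because
# it delimits a regex string inside a YARA rule.
_REGEX_SPECIAL = set(r".^$*+?()[]{}|\/")


def _literal(ch: str) -> str:
    """Escape one literal (non-vowel) character for use in the regex."""
    return "\\" + ch if ch in _REGEX_SPECIAL else ch


def _char_class(chars: str) -> str:
    """Build a [...] class; only ], \\, ^ and - need escaping inside one."""
    return "[" + "".join("\\" + c if c in "]\\^-" else c for c in chars) + "]"


def garble_pattern(toy: str) -> str:
    """Regex matching `toy` with the scenario's vowel padding.

    Every vowel v becomes  <class>*v<class>*  where <class> holds that
    vowel's substitute characters; all other characters match literally.
    e.g. "shopkins" -> "sh[()]*o[()]*pk[1]*i[1]*ns"
    """
    parts = []
    for ch in toy.lower():
        subs = VOWEL_SUBS.get(ch)
        if subs is None:
            parts.append(_literal(ch))
        else:
            pad = _char_class(subs) + "*"
            parts.append(pad + ch + pad)
    return "".join(parts)


def yara_rule(name: str, toy: str) -> str:
    """Render a complete YARA rule in the style of the rules on this page.

    `nocase wide` is kept because the CTF's note files are UTF-16LE
    (the \\x00 between characters seen in the -s output).
    """
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f"        ${name} = /{garble_pattern(toy)}/ nocase wide\n"
        "    condition:\n"
        "        any of them\n"
        "}\n"
    )


def count_hits(toy: str, lines) -> int:
    """Number of lines containing a (possibly garbled) spelling of `toy`."""
    rx = re.compile(garble_pattern(toy), re.IGNORECASE)
    return sum(1 for line in lines if rx.search(line))


# Constructed sample notes in the style of Peppermint Candy's lists; these
# are not the CTF's actual files.
SAMPLE_NOTES = [
    "sh()()()o()()()pk111i111ns",
    "SH()OPK1I1NS",
    "Cr!!e!!@@a@@t11i11v!!e!!",
    "F1i1dg!e!t Sp1i1nn!e!r",
    "Dominoes",
]

if __name__ == "__main__":
    for toy in ("shopkins", "creative", "fidget spinner"):
        print(yara_rule(toy.replace(" ", "_"), toy))
        print(f"{toy}: {count_hits(toy, SAMPLE_NOTES)} hit(s)\n")
```

Write the output of `yara_rule` to a `.yar` file and run it exactly like the hand-written rules on this page. If you want to be strict about the "one to three" padding, replace the `*` after each class with `{0,3}`, which YARA also supports.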

**YARA Rule**

```
rule shopkins
{
    strings:
        $shopkin = /sh\(*\)*\(*\)*\(*\)*o\(*\)*\(*\)*\(*\)*pk1*i1*ns/ nocase wide
    condition:
        any of them
}
```

```
.\yara64.exe -r .\q4.yar .\elves_level2\
```

![](/files/ZVVMFmPkMO1oHN6lGvDG)

```
.\yara64.exe -rs .\q4.yar .\elves_level2\
```

![](/files/PuEzQPrACq933tlURSv7)

```
.\yara64.exe -rs .\q4.yar .\elves_level2\ | %{$_ -replace "\\x00",""}
```

![](/files/YE87c9Kv0mvJLGcvC8Lt)

![](/files/pXVHJKFgjbxKJLJZnw5c)

#### Question 5

Santa wants kids these days to be creative, how many Creative toys got made?

So, this time we are looking to match Creative toys, which means matching garbled spellings such as Cr!!e!!@@a@@t11i11v!!e!!

**YARA Rule**

```
rule creative
{
    strings:
        $creative = /cr!*e!*@*a@*t1*i1*v!*e!*/ nocase wide
    condition:
        any of them
}
```


![](/files/7ShYpK45LjnxPNyeiVPS)

![](/files/rygNg9jJzcXdmID60ceK)

![](/files/3HzTVPvG0RT10bF6oaG1)

![](/files/tnjBqxyaWcG7qPC1tVGM)

In case you missed it, one of the elves made 2 Creative toys:

![](/files/fTdIGYZI0t0xNbLxaZLM)

![](/files/6nYn4M41yv4PV8dxqywR)

`measure` counts output lines, i.e. matching files, not matches, so the file with two hits was counted once and we had to add 1 to our answer. Running with `-s`, as above, shows every hit.
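As an added example that is not from the original write-up: a small Python parser for `yara -rs` output that counts string hits as well as matching files, so a double match like the one above is counted instead of having to be added by hand. The sample output is constructed to illustrate the format (one `rule path` line per matching file, then, with `-s`, one `0x<offset>:$<id>: <data>` line per hit, with non-printable bytes such as the UTF-16LE NULs shown as `\xNN` escapes); the paths, offsets and matched bytes are invented. `strip_wide` does the same as the `-replace "\\x00",""` PowerShell step above.

```python
import re
from collections import Counter

# Constructed sample of `yara -rs q5.yar .\elves_level2\` output; the
# paths, offsets and matched bytes are invented to show the format.
SAMPLE_OUTPUT = [
    r"creative .\elves_level2\elf01.txt",
    r"0x24:$creative: C\x00r\x00!\x00e\x00!\x00a\x00t\x00i\x00v\x00e\x00",
    r"creative .\elves_level2\elf07.txt",
    r"0x12:$creative: c\x00r\x00!\x00!\x00e\x00@\x00a\x00t\x00i\x00v\x00e\x00",
    r"0x90:$creative: C\x00r\x00e\x00a\x00t\x001\x00i\x00v\x00e\x00",
    r"creative .\elves_level2\elf13.txt",
    r"0x40:$creative: c\x00r\x00e\x00a\x00t\x00i\x00v\x00e\x00",
]

# A string-hit line printed by -s: hex offset, ':', string identifier, ': '.
HIT_LINE = re.compile(r"^0x[0-9a-fA-F]+:\$\w+: ")


def tally(output_lines):
    """Map (rule, path) -> number of string hits in that file.

    Files that matched a rule but printed no hit lines (e.g. output
    produced without -s) still appear, with a count of 0.
    """
    hits = Counter()
    current = None
    for line in output_lines:
        if not line.strip():
            continue
        if HIT_LINE.match(line):
            if current is None:
                raise ValueError("hit line before any 'rule path' line")
            hits[current] += 1
        else:
            # Rule identifiers cannot contain spaces, so the first space
            # separates the rule name from the path (which may contain some).
            rule, _, path = line.partition(" ")
            current = (rule, path)
            hits.setdefault(current, 0)
    return hits


def files_matched(output_lines) -> int:
    """What `| measure` reports when run without -s: matching files."""
    return len(tally(output_lines))


def total_hits(output_lines) -> int:
    """The number the question actually asks for: toys made."""
    return sum(tally(output_lines).values())


def strip_wide(line: str) -> str:
    """Drop the literal '\\x00' escapes yara prints for UTF-16LE text."""
    return line.replace("\\x00", "")


if __name__ == "__main__":
    counts = tally(SAMPLE_OUTPUT)
    for (rule, path), n in counts.items():
        print(f"{rule:10} {path:32} {n} hit(s)")
    print(f"files: {files_matched(SAMPLE_OUTPUT)}  hits: {total_hits(SAMPLE_OUTPUT)}")
```

To use it on real output, run `.\yara64.exe -rs .\q5.yar .\elves_level2\ > q5.txt` and feed the file's lines to `tally`. On the sample above, `files_matched` gives 3 (what `measure` would report) while `total_hits` gives 4, the second hit in elf07.txt being the one the write-up had to add by hand.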

#### Question 6

One of Santa's favorite toys to keep his calm is a Fidget Spinner. How many Fidget Spinners were made?

**YARA Rule**

```
rule fidget
{
    strings:
        $fidget = /f1*i1*dg!*e!*t sp1*i1*nn!*e!*r/ nocase wide
    condition:
        any of them
}
```

![](/files/yDNmaLJHrUZuGiQzjSkZ)

![](/files/CEt2fF0Bkooi4ONiStRn)

**Stay Tuned For Levels 3/4**

