Advent Of Cyber 3 - Day 21
When analyzing files, it can be handy to verify them agains a couple of antivirus engines as well as other available tools that can analyze the behaviour.
Yara is a tool where the community can commit rules they’ve created for known malware, which helps the blueteam to know what to look for.
recommended github repo: awesome-yara
recommended THM room for playing around with yara more: yara-room
We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the ‘and’ with, in order for the rule to still hit the file?
What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?
What section contains information about the author of the Yara rule?
What option is used to print only rules that did not hit?
Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?