⚠️ Pracivo Security Lab — All samples are COMPLETELY SAFE text files. No real malware. For learning static analysis techniques only.
> Writing YARA Rules
# YARA rules match patterns in files to identify malware families
# Basic rule structure:
rule FakeRansomware {
    meta:
        description = "Detects ransomware by common strings"
        author = "Pracivo Lab"
    strings:
        $s1 = "DeleteShadowCopies" nocase
        $s2 = "YOUR FILES HAVE BEEN ENCRYPTED"
        $s3 = "bitcoin" nocase
        $url = /https?:\/\/[a-z0-9]{8,}\.onion/ // Tor URL pattern
    condition:
        2 of them
}
# Rule for detecting a RAT by the Windows API function names it references (matched as plain strings):
rule SuspiciousRAT {
    strings:
        $api1 = "CreateRemoteThread"
        $api2 = "VirtualAllocEx"
        $api3 = "WriteProcessMemory"
        $api4 = "GetAsyncKeyState"
    condition:
        3 of ($api*)
}
# Run a YARA rule against a file:
yara myrule.yar suspicious_file.exe
# Scan a whole directory (-r recurses into subdirectories):
yara -r myrule.yar C:\suspected\malware\
# Practice: write a YARA rule that matches the sample files in this lab
# Hint: look for the C2 IP addresses and API function names in the samples
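To see how the two conditions above actually evaluate ("2 of them" versus "3 of ($api*)", plus nocase and regex strings), here is an added Python stand-in that is not part of the lab and not the yara tool: it mirrors the rules' strings as plain regexes and runs them over constructed sample text using only the standard library. The extra "HasIPv4" rule is an assumption illustrating the kind of C2 indicator the practice hint points at.

```python
import re

# Added stand-in for the lab's rules: each YARA string becomes a compiled regex.
# Literals are escaped, "nocase" maps to re.IGNORECASE, the Tor URL pattern stays
# a real regex. This mirrors the rule logic only; it is not the yara tool.
def literal(text, nocase=False):
    return re.compile(re.escape(text), re.IGNORECASE if nocase else 0)

RULES = {
    # rule FakeRansomware: condition "2 of them"
    "FakeRansomware": ({
        "$s1": literal("DeleteShadowCopies", nocase=True),
        "$s2": literal("YOUR FILES HAVE BEEN ENCRYPTED"),
        "$s3": literal("bitcoin", nocase=True),
        "$url": re.compile(r"https?://[a-z0-9]{8,}\.onion"),
    }, 2, None),
    # rule SuspiciousRAT: condition "3 of ($api*)"
    "SuspiciousRAT": ({
        "$api1": literal("CreateRemoteThread"),
        "$api2": literal("VirtualAllocEx"),
        "$api3": literal("WriteProcessMemory"),
        "$api4": literal("GetAsyncKeyState"),
    }, 3, "$api"),
    # Hypothetical rule (assumption) for the practice hint: an IPv4 literal.
    "HasIPv4": ({
        "$ip": re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"),
    }, 1, None),
}

def matched_strings(strings, data):
    """Names of the rule's strings that occur at least once in data."""
    return {name for name, rx in strings.items() if rx.search(data)}

def rule_matches(strings, data, count, prefix):
    """'count of them' when prefix is None, else 'count of ($prefix*)'."""
    hits = matched_strings(strings, data)
    if prefix is not None:
        hits = {n for n in hits if n.startswith(prefix)}
    return len(hits) >= count

def scan(data):
    """Return the names of all rules that match the given sample text."""
    return [name for name, (strings, count, prefix) in RULES.items()
            if rule_matches(strings, data, count, prefix)]

# Constructed sample text, in the spirit of the lab's safe text-only samples.
SAMPLE_RANSOM = "Pay 0.5 Bitcoin at http://abcdefgh12.onion/pay to recover data"
SAMPLE_RAT = "VirtualAllocEx; WriteProcessMemory; CreateRemoteThread; 10.0.0.5"
SAMPLE_BENIGN = "Quarterly report: revenue up 3%, see http://example.com"
```

Note that "Bitcoin" is caught only because `$s3` is nocase, and the RAT sample triggers on three API names even though `$api4` is absent, exactly as `3 of ($api*)` intends.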