In this lab, we first analyzed the njRAT malware file. We used the strings command to list the malicious Windows APIs referenced inside the file. This allowed us to take those API names and use them as the strings of a YARA rule. The YARA rule confirmed for us that the njRAT file is indeed malware by checking for the 10 strings written into the rule.
Next, we used 7 different YARA rules to scan a directory containing 33 different malware files. By scanning these samples with the 7 rules, we were able to count the number of malware samples detected by each rule. We used a bar graph to better illustrate our results.
Lastly, we were each assigned a specific malware file and used VirusTotal to investigate it. We provided information on the following: hashes (MD5, SHA-1, SHA-256), YARA rule, common Windows APIs used, network communication, persistence mechanism, imported DLLs (Dynamic-Link Libraries), dropped files, and DNS information. We then broke down each of the suspicious activities and provided research on each one.
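As an added example that is not part of the original lab write-up, the script below reproduces the workflow from the first three steps in a single, dependency-free form: it extracts printable strings from a sample the way `strings` does, pulls out Windows API names and writes them into YARA rule text, evaluates each rule's "N of them" condition across a directory of samples to get a per-rule hit count, and computes the MD5/SHA-1/SHA-256 hashes that VirusTotal indexes by. The sample bytes are constructed in the script and are not real njRAT, and the API list is a generic set of names a RAT commonly imports, chosen here for illustration rather than taken from the lab's rule. Plain substring search stands in for the YARA engine so that the script runs without yara-python.

```python
"""Lab workflow in miniature: strings -> YARA rule -> directory scan -> hashes.

Constructed example; the samples below are fake byte strings, not real malware,
and the API list is an assumed, generic set rather than the lab's own rule.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Assumed list of API names worth flagging (generic RAT behaviour: injection,
# keylogging, registry persistence, networking, downloading, execution).
SUSPICIOUS_APIS = [
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "SetWindowsHookExA", "GetAsyncKeyState", "RegSetValueExA",
    "WSAStartup", "InternetOpenUrlA", "URLDownloadToFileA", "ShellExecuteA",
]

# Constructed samples standing in for the scanned directory: an njRAT-like
# binary importing every API above, a dropper-like one importing a few, and a
# benign-looking one importing none. The "MZ" prefix only mimics a PE header.
def _fake_pe(*api_names: str) -> bytes:
    return b"MZ\x90\x00" + b"\x00" * 8 + b"\x00".join(a.encode() for a in api_names) + b"\x00"

SAMPLES: Dict[str, bytes] = {
    "njrat_like.exe": _fake_pe(*SUSPICIOUS_APIS),
    "dropper_like.exe": _fake_pe("URLDownloadToFileA", "ShellExecuteA", "RegSetValueExA"),
    "benign.exe": _fake_pe("GetSystemTime", "MessageBoxA"),
}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n 4`: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def find_apis(data: bytes) -> List[str]:
    """Which of the suspicious API names appear among the sample's strings."""
    present = set(extract_strings(data))
    return [api for api in SUSPICIOUS_APIS if api in present]

def build_rule(name: str, strings: List[str], threshold: int) -> str:
    """Emit YARA rule text whose condition is '<threshold> of them'."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{s}"')
    lines += ["    condition:", f"        {threshold} of them", "}"]
    return "\n".join(lines)

def rule_matches(strings: List[str], threshold: int, data: bytes) -> bool:
    """Evaluate 'threshold of them' with plain substring search (YARA's default
    ascii string match is also a substring match, not word-bounded)."""
    hits = sum(1 for s in strings if s.encode("ascii") in data)
    return hits >= threshold

# Rule set standing in for the lab's 7 rules: name -> (strings, threshold).
RULES: Dict[str, Tuple[List[str], int]] = {
    "njrat_strings": (SUSPICIOUS_APIS, 10),
    "process_injection": (["CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"], 2),
    "keylogger": (["SetWindowsHookExA", "GetAsyncKeyState"], 1),
    "downloader": (["URLDownloadToFileA", "ShellExecuteA"], 2),
    "registry_persistence": (["RegSetValueExA"], 1),
}

def scan_directory(rules: Dict[str, Tuple[List[str], int]],
                   samples: Dict[str, bytes]) -> Dict[str, int]:
    """Number of samples each rule fires on; this is the data behind the bar graph."""
    return {
        name: sum(1 for data in samples.values() if rule_matches(strings, thr, data))
        for name, (strings, thr) in rules.items()
    }

def file_hashes(data: bytes) -> Dict[str, str]:
    """The three digests VirusTotal lets you search by."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

if __name__ == "__main__":
    njrat = SAMPLES["njrat_like.exe"]
    print(build_rule("njrat_strings", find_apis(njrat), 10))
    for name, count in scan_directory(RULES, SAMPLES).items():
        print(f"{name:22s} {count} / {len(SAMPLES)} samples")
    print(file_hashes(njrat))
```

The threshold is the part worth thinking about when writing the real rule: "10 of them" only fires on a file that contains every string, so a repacked variant missing one import is missed, while a low threshold over common APIs like `WSAStartup` will fire on legitimate networked software. Combining a few high-signal strings with a modest threshold is usually the better trade.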
Overall, this lab allowed us to learn how to create a YARA rule, scan different types of malware files with it, and investigate the individual aspects of a malware sample in more depth.