Task 1: Scan for Infection
- Copy the provided file HiWorld.zip to the Downloads folder in the Windows 10 VM.
- Right-click the file HiWorld.zip, and select Extract Here.
- In your Windows 10 VM, search for Windows PowerShell in the search bar and run it as an administrator.
- Click Yes for the request to make changes.
- Use cd C:\Users\<user>\Downloads\clamav-0.102.2-win-x86-portable\ to navigate to the ClamAV directory.
- Use the command ./clamscan.exe -v C:\Users\<user>\Downloads\HiWorld.exe to scan the executable.
- Copy the provided file HxDSetup.zip to the Downloads folder in the Windows 10 VM.
- Right-click the file HxDSetup.zip, and select Extract Here.
- Double-click the file HxDSetup to begin the installation of the HxD hex editor. When asked for permission to make changes, click Yes.
- Select the English language and click OK.
- Click Next in the first setup page.
- Accept the agreement and click Next.
- Select the installation destination and click Next.
- In the Start Menu Folder Selection window, don’t change anything and click Next.
- Select Create a desktop shortcut and click Next.
- Deselect both options, and click Finish.
Task 3: Creating a YARA Rule
- Open the Downloads folder and run the executable HiWorld.exe.
- From the displayed content, which words can potentially be used for the creation of the YARA rule?
- There are many options to choose from. For example, "Hello Class!" can be used, or "Create a YARA rule", and many others.
- Double-click HxD to start it.
- Click File, and select Open…
- Navigate to the Downloads folder, select the executable HiWorld.exe, and click Open.
- Press Ctrl + f, type "Create a YARA rule", select the search direction All, and click OK.
- Note that the searched text is highlighted. Right-click its hex values, and select Copy.
- In a new text file, write the following rule (replace <hex> with the copied hex values):
    rule HiWorld
    {
        strings:
            $text_string = "Create a YARA rule"
            $hex_string = { <hex> }
        condition:
            $text_string or $hex_string
    }
- Click File and select Save As.
- Navigate to Downloads\clamav-0.102.2-win-x86-portable\database and save the file with the name hiworld.yar.
- Note: Make sure file name extensions are shown in File Explorer so the file is saved with the .yar extension.
- In PowerShell, execute the following command to scan the executable HiWorld.exe:
./clamscan.exe -v C:\Users\<user>\Downloads\HiWorld.exe
- Note that the scan marked the file as infected.
- Use the command again, but with the flag --remove:
./clamscan.exe -v C:\Users\<user>\Downloads\HiWorld.exe --remove
- This will automatically remove the infected file.
- Go to the Downloads directory and verify that the file was removed.
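The steps above (find the string in HxD, copy its hex values, write the rule with a text string and a hex string joined by or) can be reproduced in code. The following is an added example, not part of the lab materials or of ClamAV: it uses a constructed stand-in for HiWorld.exe, derives the YARA hex-string form of "Create a YARA rule" from the file bytes, renders the hiworld.yar rule in the lab's layout, and evaluates the rule's or condition against raw bytes without running clamscan.

```python
# Added example (not part of the lab): build the hiworld.yar rule from an
# executable's bytes the way HxD's copy-as-hex step does, then check the
# "$text_string or $hex_string" condition against a file without ClamAV.
from pathlib import Path

# Constructed stand-in for HiWorld.exe: a fake MZ header plus the text the
# lab's program displays. It is NOT the real binary from the lab.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 16 + b"Hello Class!\x00Create a YARA rule\x00"


def hex_string_for(data: bytes, needle: str) -> str:
    """Return the YARA hex-string form ({ 43 72 65 ... }) of `needle` as it
    appears in `data`, i.e. what HxD copies when you right-click the
    highlighted hex values. Raises if the text is not in the file."""
    raw = needle.encode("ascii")
    offset = data.find(raw)
    if offset < 0:
        raise ValueError(f"{needle!r} not found in file")
    found = data[offset:offset + len(raw)]
    return "{ " + " ".join(f"{b:02X}" for b in found) + " }"


def build_rule(name: str, text: str, hex_pattern: str) -> str:
    """Render the rule in the same layout the lab uses."""
    return (
        f"rule {name}\n{{\n    strings:\n"
        f'        $text_string = "{text}"\n'
        f"        $hex_string = {hex_pattern}\n"
        "    condition:\n        $text_string or $hex_string\n}\n"
    )


def rule_matches(data: bytes, text: str, hex_pattern: str) -> bool:
    """Evaluate the lab rule's condition ($text_string or $hex_string) on raw
    bytes. Only plain (non-wide, case-sensitive) strings are handled, which
    is all the lab rule uses."""
    hex_bytes = bytes.fromhex(hex_pattern.strip("{} ").replace(" ", ""))
    return text.encode("ascii") in data or hex_bytes in data


def write_rule(dest: Path, data: bytes = SAMPLE_EXE) -> str:
    """Generate hiworld.yar for the given file bytes and write it to `dest`."""
    text = "Create a YARA rule"
    rule = build_rule("HiWorld", text, hex_string_for(data, text))
    dest.write_text(rule, encoding="ascii")
    return rule


if __name__ == "__main__":
    print(write_rule(Path("hiworld.yar")))
```

Dropping the generated hiworld.yar into the ClamAV database folder, as in the lab, lets clamscan pick it up; rule_matches only mirrors the or condition for a quick local check.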