Welcome to EMYAC - the Extensive Malware YARA Accuracy Competition. Here, you'll learn how to write effective YARA rules to detect malware families across real sample sets. Follow this guide to get started.
YARA is a tool used to identify and classify malware based on textual or binary patterns. It helps reverse engineers and threat analysts detect malware by creating custom rules based on known indicators.
YARA-X is the modern, performance-focused evolution of YARA, with improved capabilities and architecture.
YARA Documentation | YARA-X GitHub
Select a malware family you're interested in learning about. You’ll be given access to a subset of sample files associated with that malware.
Start with AgentTesla or Formbook before tackling more advanced ones like CobaltStrike.
After selecting a family, download the samples. Each challenge will provide a curated collection of binaries for analysis.
Important: These are real malware samples. Read the next step carefully.
Always work in a secure environment. Use virtual machines or sandboxes such as:
Now it's time to craft your YARA rule. Focus on creating strong, relevant conditions based on strings, hex patterns, file sizes, or imported functions.
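A rule skeleton in the shape this step describes (a meta block, text strings, a hex pattern, a file-size bound and an import check), as an added example that is not from the competition page; the family name, strings and bytes are constructed placeholders, not real indicators for any malware family:

```yara
import "pe"

// Added example, not from the EMYAC page. Every indicator below is a
// constructed placeholder; replace it with what you observe in the samples.
rule EMYAC_Example_Family
{
    meta:
        author      = "yourname"             // needed to be credited
        description = "Structure of an EMYAC submission (constructed example)"
        family      = "ExampleFamily"        // placeholder, not a real family

    strings:
        // Text strings: 'ascii wide' catches both narrow and UTF-16 builds
        $s1 = "ExampleMutexName_PLACEHOLDER" ascii wide
        $s2 = "placeholder.example/gate.php" ascii wide nocase

        // Byte pattern with single-byte wildcards (??) and a 4-byte jump ([4])
        $h1 = { 68 ?? ?? 40 00 E8 [4] 83 C4 04 }

    condition:
        // Cheap checks first: PE magic and a size bound cut scan time and
        // keep unrelated large files from producing false positives
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        // Imported function typical of the behaviour you observed
        pe.imports("kernel32.dll", "CreateMutexA") and
        // At least two of the string/hex indicators must be present
        2 of ($s*, $h1)
}
```

Keep the condition anchored on several independent indicators rather than a single string, so that one repacked variant or one benign file sharing a string does not swing precision or recall on its own.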
Include meta: author = "yourname" in your rule to be credited.
Begin by testing your rule on your local system to ensure it matches all samples.
yara your_rule.yar /path/to/samples
Check which files were matched and adjust your rule to improve it. Add -s to print the strings that matched in each file, so you can see which indicators are carrying the rule:
yara your_rule.yar /path/to/samples -s
Once you’re happy with your results, submit your rule for scoring. You'll get feedback on detection accuracy, precision, recall, rule performance and the exact number of false positives/false negatives.
Use the feedback to refine your rule:
Learn more about precision and recall
Dive in, learn through doing, and sharpen your skills in writing YARA rules. Your progress and results will be reflected in the leaderboard and scoring system.
This competition would not be possible without Lena, creator of Malmons, and the whole Malware Village team. Infrastructure was kindly provided by GITC and samples are courtesy of vxunderground and VirusTotal.