YARA rules

YARA stands for - Yet Another Ridiculous Acronym. It is one of the most powerful threat hunting and detection opensource tool. It takes a rule file and detects malware based on those rules.

	yara

	yara64

Example syntax-

Example.yara

rule Yara_example { 

	meta:
		description = "Yara example"
		author = "PMAT"
		date = "2021-10-15"
	strings:
		$string1="YOURTHEMANNOWDOG" ascii
		$string2="nim"
		$PE_magic_byte = "MZ"
		$sus_hex_string={ FF E4 ?? 00 FF}
	condition:
		$PE_magic_byte at 0 and
		($string1 or $string2) or
		$sus_hex_string
}

Command used-

	yara example.yara Malware.yara1.exe.malz -w -p 32

-p gives the threads-w suppresses warnings

A malware has been detected.

Add the -s flag to know which part of the rule triggered the result.

	yara example.yara Malware.yara1.exe.malz -s -w -p 32

The $string2 variable triggered the result. To recursively search in the current working directory, use . instead of the file name.

	yara example.yara . -w -p 32

For any other directory , use the directory location and -r flag instead of . .

	yara example.yara -r C:\ -w -p 32

Use // in the rule to add comments.

PreviousReversing Csharp And DotNET Framework NextAutomating Malware Analysis

Last updated 9 months ago