Malware Journey Day 36
Jan 15, 2024
Yara Rules
It is just pattern matching based on rules.
A YARA engine simply matches the contents of a file against the patterns that the rules declare.
Normally in a YARA file I would look for bytes like:
$s1 = {90 00 03 00 04 00 .......}
Perhaps this is an obfuscated MZ header.
For malware samples, I found this rule to work very well on banker samples:
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
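To make the "engine just matches the contents" idea concrete, here is a small added example of my own (not code from the post or from the YARA project): a minimal Python matcher that parses the hex and text strings of the rule above, also accepts the ?? wildcard that real YARA hex strings allow, and evaluates an "or" condition over constructed sample buffers. For real work you would use the yara CLI or yara-python; this only reproduces the matching idea.

```python
import re

def hex_pattern(body):
    """Translate a YARA hex string body such as '6A 40 ?? 30' into a bytes regex."""
    tokens = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in body.split()]
    return re.compile(b"".join(tokens), re.DOTALL)

def compile_rule(rule_text):
    """Collect the $identifiers of a single rule and its condition text."""
    strings = {}
    for ident, body in re.findall(r'(\$\w+)\s*=\s*(\{[^}]*\}|"[^"]*")', rule_text):
        if body.startswith("{"):                     # hex string: {6A 40 ...}
            strings[ident] = hex_pattern(body[1:-1])
        else:                                        # text string: "..."
            strings[ident] = re.compile(re.escape(body[1:-1].encode()))
    condition = re.search(r"condition:\s*(.+?)\s*}", rule_text, re.S).group(1)
    return strings, condition

def scan(rule_text, data):
    """Return (rule_matched, [identifiers that hit]) for one buffer.

    Only 'or'-combined identifiers are supported, which covers the post's rule.
    """
    strings, condition = compile_rule(rule_text)
    hits = [ident for ident, pat in strings.items() if pat.search(data)]
    matched = any(term.strip() in hits for term in condition.split(" or "))
    return matched, hits

# The rule from the post, without its meta block.
SILENT_BANKER = r'''
rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
'''

# Constructed sample buffers (not real malware): a fake MZ header followed by
# the bytes of $a, and a clean buffer of the same shape.
SAMPLE_HIT = b"MZ\x90\x00" + bytes.fromhex("6A 40 68 00 30 00 00 6A 14 8D 91") + b"\x00" * 16
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 32

if __name__ == "__main__":
    print(scan(SILENT_BANKER, SAMPLE_HIT))    # (True, ['$a'])
    print(scan(SILENT_BANKER, SAMPLE_CLEAN))  # (False, [])
```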
Overall this blog was meant to be short, since I really just needed to get the idea of what YARA rules are used for and how to start using them against executables.
Due to my master's starting soon, blogging on malware will unfortunately be cut short.