
ABSTRACT

This lab focuses on writing YARA rules to detect malicious files, using FLOSS to extract
suspicious strings from a file, and using yarGen to generate a rule file automatically.
Muhammad HUZAIFA
20I-0604
YARA SCRIPTING
Lab # 09
Contents
Task # 01: Yara Scripting  2
  Pony Stealer Malware  2
  Adware Malware  3
Task # 02: Using Floss  3
  Pony Stealer Malware  3
  Adware Malware  4
Task # 03: Using yarGen to create Rule files  5
Task # 01: Yara Scripting

Pony Stealer Malware:


Use the strings command to find strings that can be used when writing the YARA rule. The
following command lists the ASCII strings in the malware file:
“strings -a <malware.exe>”
(Check which strings you are running: in the Sysinternals strings.exe, the usual one on a
Windows analysis VM, -a restricts the output to ASCII strings and -u to Unicode strings, whereas
in GNU binutils strings, -a means scan the whole file instead of only its loadable sections.)

The screenshot above shows suspicious strings in Pony Stealer, since it modifies registry keys.
Next up is writing the YARA rule. Here is the screenshot of the rule I wrote for the Pony
Stealer malware:

To run the rule against a specific executable, use the following command:
“yara32 -r <rulefile.yara> <malware.exe>”
Here -r tells yara to recurse into directories, so it only matters when the target is a folder of
samples; adding -s prints the strings that matched, which shows which part of the rule fired.
If the conditions of the rule in the screenshot above are met, the rule is triggered as shown in
the screenshot below:

As you can see, the rule has been triggered for the malware it was written for.
The same steps apply to the second malware: list the strings with the -a flag (ASCII strings),
write rules on those strings, and run the rule file against the malware the rule was written
for.
Adware Malware:
Strings extracted:

The suspicious strings I found for this malware are shown in the screenshot above; I used them
for writing the rule shown in the screenshot below:

Executing the rule file against the adware malware:

As you can see in the screenshot above, the rule has been triggered against the malicious
adware file as well.
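To make the Task 01 workflow concrete without the samples, here is an added example (written for this report, not code from the lab or from YARA itself). A constructed byte blob stands in for the malware; the extraction step prints the printable-ASCII runs the way strings -a does, a small evaluator applies a rule of the same shape as the one above (fixed strings, an MZ header check, and an all of them condition), and to_yara renders that rule as YARA text that yara32 could run. The rule name, string identifiers and chosen strings are assumptions of the example; the backslash escaping in to_yara is the real YARA requirement for registry paths inside double-quoted strings.

```python
"""Added example for the Task 01 workflow (not code from the lab or from
YARA).  A constructed byte blob stands in for the malware sample, the ASCII
extraction mirrors what `strings -a` prints, and a small evaluator applies a
rule of the same shape as the hand-written one: fixed ASCII strings, an MZ
header check, and an `all of them` condition."""
from __future__ import annotations
import re

MIN_LEN = 4  # strings' default minimum run length

# Constructed stand-in for a PE sample (not real malware): an MZ header,
# zero padding, then registry-related API names and an autorun key path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RegOpenKeyExA\x00RegQueryValueExA\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"  # shorter than MIN_LEN, so strings would not print it
    + b"GetProcAddress\x00"
)

def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, in file order (like `strings -a`)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Hand-written rule in the shape used in the lab.  The name, the string
# identifiers and the chosen strings are this example's own assumptions.
RULE = {
    "name": "pony_stealer_example",
    "strings": {
        "$reg1": b"RegOpenKeyExA",
        "$reg2": b"RegQueryValueExA",
        "$run": b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    },
    "require_mz": True,    # condition part: uint16(0) == 0x5A4D
    "min_matches": "all",  # condition part: all of them (or an int for "N of them")
}

def evaluate(rule: dict, data: bytes) -> tuple[bool, list[str]]:
    """Apply the rule to data and return (matched, ids of the strings that were found)."""
    hits = [sid for sid, s in rule["strings"].items() if s in data]
    if rule["require_mz"] and data[:2] != b"MZ":
        return False, hits
    need = len(rule["strings"]) if rule["min_matches"] == "all" else rule["min_matches"]
    return len(hits) >= need, hits

def to_yara(rule: dict) -> str:
    """Render the rule as YARA source.  Backslashes and quotes must be escaped
    inside YARA text strings, which matters for registry paths like $run."""
    lines = [f"rule {rule['name']}", "{", "    strings:"]
    for sid, s in rule["strings"].items():
        text = s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        {sid} = "{text}"')
    parts = ["uint16(0) == 0x5A4D"] if rule["require_mz"] else []
    parts.append("all of them" if rule["min_matches"] == "all"
                 else f"{rule['min_matches']} of them")
    lines += ["    condition:", "        " + " and ".join(parts), "}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("\n".join(ascii_strings(SAMPLE)))  # what `strings -a` would show
    print(to_yara(RULE))                      # save this as a .yara file for yara32
    print(evaluate(RULE, SAMPLE))             # (True, ['$reg1', '$reg2', '$run'])
```

The evaluator deliberately mirrors the two halves of a YARA rule: the strings section decides which identifiers matched, and the condition decides whether the file as a whole is a hit, so a sample with the right strings but no MZ header is still reported as not matched.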
The next task is using FLOSS (the FLARE team's string extractor) to check for all the suspicious
strings in the given file.

Task # 02: Using Floss

Pony Stealer Malware:


Extracting strings with FLOSS is straightforward. Run the following command to write its
output for a specific malware sample to a file:
“floss <malware.exe> > output.txt”
FLOSS goes further than strings: besides static strings it also reports stack strings and strings
the sample decodes at runtime, which a plain strings listing misses.
Then either use the ‘type’ command or open the text file in Notepad to show the file’s
content.

You can see in the screenshot that the output file has been created, and, as shown in the
screenshot below, the suspicious strings of Pony Stealer have been written to it:

Use the same command for the adware malware as well.


Adware Malware:
Use the following command to get the string listing for the adware malware as well:
“floss <adware.exe> > adware.txt”
Output file:

You can see that suspicious strings like “Destroy Window” are shown in the output file. Note that
strings of this kind (DestroyWindow is a standard Win32 API) also appear in harmless GUI
programs, so a rule should not rest on one of them alone but combine several strings that
together are specific to the sample.
Task # 03: Using yarGen to create Rule files.

After downloading the yarGen zip file from GitHub, I started a Python HTTP server and put the
zip file on it. Similarly, I downloaded the database file for yarGen manually and put it on the
same server, then downloaded both files inside the FLARE VM from that HTTP server, as shown
in the screenshot below.
Then replace the downloaded database file in the “dbs” folder inside yarGen’s folder.
Then follow the commands from the GitHub repository as shown in the screenshot below:
Install the requirements with the following command:
“pip install -r requirements.txt”

Update the good-string databases in “dbs” with: “python yarGen.py --update”
(--update downloads the same database files that were copied into “dbs” by hand above.)


After running this command it is time to complete the task. Use the following command to
create the rule file as shown in the screenshot below:

You can use the “dir” command to show the newly created yarGen_rules.yara file as shown in
the screenshot below:

Now move to the destination folder and open the file in Notepad or any other editor. You can
see the rules created by yarGen in the screenshot below:
Before such a rule is used for detection it should be read through: yarGen scores the sample's
strings and discards those found in its goodware databases, but strings that survive can still be
common enough to cause false positives on legitimate software.
This shows how we can write YARA rules for malware ourselves as well as generate rules
automatically using yarGen.
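yarGen's advantage over hand-writing rules is the goodware filter: strings that also occur in its dbs/ databases of known-good files are dropped before the rule is emitted. The following added example (this report's own illustration, not yarGen's code) reproduces that idea on constructed inputs: two made-up "goodware" blobs, one made-up sample, a goodware database built from the former, and a generated YARA rule whose strings are the ones unique to the sample. The longest-first ordering, the 2 of them condition, the filesize bound and every string in the blobs are assumptions of the example; yarGen's real scoring is more elaborate, and its own invocation takes the sample directory with -m (python yarGen.py -m <dir>).

```python
"""Added example for Task 03 (this report's own illustration, not yarGen's
code): the goodware filter that makes auto-generated rules usable.  Strings
are extracted from a sample, every string that also occurs in a corpus of
known-good files is dropped (the role of yarGen's dbs/ databases), and the
survivors are emitted as a YARA rule."""
from __future__ import annotations
import hashlib
import re

MIN_LEN = 6  # ignore very short runs; they are rarely specific to one sample

def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> set[str]:
    """Printable-ASCII runs of at least min_len bytes, as a set."""
    return {m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)}

# Constructed corpus (not real files): two "goodware" blobs carrying strings
# that any ordinary PE contains ...
GOODWARE = [
    b"MZ..This program cannot be run in DOS mode.\x00KERNEL32.dll\x00"
    b"GetProcAddress\x00LoadLibraryA\x00",
    b"MZ..This program cannot be run in DOS mode.\x00USER32.dll\x00"
    b"MessageBoxA\x00GetProcAddress\x00",
]
# ... and a constructed "sample" that shares them but adds strings of its own.
SAMPLE = (
    b"MZ..This program cannot be run in DOS mode.\x00KERNEL32.dll\x00GetProcAddress\x00"
    b"RegSetValueExA\x00\\Mozilla\\Firefox\\Profiles\x00signons.sqlite\x00"
    b"/upload/report.php\x00"
)

def build_goodware_db(files: list[bytes]) -> set[str]:
    """Union of strings seen in known-good files (what yarGen ships in dbs/)."""
    db: set[str] = set()
    for data in files:
        db |= ascii_strings(data)
    return db

def candidate_strings(sample: bytes, good_db: set[str], max_strings: int = 10) -> list[str]:
    """Strings unique to the sample, longest first (a crude stand-in for yarGen's scoring)."""
    unique = ascii_strings(sample) - good_db
    return sorted(unique, key=lambda s: (-len(s), s))[:max_strings]

def yara_escape(s: str) -> str:
    """Escape backslashes and quotes for a double-quoted YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def generate_rule(name: str, sample: bytes, good_db: set[str], required: int = 2) -> str:
    """Emit a YARA rule from the sample's unique strings; raises if nothing survives."""
    strings = candidate_strings(sample, good_db)
    if not strings:
        raise ValueError("no sample-specific strings left after goodware filtering")
    n = min(required, len(strings))
    out = [
        f"rule {name}", "{", "    meta:",
        '        description = "auto-generated example rule"',
        f'        hash = "{hashlib.sha256(sample).hexdigest()}"',
        "    strings:",
    ]
    for i, s in enumerate(strings, 1):
        out.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    out += ["    condition:",
            f"        uint16(0) == 0x5A4D and filesize < 200KB and {n} of them", "}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    db = build_goodware_db(GOODWARE)
    print(generate_rule("sample_example", SAMPLE, db))
```

Running it prints a rule that contains none of the DOS-stub or import-table strings shared with the goodware blobs, only the four strings unique to the sample. Feeding one of the goodware blobs in as the sample leaves no candidates at all, which is the right outcome: a rule with no specific strings would only generate false positives, and the same check is worth applying by eye to whatever yarGen produces on a real sample.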
