The screenshot above shows the suspicious strings found in Pony Stealer; they indicate that it modifies registry keys. The next step is writing a YARA rule on those strings. Here is a screenshot of the rule I wrote for the Pony Stealer sample:
To run the rule against a specific malicious executable, use the following command:
“yara32 -r <rulefile.yara> <malware.exe>”
(The -r flag tells yara to recurse into directories; it only matters when the target is a folder of samples rather than a single file, but it does no harm here.)
If the conditions in the rule above are met, the rule triggers as shown in the screenshot below:
As you can see, the rule has been triggered on the malware I wrote it for.
The same steps apply to the second malware: list the strings with the -a flag (ASCII-only output in Sysinternals strings.exe; note that GNU strings uses -a to mean “scan the whole file”), write a rule on the suspicious strings, and run the rule file against the malware it was written for.
Adware Malware:
Strings extracted:
The suspicious strings I found for this malware are shown in the screenshot above; I used them to write the rule shown in the screenshot below:
As you can see in the screenshot above, the rule has also been triggered against the adware file.
The next task is using FLARE to check for all the suspicious strings in the given file.
You can see in the screenshot that the output file has been created, and, as shown in the screenshot below, the suspicious strings for Pony Stealer have been written to it:
You can see that strings such as “DestroyWindow” appear in the output file. Keep in mind that Win32 API names like this one also occur in benign programs, so the registry paths are the stronger indicators to build a rule on.
Task # 03: Using yarGen to create rule files.
After downloading the zip file from GitHub, I started a Python HTTP server and put the zip file on it. Similarly, I downloaded the database file for yarGen manually and put it on the same server, then fetched both files inside FLARE through the HTTP server as shown in the screenshot below.
Then place the downloaded database file in the “dbs” folder inside yarGen’s folder.
Then follow the commands from the GitHub repository as shown in the screenshot below:
Install the requirements file using the following command:
“pip install -r requirements.txt”
You can use the “dir” command to list the newly created yarGen_rules.yara file as shown in the screenshot below:
Now move to the destination folder and open the file in Notepad or any other editor. The rules created by yarGen are shown in the screenshot below:
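As an added example (not part of the original report, and not code from YARA or yarGen), the Python script below runs the whole workflow of this report on constructed input: it extracts ASCII strings the way strings -a does, keeps the registry-related ones that are not known from a small goodware string set (the idea behind yarGen's goodware database, reduced to a set lookup), emits a YARA rule as text, and checks the rule with a small stand-in matcher. The two byte blobs, the goodware set, the registry hint list and every function name are assumptions made for this example; for a real check, save the printed rule to a .yar file and run it with yara, or compile it with yara-python (yara.compile(source=...) and .match(data=...)).

```python
import re

# Constructed stand-ins for the two files scanned in the report. These are NOT
# real samples: a few bytes with embedded ASCII strings, enough to show the
# workflow (extract strings -> pick indicators -> emit a rule -> check it).
PONY_LIKE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02RegSetValueExA\x00"
    + b"\xff\xfeDestroyWindow\x00"
    + b"ab\x00"            # shorter than MIN_LEN, so 'strings' would skip it
)
BENIGN_LIKE = b"MZ\x90\x00Hello, world!\x00DestroyWindow\x00"

# Strings that also occur in harmless programs. yarGen keeps a large goodware
# database for this purpose; this tiny set is constructed for the example.
GOODWARE_STRINGS = {"DestroyWindow", "Hello, world!"}

MIN_LEN = 4                        # default minimum length of strings.exe
REGISTRY_HINTS = ("CurrentVersion\\Run", "RegSetValue", "RegCreateKey")


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable-ASCII runs of at least min_len chars, i.e. what 'strings -a' lists."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pick_indicators(strs, hints=REGISTRY_HINTS, goodware=GOODWARE_STRINGS) -> list:
    """Keep strings that look like registry-persistence artefacts and are not
    known from goodware (yarGen's filtering idea, reduced to a set lookup)."""
    return [s for s in strs
            if any(h in s for h in hints) and s not in goodware]


def yara_escape(s: str) -> str:
    """Escape a literal for a YARA text string: backslash and double quote."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def generate_rule(name: str, indicators, required: str = "all") -> str:
    """Emit a YARA rule requiring an MZ header plus `required` of the strings."""
    lines = [f"rule {name}", "{", "    meta:",
             '        description = "registry persistence strings (constructed example)"',
             "    strings:"]
    for i, s in enumerate(indicators):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {required} of them",   # 0x5A4D == "MZ" little-endian
              "}"]
    return "\n".join(lines)


def rule_hits(data: bytes, indicators, required=None) -> bool:
    """Stand-in for 'yara rule.yar file': MZ header present and at least
    `required` of the strings found (default: all of them)."""
    if data[:2] != b"MZ":
        return False
    need = len(indicators) if required is None else required
    hits = sum(s.encode("ascii") in data for s in indicators)
    return hits >= need


if __name__ == "__main__":
    found = pick_indicators(ascii_strings(PONY_LIKE))
    print(generate_rule("Pony_Stealer_Registry", found))
    print("pony-like sample:", rule_hits(PONY_LIKE, found))
    print("benign sample:  ", rule_hits(BENIGN_LIKE, found))
```

The goodware filter is what separates a usable rule from a noisy one: DestroyWindow is dropped because it appears in benign code, while the Run key path and RegSetValueExA survive. Loosening the condition to "1 of them" (the `required` parameter) trades fewer misses for more false positives, which is the same trade-off you make when you edit the condition line of a yarGen-generated rule by hand.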
This shows how we can write YARA rules for malware ourselves, as well as generate them automatically with yarGen.