yarGen
Some files might not get detected by Loki, so sometimes we need to create a Yara rule to detect that specific file in our environment.
We can manually open the file and attempt to sift through lines upon lines of code to find possible strings that can be used in our newly created Yara rule.
wc tool
Count the lines of a particular file:
wc -l file
yarGen is a generator for YARA rules.
yarGen tool
“The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.”
To use yarGen to generate a Yara rule for file 2, you can run the following command:
python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yar
A brief explanation of the parameters above:
-m : the path to the file(s) you want to generate rules for
--excludegood : force yarGen to exclude all goodware strings (these are strings found in legitimate software and can increase false positives)
-o : location and name of the output Yara rule file
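The quoted principle (keep the strings found in the suspicious file, drop every string that also appears in goodware, write the rest into a rule) is small enough to show end to end. The script below is an added example, not yarGen's own code; it uses a constructed suspicious byte blob and a constructed goodware corpus in place of yarGen's real database, and the rule name and the "2 of" threshold are arbitrary choices.

```python
import re

# Constructed sample of a suspicious file (not a real binary, not file2 from the notes).
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00GetProcAddress\x00"
    + b"C:\\Users\\victim\\evil_dropper.exe\x00"
    + b"http://example.invalid/beacon.php\x00"
    + b"\x00" * 4
)

# Constructed stand-in for yarGen's goodware string database: strings that
# legitimate Windows executables also contain and that would only cause false positives.
GOODWARE_CORPUS = (
    b"MZ\x90\x00This program cannot be run in DOS mode.\x00"
    b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
)

MIN_LEN = 6  # ignore very short printable runs, the way `strings -n 6` would


def extract_strings(data, min_len=MIN_LEN):
    """Return the set of printable ASCII runs of at least min_len characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, data)}


def filter_goodware(candidates, goodware_strings):
    """Drop every candidate that also appears in goodware; sort for a stable rule."""
    return sorted(candidates - goodware_strings)


def yara_escape(s):
    """Escape backslashes and double quotes so the string is a valid YARA literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, strings, min_match=2):
    """Render a YARA rule; the condition requires min_match strings (or all if fewer)."""
    needed = min(min_match, len(strings))
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    lines += ["    condition:", f"        {needed} of ($s*)", "}"]
    return "\n".join(lines)


def generate_rule(sample, goodware, name):
    """yarGen-style pipeline: strings(sample) minus strings(goodware) -> rule text."""
    unique = filter_goodware(extract_strings(sample), extract_strings(goodware))
    return build_rule(name, unique)


if __name__ == "__main__":
    print(generate_rule(SUSPICIOUS_SAMPLE, GOODWARE_CORPUS, "constructed_file2_rule"))
```

Running it prints a rule whose only strings are the dropper path and the beacon URL; the DOS stub text and the kernel32 imports are removed because the goodware corpus also contains them. That is exactly the false-positive reduction --excludegood is for: a rule built from the unfiltered string list would match every normal PE file on the host.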
Another tool created to assist with this is yarAnalyzer (also created by Florian Roth).
Further Reading on creating Yara rules and using yarGen: