{"id":1402,"date":"2016-04-15T11:04:17","date_gmt":"2016-04-15T11:04:17","guid":{"rendered":"https:\/\/www.bsk-consulting.de\/?p=1402"},"modified":"2022-10-04T18:13:03","modified_gmt":"2022-10-04T16:13:03","slug":"how-to-write-simple-but-sound-yara-rules-part-3","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/","title":{"rendered":"How to Write Simple but Sound Yara Rules \u2013 Part 3"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; admin_label=&#8221;section&#8221; _builder_version=&#8221;4.16&#8243; global_colors_info=&#8221;{}&#8221; da_is_popup=&#8221;off&#8221; da_exit_intent=&#8221;off&#8221; da_has_close=&#8221;on&#8221; da_alt_close=&#8221;off&#8221; da_dark_close=&#8221;off&#8221; da_not_modal=&#8221;on&#8221; da_is_singular=&#8221;off&#8221; da_with_loader=&#8221;off&#8221; da_has_shadow=&#8221;on&#8221; da_disable_devices=&#8221;off|off|off&#8221;][et_pb_row admin_label=&#8221;row&#8221; _builder_version=&#8221;4.16&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.16&#8243; custom_padding=&#8221;|||&#8221; global_colors_info=&#8221;{}&#8221; custom_padding__hover=&#8221;|||&#8221;][et_pb_text admin_label=&#8221;Text&#8221; _builder_version=&#8221;4.18.0&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; hover_enabled=&#8221;0&#8243; global_colors_info=&#8221;{}&#8221; sticky_enabled=&#8221;0&#8243;]It has been a while since I wrote &#8220;<a href=\"\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\">How to Write Simple but Sound Yara Rules &#8211; Part 2<\/a>&#8220;. 
Since then I changed my rule creation method to generate more versatile rules that can also be used for in-memory detection. Furthermore, new features were added to yarGen and yarAnalyzer.<\/p>\n<h1>Binarly<\/h1>\n<p>The most important feature of the upcoming <a href=\"https:\/\/github.com\/Neo23x0\/yarGen\/\" target=\"_blank\" rel=\"noopener noreferrer\">yarGen YARA Rule Generator<\/a> release is the Binarly API integration.<br \/>\nBinarly is a &#8220;binary search engine&#8221; that can search arbitrary byte patterns through the contents of tens of millions of samples, instantly. It allows you to quickly get answers to questions like:<\/p>\n<ul>\n<li>\u201cWhat other files contain this code\/string?\u201d<\/li>\n<li>\u201cCan\u00a0this code\/string be found in clean applications or malware samples?\u201d<\/li>\n<\/ul>\n<p><div id=\"attachment_1464\" style=\"width: 599px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1464\" src=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.43.14.png\" alt=\"Binary Search Engine - Binar.ly\" width=\"589\" height=\"188\" class=\"size-full wp-image-1464\" srcset=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.43.14.png 589w, \/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.43.14-480x153.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 589px, 100vw\" \/><p id=\"caption-attachment-1464\" class=\"wp-caption-text\">Binary Search Engine &#8211; Binar.ly<\/p><\/div><br \/>\nThis means that you can use Binarly to quickly verify the quality of your YARA strings.<br \/>\nFurthermore, Binarly has a YARA file search functionality, which you can use to scan their entire collection (currently at 7.5+ Million PE files, 3.5M clean &#8211; over 6TB) with your rule in less than a minute.<br \/>\nFor yarGen I integrated their API from <a href=\"https:\/\/github.com\/binarlyhq\/binarly-sdk\" 
target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/binarlyhq\/binarly-sdk<\/a>.<br \/>\nIn order to be able to use it you just need an API key that you can get for free if you contact them at <a href=\"mailto:contact@binar.ly\" target=\"_blank\" rel=\"noopener noreferrer\">contact@binar.ly<\/a>. They are looking for researchers interested in testing the service. They limit the requests per day to 10,000 for free accounts &#8211; which is plenty. yarGen uses between 50 and 500 requests per sample during rule generation.<br \/>\nThe following screenshot shows Binarly lookups in yarGen&#8217;s debugging mode. You can see that some of the strings produce a pretty high score. This score is added to the total score, which decides if a string gets included in the final YARA rule. The score generation process from the Binarly results is more complex than it might seem. For example, I had to score samples down that had 3000+ malware but also 1000 goodware matches. The goodware matches have higher weight than the malware matches. A string could have 15.000+ malware matches &#8211; if it also appears in 1000 goodware matches it does not serve as a good YARA rule string. 
I also handled cases in which small result sets lead to high Binarly scores.<br \/>\n<div id=\"attachment_1456\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1456\" class=\"size-large wp-image-1456\" src=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-12-at-21.03.02.png\" alt=\"Binarly Service Lookup in yarGen 0.16\" width=\"620\" height=\"262\" srcset=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-12-at-21.03.02.png 620w, \/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-12-at-21.03.02-480x203.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 620px, 100vw\" \/><p id=\"caption-attachment-1456\" class=\"wp-caption-text\">Binarly Service Lookup in yarGen 0.16<\/p><\/div><br \/>\nTherefore\u00a0the evaluation method that generates the score of each string has been further improved in the new version 0.16.0 of yarGen. Both the Binarly service and the new yarGen version are still in &#8216;testing&#8217;. Do not upgrade your local yarGen installation to v0.16b in cases in which you rely on the rule generation process. Follow <a href=\"https:\/\/twitter.com\/cyb3rOps\" target=\"_blank\" rel=\"noopener noreferrer\">me<\/a> and <a href=\"https:\/\/twitter.com\/danielradu\" target=\"_blank\" rel=\"noopener noreferrer\">Daniel Radu<\/a>\u00a0(Binarly) on Twitter to stay up-to-date.<\/p>\n<h1>Improved Rule Generation<\/h1>\n<p>But let&#8217;s talk about the improved rule generation process.<br \/>\nAs described in my previous articles, I try to divide the list of strings generated by yarGen into two different groups:<\/p>\n<ul>\n<li><strong>Highly Specific Strings<\/strong><br \/>\nThese strings include C2 server addresses, mutexes, PDB file names, tool\/malware names (nbtscan.exe, iexp1orer.exe), tool outputs (e.g. 
&#8220;Micosoft Corporation&#8221;)<\/li>\n<li><strong>Suspicious Strings<\/strong><br \/>\nThese strings look suspicious and uncommon but may appear in some exotic goodware, dictionary libraries or unknown software (e.g. &#8216;\/logos.gif&#8217;, &#8216;&amp;PassWord=&#8217;, &#8216;User-Agent: Mozilla&#8217;\u00a0&gt; I&#8217;ve seen pigs fly &#8211; legitimate software contains the rarest strings)<\/li>\n<\/ul>\n<p>In previous examples I always tended to combine these strings with magic header and file size. yarGen 0.15 and older versions generated those rules by default. The problem with these rules is that they do not detect the malware or tools\u00a0in process memory.<br \/>\nTherefore I changed my rule generation process and adjusted yarGen to follow that example. As I said before, yarGen is not designed to generate perfect rules. Its main purpose is to generate raw rules that require the least effort to complete and could also work without further modification.<br \/>\nThe following image shows how new rules are composed. They contain two main conditions, one for the file detection and one for the in-memory detection. I tried to copy the manual rule generation process as far as possible.<br \/>\n<div id=\"attachment_1459\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1459\" class=\"wp-image-1459 size-large\" src=\"\/wp-content\/uploads\/2016\/04\/YARA_Rule_Comps-1.png\" alt=\"YARA Rule Creation\" width=\"620\" height=\"363\" \/><p id=\"caption-attachment-1459\" class=\"wp-caption-text\">YARA rule composition (manual composition and yarGen v0.16)<\/p><\/div><br \/>\nThe statement to detect files on disk combines the magic header, file size and only one of the highly specific strings OR a set of the suspicious strings.<br \/>\nFor the in-memory detection I omit the magic header and file size. 
Highly specific strings and suspicious strings are combined with a logical AND.<br \/>\nThe different statements (manual rule creation) look like this:<\/p>\n<pre>\n\/* Detects File on Disk *\/\n( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 4 of ($s*) ) )\nor\n\/* Detects Malware\/Tool in Memory *\/\n( 1 of ($x*) and 4 of ($s*) )\n<\/pre>\n<p>Here is an example of a rule produced by yarGen v0.16 (<a href=\"https:\/\/www.hybrid-analysis.com\/sample\/bfec01b50d32f31b33dccef83e93c43532a884ec148f4229d40cbd9fdc88b1ab?environmentId=1\" target=\"_blank\" rel=\"noopener noreferrer\">sample Unit 78020 - WininetMM.exe<\/a>). It shows a 'raw' rule without further editing and the 'scores' included as comments:<\/p>\n<pre>\nrule WininetMM {\n\tmeta:\n\t\tdescription = \"Auto-generated rule - file WininetMM.exe\"\n\t\tauthor = \"YarGen Rule Generator\"\n\t\treference = \"not set\"\n\t\tdate = \"2016-04-15\"\n\t\thash1 = \"bfec01b50d32f31b33dccef83e93c43532a884ec148f4229d40cbd9fdc88b1ab\"\n\tstrings:\n\t\t$x1 = \".?AVCWinnetSocket@@\" fullword ascii \/* PEStudio Blacklist: strings *\/ \/* score: '40.00' (binarly: 30.0) *\/\n\t\t$x2 = \"DATA_BEGIN:\" fullword ascii \/* PEStudio Blacklist: strings *\/ \/* score: '36.89' (binarly: 27.89) *\/\n\t\t$x3 = \"dMozilla\/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '32.53' (binarly: 5.53) *\/\n\t\t$s4 = \"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '20.00' (binarly: -7.0) *\/\n\t\t$s5 = \"Accept-Encoding:gzip,deflate\/r\/n\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '10.35' (binarly: -1.65) *\/\n\t\t$s6 = \"\/%d%s%d\" fullword ascii \/* score: '10.27' (binarly: 0.27) *\/\n\t\t$s7 = \"%USERPROFILE%\\\\Application Data\\\\Mozilla\\\\Firefox\\\\Profiles\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '9.36' (binarly: -13.64) 
*\/\n\t\t$s8 = \"Content-Type:application\/x-www-form-urlencoded\/r\/n\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '5.61' (binarly: -9.39) *\/\n\t\t$s9 = \".?AVCMyTlntTrans@@\" fullword ascii \/* score: '5.00' *\/\n\tcondition:\n\t\t( uint16(0) == 0x5a4d and filesize < 300KB and ( 1 of ($x*) and all of ($s*) ) ) or ( all of them )\n}\n<\/pre>\n<p>You may ask \"Why do 'DATA_BEGIN:' and '.?AVCWinnetSocket@@' have such high scores?\" Well, that's the reason why analysts need the support of big data:<br \/>\n<img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.51.40.png\" alt=\"Screen Shot 2016-04-15 at 12.51.40\" width=\"620\" height=\"221\" class=\"alignnone size-large wp-image-1468\" srcset=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.51.40.png 620w, \/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.51.40-480x171.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 620px, 100vw\" \/><br \/>\n<img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.52.01.png\" alt=\"Screen Shot 2016-04-15 at 12.52.01\" width=\"620\" height=\"203\" class=\"alignnone size-large wp-image-1469\" srcset=\"\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.52.01.png 620w, \/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.52.01-480x157.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 620px, 100vw\" \/><br \/>\nI have to add that Binarly offers two query modes (fast\/exact), of which yarGen uses the 'fast' mode. An analyst who doubts the produced results would use the 'exact' query mode to verify the results manually. 
Please ask Daniel about the details.<\/p>\n<h1>yarAnalyzer - Inventory Generation<\/h1>\n<p>The new version of <a href=\"https:\/\/github.com\/Neo23x0\/yarAnalyzer\/\" target=\"_blank\" rel=\"noopener noreferrer\">yarAnalyzer<\/a> allows you to generate an inventory of your YARA rule sets. This feature comes in very handy in cases in which you have to handle a big set of rules. The '--inventory' option generates a CSV file that can be prettied up in MS Excel or OpenOffice Calc.<br \/>\n<div id=\"attachment_1453\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1453\" class=\"size-large wp-image-1453\" src=\"\/wp-content\/uploads\/2016\/04\/yarAnalyzer.jpg\" alt=\"YARA Rule Analyzer\" width=\"620\" height=\"390\" \/><p id=\"caption-attachment-1453\" class=\"wp-caption-text\">yarAnalyzer Inventory<\/p><\/div>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It has been a while since I wrote &#8220;How to Write Simple but Sound Yara Rules &#8211; Part 2&#8221;. Since then I changed my rule creation method to generate more versatile rules that can also be used for in-memory detection. Furthermore new features were added to yarGen and yarAnalyzer. Binarly The most important feature of the upcoming yarGen YARA Rule Generator release is the Binarly API integration. Binarly is a &#8220;binary search engine&#8221; that can search arbitrary byte patterns through the contents of tens of millions of samples, instantly. It allows you to quickly get answers to questions like: \u201cWhat other files contain this code\/string?\u201d \u201cCan\u00a0this code\/string be found in clean applications or malware samples?\u201d This means that you can use Binarly to quickly verify the quality of your YARA strings. 
Furthermore, Binarly has a YARA file search functionality, which you can use to scan their entire collection (currently at 7.5+ Million PE files, 3.5M clean &#8211; over 6TB) with your rule in a less than a minute. For yarGen I integrated their API from https:\/\/github.com\/binarlyhq\/binarly-sdk. In order to be able to use it you just need an API key that you can get for free if you contact them [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"It has been a while since I wrote \"<a href=\"https:\/\/www.bsk-consulting.de\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\">How to Write Simple but Sound Yara Rules - Part 2<\/a>\". Since then I changed my rule creation method to generate more versatile rules that can also be used for in-memory detection. Furthermore new features were added to yarGen and yarAnalyzer.\r\n<h1>Binarly<\/h1>\r\nThe most important feature of the upcoming <a href=\"https:\/\/github.com\/Neo23x0\/yarGen\/\" target=\"_blank\" rel=\"noopener noreferrer\">yarGen YARA Rule Generator<\/a> release is the Binarly API integration.\r\nBinarly is a \"binary search engine\" that can search arbitrary byte patterns through the contents of tens of millions of samples, instantly. 
It allows you to quickly get answers to questions like:\r\n<ul>\r\n\t<li>\u201cWhat other files contain this code\/string?\u201d<\/li>\r\n\t<li>\u201cCan\u00a0this code\/string be found in clean applications or malware samples?\u201d<\/li>\r\n<\/ul>\r\n[caption id=\"attachment_1464\" align=\"alignnone\" width=\"589\"]<a href=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.43.14.png\" rel=\"attachment wp-att-1464\"><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.43.14.png\" alt=\"Binary Search Engine - Binar.ly\" width=\"589\" height=\"188\" class=\"size-full wp-image-1464\" \/><\/a> Binary Search Engine - Binar.ly[\/caption]\r\nThis means that you can use Binarly to quickly verify the quality of your YARA strings.\r\nFurthermore, Binarly has a YARA file search functionality, which you can use to scan their entire collection (currently at 7.5+ Million PE files, 3.5M clean - over 6TB) with your rule in a less than a minute.\r\nFor yarGen I integrated their API from <a href=\"https:\/\/github.com\/binarlyhq\/binarly-sdk\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/github.com\/binarlyhq\/binarly-sdk<\/a>.\r\nIn order to be able to use it you just need an API key that you can get for free if you contact them at <a href=\"mailto:contact@binar.ly\" target=\"_blank\" rel=\"noopener noreferrer\">contact@binar.ly<\/a>. They are looking for researchers interested in testing the service. They limit the requests per day to 10,000 for free accounts - which is plenty. yarGen uses between 50 and 500 requests per sample during rule generation.\r\nThe following screenshot shows Binarly lookups in yarGen's debugging mode. You can see that some of the strings produce a pretty high score. This score is added to the total score, which decides if a string gets included in the final YARA rule. 
The score generation process from the Binarly results is more complex than it might seem. For example, I had to score samples down that had 3000+ malware but also 1000 goodware matches. The goodware matches have higher weight than the malware matches. A string could have 15.000+ malware matches - if it also appears in 1000 goodware matches it does not serve as a good YARA rule string. I also handled cases in which small result sets lead to high Binarly scores.\r\n[caption id=\"attachment_1456\" align=\"alignnone\" width=\"620\"]<a href=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-12-at-21.03.02.png\" rel=\"attachment wp-att-1456\"><img class=\"size-large wp-image-1456\" src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-12-at-21.03.02-620x262.png\" alt=\"Binarly Service Lookup in yarGen 0.16\" width=\"620\" height=\"262\" \/><\/a> Binarly Service Lookup in yarGen 0.16[\/caption]\r\nTherefore\u00a0the evaluation method that generates the score of each string has been further improved in the new version 0.16.0 of yarGen. Both the Binarly service and the new yarGen version are still 'testing'. Do not upgrade your local yarGen installation to v0.16b in cases in which you rely on the rule generation process. Follow <a href=\"https:\/\/twitter.com\/cyb3rOps\" target=\"_blank\" rel=\"noopener noreferrer\">me<\/a> and <a href=\"https:\/\/twitter.com\/danielradu\" target=\"_blank\" rel=\"noopener noreferrer\">Daniel Radu<\/a>\u00a0(Binarly) on twitter to stay up-to-date.\r\n<h1>Improved Rule Generation<\/h1>\r\nBut let's talk about the improved rule generation process.\r\nAs described in my previous articles, I try to divide the list of strings generated by yarGen into two different groups:\r\n<ul>\r\n\t<li><strong>Highly Specific Strings<\/strong>\r\nThese strings include C2 server addresses, mutextes, PDB file names, tool\/malware names (nbtscan.exe, iexp1orer.exe), tool outputs (e.g. 
keylog text output format), typos in common strings (e.g. \"Micosoft Corporation\")<\/li>\r\n\t<li><strong>Suspicious Strings<\/strong>\r\nThese strings look suspicious and uncommon but may appear in some exotic goodware, dictionary libraries or unknown software (e.g. '\/logos.gif', '&PassWord=', 'User-Agent: Mozilla'\u00a0> I've seen pigs fly - legitimate software contains the rarest strings)<\/li>\r\n<\/ul>\r\nIn previous examples I always tended to combine these strings with magic header and file size. yarGen 0.15 and older versions generated those rules by default. The problem with these rules is that they do not detect the malware or tools\u00a0to process memory.\r\nTherefore I changed my rule generation process and adjusted yarGen to follow that example. As I said before, yarGen is not designed to generate perfect rules. Its main purpose is to generate raw rules that require the least effort to complete and could also work without further modification.\r\nThe following image shows how new rules are composed. They contain two main conditions, one for the file detection and one for the in-memory detection. I tried to copy the manual rule generation process as far as possible.\r\n[caption id=\"attachment_1459\" align=\"alignnone\" width=\"620\"]<a href=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/YARA_Rule_Comps-1.png\"><img class=\"wp-image-1459 size-large\" src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/YARA_Rule_Comps-1-620x363.png\" alt=\"YARA Rule Creation\" width=\"620\" height=\"363\" \/><\/a> YARA rule composition (manual composition and yarGen v0.16)[\/caption]\r\nThe statement to detect files on disk combines the magic header, file size and only one of the highly specific strings OR a set of the suspicious strings.\r\nFor the in-memory detection I omit the magic header and file size. 
Highly specific strings and suspicious strings are combined with a logical AND.\r\nThe different statements (manual rule creation) look like this:\r\n[cc lang=\"javascript\"]\r\n\/* Detects File on Disk *\/\r\n( uint16(0) == 0x5a4d and filesize < 100KB and ( 1 of ($x*) or 4 of ($s*) ) )\r\nor\r\n\/* Detects Malware\/Tool in Memory *\/\r\n( 1 of ($x*) and 4 of ($s*) )\r\n[\/cc]\r\nHere is an example of a rule produced by yarGen v0.16 (<a href=\"https:\/\/www.hybrid-analysis.com\/sample\/bfec01b50d32f31b33dccef83e93c43532a884ec148f4229d40cbd9fdc88b1ab?environmentId=1\" target=\"_blank\" rel=\"noopener noreferrer\">sample Unit 78020 - WininetMM.exe<\/a>). I shows a 'raw' rule without further editing and the 'scores' included as comments:\r\n[cc lang=\"javascript\"]\r\nrule WininetMM {\r\n\tmeta:\r\n\t\tdescription = \"Auto-generated rule - file WininetMM.exe\"\r\n\t\tauthor = \"YarGen Rule Generator\"\r\n\t\treference = \"not set\"\r\n\t\tdate = \"2016-04-15\"\r\n\t\thash1 = \"bfec01b50d32f31b33dccef83e93c43532a884ec148f4229d40cbd9fdc88b1ab\"\r\n\tstrings:\r\n\t\t$x1 = \".?AVCWinnetSocket@@\" fullword ascii \/* PEStudio Blacklist: strings *\/ \/* score: '40.00' (binarly: 30.0) *\/\r\n\t\t$x2 = \"DATA_BEGIN:\" fullword ascii \/* PEStudio Blacklist: strings *\/ \/* score: '36.89' (binarly: 27.89) *\/\r\n\t\t$x3 = \"dMozilla\/4.0 (compatible; MSIE 6.0;Windows NT 5.0; .NET CLR 1.1.4322)\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '32.53' (binarly: 5.53) *\/\r\n\t\t$s4 = \"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '20.00' (binarly: -7.0) *\/\r\n\t\t$s5 = \"Accept-Encoding:gzip,deflate\/r\/n\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '10.35' (binarly: -1.65) *\/\r\n\t\t$s6 = \"\/%d%s%d\" fullword ascii \/* score: '10.27' (binarly: 0.27) *\/\r\n\t\t$s7 = \"%USERPROFILE%\\Application Data\\Mozilla\\Firefox\\Profiles\" fullword wide \/* PEStudio 
Blacklist: strings *\/ \/* score: '9.36' (binarly: -13.64) *\/\r\n\t\t$s8 = \"Content-Type:application\/x-www-form-urlencoded\/r\/n\" fullword wide \/* PEStudio Blacklist: strings *\/ \/* score: '5.61' (binarly: -9.39) *\/\r\n\t\t$s9 = \".?AVCMyTlntTrans@@\" fullword ascii \/* score: '5.00' *\/\r\n\tcondition:\r\n\t\t( uint16(0) == 0x5a4d and filesize < 300KB and ( 1 of ($x*) and all of ($s*) ) ) or ( all of them )\r\n}\r\n[\/cc]\r\nYou may ask \"Why do the 'DATA_BEGINS:' and '.?AVCWinnetSocket@@' do have such high scores\"? Well, that's the reason why analysts needs the support of big data:\r\n<a href=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.51.40.png\" rel=\"attachment wp-att-1468\"><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.51.40-620x221.png\" alt=\"Screen Shot 2016-04-15 at 12.51.40\" width=\"620\" height=\"221\" class=\"alignnone size-large wp-image-1468\" \/><\/a>\r\n<a href=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.52.01.png\" rel=\"attachment wp-att-1469\"><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/Screen-Shot-2016-04-15-at-12.52.01-620x203.png\" alt=\"Screen Shot 2016-04-15 at 12.52.01\" width=\"620\" height=\"203\" class=\"alignnone size-large wp-image-1469\" \/><\/a>\r\nI have to add that Binarly offers two query modes (fast\/exact) of which yarGen uses the 'fast' mode. An analyst that doubts the produced results would use 'exact' query mode to verify the results manually. Please ask Daniel about the details.\r\n<h1>yarAnalyzer - Inventory Generation<\/h1>\r\nThe new version of <a href=\"https:\/\/github.com\/Neo23x0\/yarAnalyzer\/\" target=\"_blank\" rel=\"noopener noreferrer\">yarAnalyzer<\/a> allows to generate an inventory of your YARA rule sets. This features comes in very handy in cases in which you have to handle a big set of rules. 
The '--inventory' option generates a CSV file that can be prettied up in MS Excel or Openoffice Calc.\r\n[caption id=\"attachment_1453\" align=\"alignnone\" width=\"620\"]<a href=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/yarAnalyzer.jpg\" rel=\"attachment wp-att-1453\"><img class=\"size-large wp-image-1453\" src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2016\/04\/yarAnalyzer-620x390.jpg\" alt=\"YARA Rule Analyzer\" width=\"620\" height=\"390\" \/><\/a> yarAnalyzer Inventory[\/caption]","_et_gb_content_width":"","footnotes":""},"categories":[264,269,47],"tags":[528,13,256,259,300,529,97,124,62,137,48,530],"class_list":["post-1402","post","type-post","status-publish","format-standard","hentry","category-tool","category-tutorial","category-yara","tag-binarly","tag-detection","tag-erkennen","tag-ids","tag-intrusion-detection","tag-ips","tag-loki","tag-malware","tag-rules","tag-tool","tag-yara","tag-yargen"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Write Simple but Sound Yara Rules \u2013 Part 3 - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"How to Write Simple but Sound 
Yara Rules \u2013 Part 3\",\"datePublished\":\"2016-04-15T11:04:17+00:00\",\"dateModified\":\"2022-10-04T16:13:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/\"},\"wordCount\":1073,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"binarly\",\"detection\",\"erkennen\",\"ids\",\"intrusion detection\",\"ips\",\"loki\",\"malware\",\"Rules\",\"tool\",\"YARA\",\"yargen\"],\"articleSection\":[\"Tool\",\"Tutorial\",\"YARA\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/\",\"name\":\"How to Write Simple but Sound Yara Rules \u2013 Part 3 - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2016-04-15T11:04:17+00:00\",\"dateModified\":\"2022-10-04T16:13:03+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2016\/04\/15\/how-to-write-simple-but-sound-yara-rules-part-3\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems 
GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}
