
Yara

Introduction

YARA is a tool that helps malware researchers identify and classify malware samples by matching textual or binary patterns described in rules.

Basic rule

// Modules must be imported before they are used in a condition
import "elf"
import "hash"

rule Example {
    meta:
        author = "xanhacks"
        description = "Check for the 'malware' string, ELF (x86_64), checksum, ..."

    strings:
        // case-insensitive match for the word "malware"
        $malware = "malware" nocase

    condition:
        // string present and file smaller than 200 KB
        $malware and filesize < 200KB
        // ELF header declares an x86_64 machine
        and elf.machine == elf.EM_X86_64
        // SHA-256 of the whole file (offset 0, length filesize) matches
        and hash.sha256(0, filesize) == "4672c9c4de661309db41c93aa8ad7f24afdb68db51068cee588050eaf7bf67d7"
}

Run yara

$ yara
yara: wrong number of arguments
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

Try `--help` for more options

$ yara basic.yara malware
Example malware

Modules

YARA modules such as pe, elf, hash and math expose parsed file structure, checksums and statistics to rule conditions; each one is loaded with an import statement at the top of the rules file, as in the basic rule above.

Related tools:

  • Loki: scanner for simple Indicators of Compromise.
  • yarGen: a generator for YARA rules.
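As an added example (not from the original page), the rule below goes beyond the basic rule and combines the pe and math modules with string modifiers and a hex pattern with wildcards; the API names, byte pattern and entropy threshold are illustrative assumptions, not indicators from any real sample.

```yara
import "pe"
import "math"

// Added example, not part of the original page.
// Flags a PE that imports or names common injection APIs and carries
// at least one high-entropy section (a packed or encrypted payload).
rule Example_PE_Injection_HighEntropy
{
    meta:
        author = "added example"
        description = "PE naming injection APIs with a high-entropy section"

    strings:
        // ASCII and UTF-16 forms, case-insensitive
        $api1 = "CreateRemoteThread" ascii wide nocase
        $api2 = "VirtualAllocEx" ascii wide nocase
        $api3 = "WriteProcessMemory" ascii wide nocase
        // push 0x40 (PAGE_EXECUTE_READWRITE) then push 0x3000
        // (MEM_COMMIT | MEM_RESERVE), the argument setup of a typical
        // VirtualAlloc call; illustrative assumption
        $alloc = { 6A 40 68 00 30 00 00 }

    condition:
        // "MZ" at offset 0 and "PE\0\0" at the offset stored in e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 5MB and
        // at least two API names, or the raw allocation pattern
        (2 of ($api*) or $alloc) and
        // any non-empty section whose Shannon entropy exceeds 7.0 bits/byte
        for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].raw_data_size > 0 and
            math.entropy(pe.sections[i].raw_data_offset,
                         pe.sections[i].raw_data_size) > 7.0
        )
}
```

Run it the same way as the basic rule (yara rules.yara FILE); add -s to print the matched strings and their offsets.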