
I have found a malware binary, which I am curious to see what patterns have been found from this file. Also I have a collection of ~1000 IOCs and YARA rules related to malware and RATs. I used Loki, yara-gui, the yara64 binary itself (I don't remember the link source) and some other tools, but none of them are capable of scanning multiple rules against a single file. I already wrote a simple Python script (it scans multiple times, not complicated) and it is so slow and messy:

import os
import subprocess

rules = input("Rules Folder: ")
mal = input("Malicious File: ")
# only the files directly inside the rules folder (subfolders are not walked)
paths = [os.path.join(rules, fn) for fn in next(os.walk(rules))[2]]

# one yara process per rule file; each run's output is appended to output.txt
# (argument list instead of os.system, so paths with quotes/spaces are passed as-is)
with open("output.txt", "ab") as out:
    for path in paths:
        subprocess.run(["yara64.exe", path, mal, "--no-warnings", "-f", "-e", "-m"], stdout=out)

So how do you scan your sample against multiple YARA rules? Any specific or public (free/paid) tool or script which is efficient?

0_o

1 Answer

YARA allows you to specify multiple rules files to be used (as of the latest version).

yara64.exe path/rule/file1 path/rule/file2 path/rule/file3 malwareFile

I don't know what the limit to the number of rule file paths you can specify is in a single YARA invocation, but this should make it considerably easier to script.

Daisetsu
  • Nice, this is in the newer version. But again we have to write a script to do it multiple times. – 0_o Oct 29 '18 at 07:16
  • I don't think there's a perfect solution, but this may speed up your execution 10x-100x. – Daisetsu Oct 29 '18 at 07:28
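A scripted version of the single-invocation approach from the answer, added here as an example and not code from the question, the answer, or the YARA project: it collects every rule file under a folder, runs yara once with all of them (each file in its own namespace, so two rule files that both define a rule with the same name do not fail compilation as duplicate identifiers), and parses the `-e -m` output into records instead of appending raw text to a file. It assumes the yara CLI (`yara64.exe` on Windows, `yara` elsewhere) is on PATH and the documented `[NAMESPACE:]RULES_FILE...` argument form; `SAMPLE_OUTPUT` is constructed output, not a real scan, and the remark in `build_command` about Windows drive-letter paths is an assumption to verify on your yara build.

```python
"""Scan one sample against a folder of YARA rule files in ONE yara process
and parse the -e/-m output into records.  Added example, not code from the
question or answer; assumes the yara CLI is on PATH."""
import os
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List

# One yara match line as printed with -e (namespace) and -m (meta), e.g.
#   APT_Generic:Suspicious_Mutex [author="x",score=70] /tmp/sample.bin
# Namespace and the [meta] block are optional so plain output parses too.
MATCH_LINE = re.compile(
    r"^(?:(?P<ns>[^:\s]+):)?(?P<rule>\S+)"
    r"(?: \[(?P<meta>.*?)\])?"
    r" (?P<path>.+)$"
)
# key=value items inside the [meta] block; quoted strings may contain commas.
META_ITEM = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')

# Constructed sample output for the offline demo (not captured from a real scan).
SAMPLE_OUTPUT = """\
APT_Generic:Suspicious_Mutex [author="constructed",score=70] /tmp/sample.bin
RAT_Family:Config_Block_Present [description="constructed, not a real hit"] /tmp/sample.bin
Plain_Rule /tmp/sample.bin
0x1a2b:$s1: 48 65 6c 6c 6f
"""


@dataclass
class Match:
    namespace: str
    rule: str
    path: str
    meta: Dict[str, str] = field(default_factory=dict)


def collect_rule_files(rules_dir: str) -> List[str]:
    """Every .yar/.yara file under rules_dir (subfolders included), sorted."""
    found = []
    for root, _dirs, files in os.walk(rules_dir):
        for fn in files:
            if fn.lower().endswith((".yar", ".yara")):
                found.append(os.path.join(root, fn))
    return sorted(found)


def build_command(rule_files: List[str], sample: str,
                  yara_bin: str = "yara64.exe" if os.name == "nt" else "yara",
                  use_namespaces: bool = True) -> List[str]:
    """argv for a single yara run over all rule files (no shell involved, so
    odd file names are never interpreted by cmd/sh).  Each file becomes its
    own namespace (its base name) so duplicate rule names across files do
    not collide.  yara takes the text before the first ':' as the namespace;
    on Windows pass rule paths without a drive letter or set
    use_namespaces=False (assumption: verify on your build)."""
    argv = [yara_bin, "--no-warnings", "-f", "-e", "-m"]
    for path in rule_files:
        if use_namespaces:
            ns = os.path.splitext(os.path.basename(path))[0]
            argv.append(f"{ns}:{path}")
        else:
            argv.append(path)
    argv.append(sample)
    return argv


def parse_output(text: str) -> List[Match]:
    """Turn yara stdout into Match records; -s string-hit lines (0x...) are skipped."""
    matches = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("0x"):
            continue
        m = MATCH_LINE.match(line)
        if not m:
            continue
        meta = {k: v.strip('"') for k, v in META_ITEM.findall(m.group("meta") or "")}
        matches.append(Match(m.group("ns") or "default", m.group("rule"),
                             m.group("path"), meta))
    return matches


def scan(rules_dir: str, sample: str) -> List[Match]:
    """Run the whole rule set against the sample in one yara process."""
    argv = build_command(collect_rule_files(rules_dir), sample)
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"yara failed: {proc.stderr.strip()}")
    return parse_output(proc.stdout)


if __name__ == "__main__":
    import sys
    # usage: python scan_rules.py RULES_DIR SAMPLE ; with no args, demo on SAMPLE_OUTPUT
    hits = scan(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else parse_output(SAMPLE_OUTPUT)
    for h in hits:
        print(f"{h.namespace}:{h.rule}  {h.meta}")
```

Compared with the loop in the question, this starts one process and compiles the rules once; the namespace prefix is what makes a large mixed collection of public rule files compile together at all, because duplicate rule names across files would otherwise abort the run.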