A repository with the yara rules that I've been using for improving my yara skills and hunting malware.

aleprada/my_yara_rules

My Yara rules

This repository contains some YARA rules that I've created for analysing different well-known malware. I will try to add more rules from time to time.

The repository is divided into 3 categories:

  • APT
  • Ransomware
  • Trojans

Methodology

The rules have been created following the Florian Roth methodology described in the article "How to write Simple but Sound Yara rules": Part 1 and Part 2. According to Florian, the majority of YARA rules shared on the Internet generate a lot of false positives. Besides, a high percentage of rules are too specific to match more than one sample.

To solve this, the author of the articles proposes checking all the strings of a sample and sorting them into at least 2 different categories from the following list, so that the rule's condition can draw on more than one category:

  • Very specific strings = hard indicators for a malicious sample
  • Rare strings = likely that they do not appear in goodware samples, but possible
  • Strings that look common = (Optional) e.g. yarGen output strings that do not seem to be specific but didn’t appear in the goodware string database.
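As an added illustration of this categorisation (not one of the repository's own rules; every string below is constructed for the example rather than taken from a real sample), a rule that labels each category by prefix and whose condition combines categories instead of relying on any single one:

```yara
rule Example_StringCategories_Illustration
{
    meta:
        description = "Added example of the two-category string approach; all strings are constructed, not from a real sample"
        author = "added example, not part of the repository"

    strings:
        // Very specific strings ($x*): hard indicators on their own, e.g. a constructed PDB path or mutex name
        $x1 = "C:\\constructed\\dev\\loader\\Release\\loader.pdb" ascii
        $x2 = "CONSTRUCTED-MUTEX-7f3a" ascii wide

        // Rare strings ($s*): unlikely in goodware, but possible, so never sufficient alone
        $s1 = "cmd.exe /c del " ascii
        $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
        $s3 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0" ascii

        // Common-looking strings ($c*): optional, only used to reinforce the rarer categories
        $c1 = "GetProcAddress" ascii
        $c2 = "VirtualAlloc" ascii

    condition:
        // MZ header and a size bound narrow the search space and cut false positives
        uint16(0) == 0x5a4d and filesize < 500KB and
        (
            1 of ($x*)                          // a single hard indicator is enough
            or ( 2 of ($s*) and 1 of ($c*) )    // otherwise require two categories together
        )
}
```

Because the `$s*` and `$c*` strings only fire in combination, a benign binary that happens to contain one registry path or one API name does not match, which is the false-positive reduction the methodology aims for.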
