Code Snippets YARA


IDDQD – Godmode YARA Rule

/* (ASCII-art banner comment, garbled in this excerpt) […]

YARA rule that matches MS HWC signed KmdfLibrary driver PE binaries without Product resource info, like the NetFilter rootkit.

import "vt"

rule ms_hwc_sig_kmdf_driver_no_prod_info {
    meta:
        license = "4-Clause BSD"
    strings:
        $ms_hwc_serial = { 33 00 00 00 B5 21 3F CA 1E 4A A0 3D E4 00 00 00 00 00 B5 }
        $kmdf_library = "KmdfLibrary" nocase wide ascii
        $prod_name = "ProductName" wide
        $prod_ver = "ProductVersion" wide
    condition:
        vt.metadata.new_file and uint16(0) == 0x5a4d and […]

YARA Rule for identifying FritzFrog malware

rule FritzFrog {
    meta:
        description = "Detect FritzFrog malware"
        author = "Naman Arora"
        date = "2021-04-27"
        hash = "001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859"
    strings:
        $debug = "/home/nignog/development/" nocase ascii
        $elf = { 7F 45 4C 46 }
    condition:
        $elf at 0 and filesize < 10MB and $debug
}