Wafaray – Enhance Your Malware Detection With WAF + YARA (WAFARAY)

WAFARAY is a LAB deployment based on Debian 11.3.0 (stable) x64 made and cooked between two main ingredients WAF + YARA to detect malicious files (e.g. webshells, virus, malware, binaries) typically through web functions (upload files). Purpose In essence, the main idea came to use WAF + YARA (YARA right-to-left = ARAY) to detect maliciousRead More

MSI Dump – A Tool That Analyzes Malicious MSI Installation Packages, Extracts Files, Streams, Binary Data And Incorporates YARA Scanner

MSI Dump – a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner. On Macro-enabled Office documents we can quickly use oletools mraptor to determine whether document is malicious. If we want to dissect it further, we could bring in oletools olevba or oledump. To dissect malicious MSIRead More

Yaralyzer – Visually Inspect And Force Decode YARA And Regex Matches Found In Both Binary And Text Data, With Colors

Visually inspect all of the regex matches (and their sexier, more cloak and dagger cousins, the YARA matches) found in binary data and/or text. See what happens when you force various character encodings upon those matched bytes. With colors. Quick Start pipx install yaralyzer# Scan against YARA definitions in a file:yaralyze –yara-rules /secret/vault/sigmunds_malware_rules.yara lacan_buys_the_dip.pdf# ScanRead More

Factual-Rules-Generator – An Open Source Project Which Aims To Generate YARA Rules About Installed Software From A Machine

Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a running operating system. The goal of the software is to be able to use a set of rules against collected or acquired digital forensic evidences and find installed software in a timely fashion. The software can be usedRead More

Halogen – Automatically Create YARA Rules From Malicious Documents

Halogen is a tool to automate the creation of yara rules against image files embedded within a malicious document. Halogen help python3 halogen.py -husage: halogen.py [-h] [-f FILE] [-d DIR] [-n NAME] [–png-idat] [–jpg-sos]Halogen: Automatically create yara rules based on images embedded in officedocuments.optional arguments: -h, –help show this help message and exit -f FILE,Read More

Kraken – Cross-platform Yara Scanner Written In Go

Kraken is a simple cross-platform Yara scanner that can be built for Windows, Mac, FreeBSD and Linux. It is primarily intended for incident response, research and ad-hoc detections (not for endpoint protection). Following are the core features: Scan running executables and memory of running processes with provided Yara rules (leveraging go-yara). Scan executables installed forRead More

YARASAFE – Automatic Binary Function Similarity Checks with Yara

SAFE is a tool developed to create Binary Functions Embedding developed by Massarelli L., Di Luna G.A., Petroni F., Querzoni L. and Baldoni R. You can use SAFE to create your function embedding to use inside yara rules.If you are interested take a look at our research paper: https://arxiv.org/abs/1811.05296If you are using this for yourRead More