Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/uppusaikiran/yara-finder
Simple tool to find the yara matches on a file
- Host: GitHub
- URL: https://github.com/uppusaikiran/yara-finder
- Owner: uppusaikiran
- License: mit
- Created: 2018-08-22T06:52:09.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2018-08-27T18:44:11.000Z (over 6 years ago)
- Last Synced: 2024-08-08T09:38:27.067Z (6 months ago)
- Topics: malware, malware-analysis, malware-analyzer, yara, yara-rules
- Language: Python
- Size: 1.42 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGES.rst
- License: LICENSE.txt
- Authors: AUTHORS.rst
Awesome Lists containing this project
- awesome-yara - Yara Finder
- awesome-malware-analysis - Yara Finder - A simple tool to yara match the file against various yara rules to find the indicators of suspicion. (Detection and Classification / Other Resources)
- fucking-awesome-malware-analysis - Yara Finder - A simple tool to yara match the file against various yara rules to find the indicators of suspicion. (Detection and Classification / Other Resources)
README
# Yara-Finder
A simple tool that matches a file against a collection of YARA rules and returns the names of the rules that hit, as indicators of suspicion.

# Usage:
### Clone the repo and install the requirements with `pip install -r requirements.txt`
```
admin@cuckoo /tmp % git clone git@github.com:uppusaikiran/yara-finder.git
Cloning into 'yara-finder'...
remote: Counting objects: 577, done.
remote: Compressing objects: 100% (533/533), done.
remote: Total 577 (delta 46), reused 567 (delta 36), pack-reused 0
Receiving objects: 100% (577/577), 1.43 MiB | 580.00 KiB/s, done.
Resolving deltas: 100% (46/46), done.
Checking connectivity... done.
admin@cuckoo /tmp % cd yara-finder
admin@cuckoo /tmp/yara-finder
% pip install -r requirements.txt
```
### Run the program
```
admin@cuckoo /tmp/yara-finder
% python app.py
Compiling rules from /tmp/yara-finder/rules
* Running on http://0.0.0.0:7777/ (Press CTRL+C to quit)
```
#### Submit a file to get the YARA matches
The server binds to `0.0.0.0:7777`, i.e. every interface on the host, so any client that can reach that port can submit files; keep it on a trusted network or firewall the port.
```
admin@cuckoo /tmp/yara-finder/tests
% curl -X POST -F [email protected] http://0.0.0.0:7777/yara
{
"match": [
"domain",
"Big_Numbers1",
"multiple_versions",
"url",
"contentis_base64",
"multiple_versions",
"Big_Numbers1"
],
"status": "success"
}
```
### Use case for a malicious sample
```
curl -X POST -F file=@e336f967802da8342f724d56dadb1e54200840f681927ba6b3d0a5a1dab3e3c2 http://0.0.0.0:7777/yara
{
"match": [
"domain",
"anti_dbg",
"win_mutex",
"win_registry",
"win_files_operation",
"VC8_Microsoft_Corporation",
"Microsoft_Visual_Cpp_8",
"IsPE32",
"IsWindowsGUI",
"HasDebugData",
"HasRichSignature",
"Advapi_Hash_API",
"BASE64_table",
"maldoc_find_kernel32_base_method_1",
"VC8_Microsoft_Corporation",
"Microsoft_Visual_Cpp_8",
"anti_dbg",
"win_mutex",
"win_registry",
"win_files_operation",
"IsPE32",
"IsWindowsGUI",
"HasDebugData",
"HasRichSignature",
"System_Tools",
"Dropper_Strings",
"Misc_Suspicious_Strings",
"contentis_base64",
"maldoc_find_kernel32_base_method_1",
"Advapi_Hash_API",
"BASE64_table"
],
"status": "success"
}
```

## Docker Usage:
```
docker pull uppusaikiran/yara-finder
docker run -p 7777:7777 --rm -it uppusaikiran/yara-finder
admin@cuckoo /tmp/yara-finder/tests
% curl -X POST -F [email protected] http://0.0.0.0:7777/yara
{
"match": [
"domain",
"Big_Numbers1",
"multiple_versions",
"url",
"contentis_base64",
"multiple_versions",
"Big_Numbers1"
],
"status": "success"
}
```

## Features:
* Easy to deploy and simple to use.
* Extend the rule set with custom and third-party YARA rules by dropping them into the rules folder.
* Layered scanning: zip archives are extracted and the rules are applied to the contained files as well as to the archive itself.
* Frequent updates of the bundled YARA rules in the repo (the repository metadata above shows the last push in August 2018, so compare the rules folder against current upstream rule sets before relying on it).

## Credits
* Built on yara_scan written by @tylerha97
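The layered scanning listed under Features (run the rules on the archive, extract it, run them on each member) is not reproduced on this page. The following is an added example, not yara-finder's own code, of how such a scan can be built on yara-python so that it returns the same JSON body shown in the curl examples above. `MAX_DEPTH`, `MAX_MEMBERS`, `MAX_MEMBER_BYTES`, the `.yar`/`.yara` rules layout, and the `demo_matcher` stand-in rules are assumptions; the nested zip it scans is constructed in the code.

```python
import base64
import glob
import io
import os
import re
import zipfile
from typing import Callable, List

# A matcher takes raw bytes and returns the names of the rules that hit.
Matcher = Callable[[bytes], List[str]]

MAX_DEPTH = 3                          # assumed: nested archives to descend into
MAX_MEMBERS = 1000                     # assumed: members inspected per archive
MAX_MEMBER_BYTES = 32 * 1024 * 1024    # assumed: bytes decompressed per member (zip-bomb guard)


def yara_matcher(rules_dir: str) -> Matcher:
    """Matcher backed by yara-python (pip install yara-python). Compiles every
    .yar/.yara file under rules_dir (assumed layout), one namespace per file so
    same-named rules in different files do not collide."""
    import yara  # imported here so the rest of the example runs without it
    paths = [p for ext in ("*.yar", "*.yara")
             for p in glob.glob(os.path.join(rules_dir, "**", ext), recursive=True)]
    rules = yara.compile(filepaths={os.path.relpath(p, rules_dir): p for p in paths})
    return lambda data: [m.rule for m in rules.match(data=data)]


def scan_layers(data: bytes, matcher: Matcher, depth: int = 0) -> List[str]:
    """Run the matcher on data; if data is a zip archive, also run it on every
    member, recursing into nested archives up to MAX_DEPTH. Names come back in
    the order seen, so a rule that hits in two layers appears twice."""
    names = list(matcher(data))
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return names
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist()[:MAX_MEMBERS]:
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue  # skip directories and members whose declared size is over the cap
            try:
                with archive.open(info) as member:
                    content = member.read(MAX_MEMBER_BYTES + 1)
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                continue  # corrupt, encrypted or unsupported compression: cannot inspect
            if len(content) > MAX_MEMBER_BYTES:
                continue  # header lied about the size: treat as a decompression bomb
            names.extend(scan_layers(content, matcher, depth + 1))
    return names


def yara_response(data: bytes, matcher: Matcher) -> dict:
    """Body in the shape the /yara endpoint returns on this page, with repeated
    rule names collapsed (first occurrence wins) so each indicator is listed once."""
    return {"match": list(dict.fromkeys(scan_layers(data, matcher))), "status": "success"}


def demo_matcher(data: bytes) -> List[str]:
    """Constructed stand-in for three rules named on this page (domain, url,
    contentis_base64) so the example runs without yara-python or a rules folder.
    Crude string checks, not the real rules."""
    hits = []
    if re.search(rb"[a-z0-9-]+\.(com|net|org)\b", data):
        hits.append("domain")
    if b"http://" in data or b"https://" in data:
        hits.append("url")
    body = data.strip()
    if len(body) >= 16 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", body):
        hits.append("contentis_base64")
    return hits


def build_nested_sample() -> bytes:
    """Constructed input: a zip holding a text file plus an inner zip whose only
    member is a base64 blob. ZIP_STORED keeps the text visible in the raw archive."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as z:
        z.writestr("payload.b64", base64.b64encode(b"MZ this is a fake payload for the demo"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("notes.txt", b"see http://example.com/update for details")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) == 3:  # python layered_scan.py <rules_dir> <file>: real rules
        with open(sys.argv[2], "rb") as fh:
            print(json.dumps(yara_response(fh.read(), yara_matcher(sys.argv[1])), indent=2))
    else:                   # no arguments: the constructed sample with the stand-in rules
        print(json.dumps(yara_response(build_nested_sample(), demo_matcher), indent=2))
```

Run it with no arguments to scan the constructed sample with the stand-in rules, or as `python layered_scan.py <rules_dir> <file>` to use real rules through yara-python. The depth, member-count and size caps are the part worth keeping: a scanner that recurses into every member of every nested archive without limits is an easy denial-of-service target for a crafted zip, and a file-submission endpoint on `0.0.0.0` is exactly where such a zip would arrive.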