Inhaltsverzeichnis

Create a file on the vulnerable server

Count sequences of printable characters with a minimum length of 7

# Count the printable runs of at least 7 bytes in sample.exe
# (-n is the short form of --bytes).
strings -n 7 sample.exe | wc -l

Rule to detect cmd.exe

offset.yar

rule cmd_rule
{
    // Flags files that embed the template "cmd.exe /c \"%s\"" — the %s
    // placeholder suggests a printf-style format used to hand an arbitrary
    // string to cmd.exe (verify against the sample before relying on it).
    // Default modifiers apply: ASCII, case-sensitive, not fullword.
    strings:
       $cmd = "cmd.exe /c \"%s\""

    condition:
       $cmd
}
# Scan the current directory with offset.yar; -s prints every matched
# string with its offset. sudo is presumably only needed because the
# scanned files are not readable by the current user.
sudo yara -s /home/student/Desktop/rules/offset.yar .

Rule to identify PE file type

pe.yar

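rule IsPeFile
{
	// Matches files that look like PE images: "MZ" (0x5A4D little-endian)
	// at offset 0 and the "PE\0\0" signature (0x4550) at the offset stored
	// in the DOS header's e_lfanew field at 0x3C.
	// Both checks are integer reads instead of a text string so the whole
	// file is not scanned for "MZ" merely to test offset 0; this is also the
	// same form the generated mw_rule uses. A file too short for either read
	// leaves the expression undefined and the rule does not match.
	condition:
		uint16(0) == 0x5A4D and
		uint32(uint32(0x3C)) == 0x4550
}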

Rule to detect malware in PE files

Generate Rule from Strings

generate_rule.sh

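#!/bin/bash
#
# generate_rule.sh - build a YARA rule (mw_rule) from a list of strings.
#
# Reads one candidate string per line from STRINGS_IN and writes a rule that
# matches when any of them occurs (fullword, ASCII) in a PE file, i.e. a file
# with "MZ" at offset 0 and the "PE\0\0" signature at the offset stored in
# the e_lfanew field (0x3C).
#
# Usage: generate_rule.sh [RULE_OUT] [STRINGS_IN]
#   RULE_OUT   - .yar file to write  (default: /home/student/Desktop/rules/malware.yar)
#   STRINGS_IN - string list to read (default: /home/student/Desktop/intel/strings.txt)
#
# Exits non-zero if the string list cannot be read or holds no non-empty line,
# because the resulting rule would not compile in yara anyway.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Escape a raw string for use inside a YARA double-quoted text string.
# Backslashes are doubled first, then quotes are escaped; the other order
# would re-escape the backslash inserted in front of each quote. A raw
# backslash left as-is would be read by yara as the start of an escape
# sequence (\" \\ \t \n \xNN) and either reject the rule or alter the pattern.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
yara_escape() {
  local text=$1
  text=${text//\\/\\\\}   # \ -> \\
  text=${text//\"/\\\"}   # " -> \"
  printf '%s' "$text"
}

#######################################
# Read the string list and write the rule file.
# Arguments: $1 - output .yar path (optional)
#            $2 - input string list (optional)
#######################################
main() {
  local rule_out=${1:-/home/student/Desktop/rules/malware.yar}
  local strings_in=${2:-/home/student/Desktop/intel/strings.txt}
  local -a patterns=()
  local line i

  [[ -r "$strings_in" ]] || die "cannot read string list: $strings_in"

  # IFS= keeps surrounding whitespace, -r keeps backslashes literal, and the
  # "|| -n" clause still processes a last line that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue   # "" is not a valid YARA string
    patterns+=("$(yara_escape "$line")")
  done < "$strings_in"

  (( ${#patterns[@]} > 0 )) || die "no usable strings in $strings_in"

  # Emit the whole rule through a single redirection instead of one per line.
  {
    printf 'rule mw_rule\n{\n'
    printf '  strings:\n'
    for i in "${!patterns[@]}"; do
      # Identifiers are numbered from $s1, as the original generator did.
      printf '    $s%d = "%s" fullword ascii\n' "$((i + 1))" "${patterns[i]}"
    done
    printf '\n'
    printf '  condition:\n'
    printf '    any of them and\n'
    printf '    uint16(0) == 0x5A4D and\n'
    printf '    uint32(uint32(0x3C)) == 0x4550\n'
    printf '}\n'
  } > "$rule_out"
}

main "$@"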

Final Rule

malware.yar -> generated, but only the relevant string was kept

rule mw_rule
{
  // Hand-trimmed copy of the generated malware.yar: of all the extracted
  // strings only $s176 was kept, so the rule requires that one string
  // together with the PE header checks (MZ at 0, PE\0\0 at e_lfanew).
  strings:
    $s176 = "cmd.exe /c \"%s\"" fullword ascii

  condition:
    $s176 and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550
}

# Scan the suspicious directory with the trimmed rule; -s prints each matched
# string and its offset so the hit can be checked by hand.
yara -s /home/student/Desktop/rules/malware.yar /home/student/Desktop/suspicious