Yara signatures

Malcat is tightly integrated with Yara and features a powerful Yara editor / browser. Currently, Malcat embeds Yara version 4.2.1 with the PE, dotnet and ELF modules enabled. If you want to make the most of your Yara rules inside Malcat, you’ll need to follow a couple of guidelines, which are explained in this chapter.

Importing a ruleset split in multiple files

You can add your own Yara rules to Malcat by either using the integrated editor (cf. Adding a rule) or by directly adding Yara files (*.yar or *.yara) in the subdirectory signatures/ of your User data directory. This directory is rescanned before every analysis, so you don’t need to restart Malcat to see the latest changes.

Every *.yar file in the signatures directory will be imported separately in its own namespace. So if your Yara rules are split into several files and include each other, this may lead to situations where a rule is imported twice or where a rule can’t access another rule because it lies in another namespace. If you want to avoid this scenario, the correct way to store your rules is:

  • create a subdirectory (e.g. signatures/myrules) in your User data directory that contains all the .yar files to be included. Subdirectories are not scanned by Malcat, so these .yar files won’t be imported on their own.

  • put a single .yar file in the signatures directory that includes all your .yar files from signatures/myrules (in the correct order, so that each rule is defined before the rules that reference it)

If you want an example, have a look at <malcat install dir>/data/signatures.

Rules writing/importing guideline

Currently, Malcat embeds Yara version 4.2.1 with the PE, dotnet and ELF modules enabled, so you can use every modern Yara feature and all the functions found in these modules. There are only four (optional) syntactic points to take into consideration to make the best use of your Yara rules inside Malcat. If you are Adding a rule using the integrated editor, these details are handled by the UI for you. But if you are importing external rules, you may need to update them.

You may write your rule as you see fit. But if you want Malcat’s user interface to display your rule properly (i.e. with the right color and in the right group), you have to give Malcat a few pieces of information about your rule. Basically, each Yara rule in Malcat benefits from having the following elements:

  • one of the rule tags should specify the danger level of the rule (i.e. which color will be used in the Summary view and in the Yara editor / browser). Supported tags are:

    • red: malware, malicious, adware, apt, rat, ransom, ransomware, banker, trojan, virus, worm

    • orange: pua, tool, hacktool

    • yellow: suspect, suspicious, heuristic

    • gray: odd, rare, weird, misc, unusual

    • green: clean

    • blue: all other tags / no tag

  • a description metadata entry which describes what the rule detects. This will be displayed in the Yara rule quick view.

  • a category metadata entry: matching Yara rules are grouped by category in the Summary view.

  • a reliability metadata entry: a number between 0 and 100. It should represent your level of confidence in this rule, 100 meaning it produces no false positives or false negatives whatsoever. In Malcat the reliability is represented by the green gauge to the right of the rule name. If not specified, a default reliability of 50 is assumed.

    Note

    The reliability field has been added because most of the publicly available Yara rules are really prone to false positives.

Here is a simple example taken from the Malcat rule set:

import "pe"
rule WinrarSelfExtractor : tool {
    meta:
        category = "sfx"
        description = "WINRAR self extractor"
        reliability = 80
    strings:
        $c1 = "RarHtmlClassName" wide
        $c2 = "GETPASSWORD1" wide
        $c3 = "RarSFX" wide
        $rar = { 526172211A07 }
    condition:
        pe.overlay.size > 64 and $rar at pe.overlay.offset and all of ($c*)
}

If you follow these simple guidelines, you should see improvements in the presentation of your rules inside Malcat.
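When importing external rulesets, the four points above are easy to miss, so here is an added Python linter (not part of Malcat or of this documentation) that checks a ruleset against them: it maps the rule tags to the color table given above, reports missing description, category and reliability entries, and validates that reliability is an integer between 0 and 100. Its parsing is a line-based heuristic that assumes each rule is closed by a `}` on its own line; the sample ruleset embeds the WinrarSelfExtractor rule from this page together with a second, constructed rule written in the style of a typical public ruleset. Which color Malcat picks when several tags map to different colors is not documented here, so the linter only flags that case.

```python
"""Lint Yara rules against Malcat's display conventions (added example, not
Malcat code): a tag that maps to a color, plus description, category and
reliability meta entries. Parsing is a line-based heuristic (a lone '}' ends
a rule); the color table is the one from this page."""
import re

COLOR_TAGS = {
    "red": {"malware", "malicious", "adware", "apt", "rat", "ransom", "ransomware",
            "banker", "trojan", "virus", "worm"},
    "orange": {"pua", "tool", "hacktool"},
    "yellow": {"suspect", "suspicious", "heuristic"},
    "gray": {"odd", "rare", "weird", "misc", "unusual"},
    "green": {"clean"},
}
DEFAULT_RELIABILITY = 50  # what Malcat assumes when the meta entry is missing
HEADER_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)\s*(?::\s*([^{]*))?")
META_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")


def parse_value(raw):
    """Turn a meta value literal into str, bool or int (else keep the raw text)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw, 0)
    except ValueError:
        return raw


def parse_rules(text):
    """Return [{'name', 'tags', 'meta'}] for every rule in the text."""
    rules, cur, section = [], None, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"name": m.group(1), "tags": (m.group(2) or "").split(), "meta": {}}
            section = None
            continue
        if cur is None:
            continue
        s = line.strip()
        if s == "}":
            rules.append(cur)
            cur = None
        elif s in ("meta:", "strings:", "condition:"):
            section = s[:-1]
        elif section == "meta":
            km = META_RE.match(line)
            if km:
                cur["meta"][km.group(1)] = parse_value(km.group(2))
    return rules


def lint_rule(rule):
    """Return (color Malcat would use, reliability, list of warnings)."""
    warnings = []
    colors = [c for tag in rule["tags"] for c, names in COLOR_TAGS.items() if tag in names]
    if not colors:
        warnings.append("no danger-level tag: rule will be shown in blue")
    elif len(colors) > 1:
        warnings.append("tags map to several colors: " + ", ".join(colors))
    meta = rule["meta"]
    for key in ("description", "category"):
        if key not in meta:
            warnings.append(f"missing meta '{key}'")
    reliability = meta.get("reliability", DEFAULT_RELIABILITY)
    if "reliability" not in meta:
        warnings.append(f"missing meta 'reliability': Malcat assumes {DEFAULT_RELIABILITY}")
    elif isinstance(reliability, bool) or not isinstance(reliability, int) or not 0 <= reliability <= 100:
        warnings.append(f"reliability should be an integer from 0 to 100, got {reliability!r}")
    # with several color tags the first one is reported; which one Malcat uses is not documented
    return (colors[0] if colors else "blue"), reliability, warnings


def lint_ruleset(text):
    return {r["name"]: lint_rule(r) for r in parse_rules(text)}


# The first rule is the example from this page; the second is constructed to
# look like a typical public rule that carries none of Malcat's metadata.
SAMPLE_RULES = r'''
import "pe"
rule WinrarSelfExtractor : tool {
    meta:
        category = "sfx"
        description = "WINRAR self extractor"
        reliability = 80
    strings:
        $c1 = "RarHtmlClassName" wide
        $c2 = "GETPASSWORD1" wide
        $c3 = "RarSFX" wide
        $rar = { 526172211A07 }
    condition:
        pe.overlay.size > 64 and $rar at pe.overlay.offset and all of ($c*)
}

// constructed rule: two tags of different colors, no description/category, bad reliability
rule Generic_Dropper_Strings : trojan suspicious {
    meta:
        author = "someone"
        reliability = "high"
    strings:
        $a = "ExampleDropperMarker" ascii
    condition:
        $a
}
'''

if __name__ == "__main__":
    for name, (color, reliability, warnings) in lint_ruleset(SAMPLE_RULES).items():
        print(f"{name}: color={color} reliability={reliability}")
        for w in warnings:
            print(f"  - {w}")
```

Feed it the text of each external .yar file before dropping the file into signatures/; a rule with an empty warning list will show up in the Summary view with the intended color, group and gauge.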