Yara signatures (malcat.sigs)

malcat.sigs: bindings.Signatures

The malcat.sigs object is a bindings.Signatures instance that gives you access to all matching and unmatching Yara signatures evaluated against the current file.

Note that in addition to this documentation, you can find usage examples in the sample script which is loaded when you hit F8.

Accessing / enumerating cross-references

Malcat embeds a Yara scanner as one of its analyses (see Yara signatures). The result of the scan is available through the malcat.sigs python object. Accessing the result of the scan can be useful in your scripts. If you plan to limit your script to Delphi programs for instance, a simple if "Delphi" in malcat.sigs is enough.

class bindings.Signatures
__iter__()

Iterate over all matching signatures

for sig in malcat.sigs:
    print(f"yara rule {sig.name} ({sig.id}) : {sig.type} matched !")
Return type

iterator over ScanRule

matching

Same as above

Return type

iterator over ScanRule

all

Iterate over all signatures, even the non-matching ones

Return type

iterator over ScanRule

__getitem__(name)

Returns the first (matching or not) ScanRule whose ScanRule.id or ScanRule.name is name. Prioritiy is given to the id matching. If no rule with this id can be found, the search is performed on the name. If no such rule can be found, None is returned.

if malcat.sigs["Delphi"].matching:
    print("Delphi!")
Parameters

name (str) – rule id or name to search for

Return type

ScanRule or None

__contains__(name)

return True iff a rule named name has matched the file. Prioritiy is given to the id matching. If no rule with this id can be found, the search is performed on the name. If no such rule can be found, False is returned.

if "Delphi" in malcat.sigs:
    print("Delphi!")
Parameters

name (str) – rule id or name to search for

Return type

bool

__len__(name)

return the number of Yara signatures in database

Return type

int

Rule object

Yara rule

Yara rules are python objects of type bindings.ScanRule and offer the following interface:

class bindings.ScanRule
id: str

Yara rule unique identifier

name: str

nice name for the rule (not always unique)

matching: bool

did the rule match?

reliability: int

reliability score of the rule, an int between 0 and 100 inclusive. 100 means the rule has no FP/FN

type: bindings.ScanRule.Type

the dangeority of the rule

category: str

the category metadata of the rule: “packer”, “compiler”, “evasion”, etc.

description: str

the description metadata of the rule, a free-form string

tags: List[str]

all the Yara tags for the rule

__len__()

number of matching strings / patterns

Return type

int

patterns: List[ScanPattern]

the list of all string/regexp patterns (matching and non-matching) of the rule, see below

for pattern in malcat.sigs["QakBot"].patterns:
    for offset, size in pattern.matches:
        print(f"    - pattern {pattern.id} matched at #{offset:x}-#{offset + size:x}")

Rule type / tags

The ScanRule.type of a ScanRule is its dangerosity level. The dangerosity level of a rule is determined by the Yara tags set for the rule.

class bindings.ScanRule.Type
MALWARE

this Yara rule detects malicious files only. This means that the rule has one of the following tags:

  • malware

  • malicious

  • adware

  • apt

  • rat

  • ransom

  • ransomware

  • banker

  • trojan

  • virus

  • worm

SUSPICIOUS

this Yara rule detects suspicious intent which is often found in malicious files. This means that the rule has one of the following tags:

  • suspect

  • suspicious

  • heuristic

UNCOMMON

this Yara rule detects uncommon characteristics. The file can be clean or malicious. This means that the rule has one of the following tags:

  • odd

  • rare

  • weird

  • unusual

TOOL

this Yara rule detects known tools and techniques that can be used with both good and bad intents. This means that the rule has one of the following tags:

  • pua

  • tool

  • hacktool

INFO

all other tags / no tag

Pattern

Patterns are any entry defined in the “strings:” portion of a Yara rule. They have the following interface:

class bindings.ScanPattern
id: str

the identifier for the pattern, $a = ... -> a, empty string for the anonymous pattern “$”

matches: List[int, int]

all the matching locations of the pattern. It is a list of (physical address, size) pairs.