statiStrings

      _        _   _ ____  _        _
  ___| |_ __ _| |_(_) ___|| |_ _ __(_)_ __   __ _ ___
 / __| __/ _` | __| \___ \| __| '__| | '_ \ / _` / __|
 \__ \ || (_| | |_| |___) | |_| |  | | | | | (_| \__ \
 |___/\__\__,_|\__|_|____/ \__|_|  |_|_| |_|\__, |___/
                                             |___/
 YARA Rule Strings Statistics Calculator
 Shelly Raban (Sh3llyR), February 2021, Version 0.1
Table of Contents

  1. About The Project
     - Built With
  2. Getting Started
     - Installation
  3. Usage
  4. Contact
  5. Acknowledgements

About The Project

statiStrings is a strings statistics calculator for YARA rules.

The goal is to aid malware research. The tool helps you write better, more precise YARA rules for malware detection and malware hunting, based on your own databases of malicious and clean files.

For a given YARA rule and a directory of files, this tool returns the prevalence of each string from the rule in the matched files from the directory.

Built With


Getting Started

To use this tool, you must have Python installed.

Installation

Install yara-python

pip install yara-python

Clone the repo

git clone https://github.com/Sh3llyR/statiStrings.git

Usage

 usage: statiStrings.py [-h] [-y YARA_RULE] [-d TEST_DIR] [-t OUTPUT_TYPE]

 YARA Rule Strings Statistics Generator and Malware Research Helper

 optional arguments:
   -h, --help      show this help message and exit
   -y YARA_RULE    Path to the YARA Rule
   -d TEST_DIR     Path to the Directory of Files to be Scanned
   -t OUTPUT_TYPE  Output Type: s (sum - number of files in which each string
                   from the YARA rule occurred) / p (percentage - percent of
                   files in which each string from the YARA rule occurred).
                   Default is s

Usage example

Research of common strings in malicious batch scripts: First, I wrote a YARA rule with many commands that were found in malicious scripts. The condition was "any of them", which is very generic. Then, I ran this tool with the rule I wrote against a directory of malicious scripts (shown in the following example). Finally, I ran it against a directory of clean scripts. After going through the results for both the clean and the malicious scripts, I was able to:

  1. Group the strings of the YARA rule into suspicious ($s_...), for example tskill, and noisy ($n_...), for example echo.
  2. Create a condition for my rule that catches the malicious samples but not the clean samples, minimizing false positives.
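The statistic described under "About The Project" and the suspicious/noisy grouping from the usage example, as an added example in Python; this is not the project's own code. It assumes yara-python for the scan step, and the rule strings $tskill, $echo and $attrib, the file names and the 50% noisy threshold are constructed for illustration.

```python
import os
from collections import Counter

def scan_directory(rule_path, test_dir):
    """Return {path: {string ids that hit}} for files under test_dir that the rule
    matched. Needs yara-python; imported lazily so the statistics run without it."""
    import yara
    rules = yara.compile(filepath=rule_path)
    per_file = {}
    for root, _, names in os.walk(test_dir):
        for name in names:
            path = os.path.join(root, name)
            matches = rules.match(path)
            if matches:  # older yara-python: (offset, id, data) tuples; 4.3+: StringMatch
                per_file[path] = {s[1] if isinstance(s, tuple) else s.identifier
                                  for m in matches for s in m.strings}
    return per_file

def prevalence(per_file, rule_strings, output_type="s"):
    """'s': number of matched files in which each string occurred; 'p': that number as
    a percentage of matched files. A string counts once per file, however many hits."""
    hits = Counter()
    for matched in per_file.values():
        hits.update(set(matched))
    total = len(per_file)
    stats = {}
    for sid in rule_strings:
        n = hits.get(sid, 0)
        stats[sid] = n if output_type == "s" else (100.0 * n / total if total else 0.0)
    return stats

def split_suspicious_noisy(mal_pct, clean_pct, noisy_threshold=50.0):
    """Group strings as in the usage example: seen in malicious files and below the
    threshold in clean files -> suspicious; at or above it in clean files -> noisy."""
    suspicious = [s for s, p in mal_pct.items()
                  if p > 0 and clean_pct.get(s, 0.0) < noisy_threshold]
    noisy = [s for s, p in clean_pct.items() if p >= noisy_threshold]
    return sorted(suspicious), sorted(noisy)

# Constructed sample results in the shape scan_directory returns, for a hypothetical
# rule whose strings are $tskill, $echo and $attrib:
STRINGS = ["$tskill", "$echo", "$attrib"]
MALICIOUS = {"m1.bat": {"$tskill", "$echo", "$attrib"}, "m2.bat": {"$echo", "$attrib"},
             "m3.bat": {"$tskill", "$echo"}, "m4.bat": {"$attrib"}}
CLEAN = {"c1.bat": {"$echo"}, "c2.bat": {"$echo"}, "c3.bat": {"$echo", "$tskill"},
         "c4.bat": {"$echo"}, "c5.bat": {"$echo"}}

if __name__ == "__main__":
    print(prevalence(MALICIOUS, STRINGS, "s"), split_suspicious_noisy(
        prevalence(MALICIOUS, STRINGS, "p"), prevalence(CLEAN, STRINGS, "p")))
```

Note that a string hitting several times inside one file is still counted once, and percentages are relative to the files the rule matched, not to every file in the directory.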

Contact

LinkedIn

Project Link: https://github.com/Sh3llyR/statiStrings


Acknowledgements
