
Pestudio 2018

Furthermore, Binarly has a YARA file search functionality, which you can use to scan their entire collection (currently at 7.5+ million PE files, 3.5M clean – over 6TB) with your rule in less than a minute. This means that you can use Binarly to quickly verify the quality of your YARA strings.

They are looking for researchers interested in testing the service. In order to be able to use it you just need an API key that you can get for free if you contact them at [address not preserved]. They limit the requests per day to 10,000 for free accounts – which is plenty. yarGen uses between 50 and 500 requests per sample during rule generation.

The following screenshot shows Binarly lookups in yarGen’s debugging mode. You can see that some of the strings produce a pretty high score. This score is added to the total score, which decides if a string gets included in the final YARA rule.

The score generation process from the Binarly results is more complex than it might seem. For example, I had to score samples down that had 3000+ malware but also 1000 goodware matches. The goodware matches have higher weight than the malware matches. A string could have 15,000+ malware matches – if it also appears in 1000 goodware matches it does not serve as a good YARA rule string. I also handled cases in which small result sets lead to high Binarly scores. Therefore the evaluation method that generates the score of each string has been further improved in the new version 0.16.0 of yarGen. Both the Binarly service and the new yarGen version are still ‘testing’.
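The three properties described above (goodware matches outweigh malware matches, small result sets must not produce a high score, and the lookup score is only one component of the total that decides inclusion) can be made concrete in a small scoring function. The following is an added illustration written for this page, not yarGen's own code or Binarly's API: the weights, the log scaling, the confidence damping and the inclusion threshold are all assumptions chosen to exhibit the behaviour the text describes, and the candidate strings with their hit counts are constructed sample data.

```python
import math

# Illustrative parameters (assumptions for this example, not yarGen's constants).
GOODWARE_WEIGHT = 5.0      # one goodware hit outweighs several malware hits
MIN_CONFIDENT_HITS = 50    # below this many total hits the lookup is weak evidence
MAX_BONUS = 5.0            # cap on the lookup contribution in either direction
INCLUDE_THRESHOLD = 4.0    # total score a string needs to land in the rule


def binarly_string_score(malware_hits: int, goodware_hits: int) -> float:
    """Turn a (malware, goodware) hit-count pair into a bounded score contribution."""
    total = malware_hits + goodware_hits
    if total == 0:
        return 0.0  # never seen in the corpus: the lookup says nothing either way
    # Log scale: 15,000 malware hits is better than 150, but not 100x better.
    malware_evidence = math.log10(1 + malware_hits)
    # Goodware hits are penalised on the same scale, weighted several times over,
    # so 15,000 malware / 1,000 goodware still ends up strongly negative.
    goodware_penalty = GOODWARE_WEIGHT * math.log10(1 + goodware_hits)
    raw = malware_evidence - goodware_penalty
    # Small result sets are damped so a handful of hits cannot produce a high score.
    confidence = min(1.0, total / MIN_CONFIDENT_HITS)
    return max(-MAX_BONUS, min(MAX_BONUS, raw * confidence))


def select_rule_strings(candidates, threshold=INCLUDE_THRESHOLD):
    """Add the lookup score to each string's base score; keep those at or over threshold."""
    selected = []
    for string, base_score, malware_hits, goodware_hits in candidates:
        total = base_score + binarly_string_score(malware_hits, goodware_hits)
        if total >= threshold:
            selected.append(string)
    return selected


# Constructed sample: (string, base score from static heuristics, malware hits, goodware hits).
SAMPLE_CANDIDATES = [
    (r"C:\Users\dev\Desktop\dropper\Release\dropper.pdb", 3.0, 15000, 0),   # malware-only: strong
    ("!This program cannot be run in DOS mode.", 0.5, 15000, 1000),        # everywhere: useless
    ("Microsoft Visual C++ Runtime Library", 2.0, 3000, 1000),             # common in goodware too
    ("xor_key_0x5a", 3.5, 3, 0),                                            # tiny result set: damped
    ("cmd.exe /c del", 2.5, 400, 0),                                        # moderate, malware-only
]

if __name__ == "__main__":
    for string, base, m, g in SAMPLE_CANDIDATES:
        print(f"{binarly_string_score(m, g):+6.2f} (base {base}) {string!r}")
    print("selected:", select_rule_strings(SAMPLE_CANDIDATES))
```

The point worth noticing is that the `xor_key_0x5a` string, with a perfectly clean but tiny result set, does not get pushed over the threshold, while the DOS-stub string is driven to the negative cap despite 15,000 malware hits because of its 1,000 goodware hits.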