Showing posts with label multiple. Show all posts
Showing posts with label multiple. Show all posts

Friday, April 10, 2020

Use Powershell to Run Yara against entire Folder of Malware

# run "myrules.yar" against all *.bin files in a folder and print to standard output
get-childitem \ -filter *.bin |select fullname|foreach-object {$cmd ="&./yara64.exe myrules.yar "+ $_.fullname + " -s"; iex $cmd }

---------

run yara against all malware files in a folder

---------
sample output
---------
MindsparkToolbar \EasyPDFCombine.bin
0x4a34e:$eula: http://eula.mindspark.com/ask/0
0x4b2e6:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \EverydayLookup.bin
0x5c276:$eula: http://eula.mindspark.com/ask/0
0x5d20e:$eula: http://eula.mindspark.com/ask/0
0xc414:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc55a:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xc620:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
MindsparkToolbar \FromDocToPdf.bin
0x5fbce:$eula: http://eula.mindspark.com/ask/0
0x60b69:$eula: http://eula.mindspark.com/ask/0
0x5f05f:$publisher: Mindspark Interactive Network, Inc.
0x5f08d:$publisher: Mindspark Interactive Network, Inc.
0x600be:$publisher: Mindspark Interactive Network, Inc.
0x600ec:$publisher: Mindspark Interactive Network, Inc.
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafca:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb090:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
error: could not open file: \Internet
MindsparkToolbar \YourTemplateFinder.bin
0x5b498:$eula: http://eula.mindspark.com/ask/0
0x5c43a:$eula: http://eula.mindspark.com/ask/0
0xae8c:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xafe2:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
0xb0a8:$publisherWide: M\x00i\x00n\x00d\x00s\x00p\x00a\x00r\x00k\x00 \x00I\x00n\x00t\x00e\x00r\x00a\x00c\x00t\x00i\x00v\x00e\x00 \x00N\x00e\x00t\x00w\x00o\x00r\x00k\x00,\x00 \x00I\x00n\x00c\x00.\x00
Posted by at 1 comment:
Labels: , ,
Subscribe to: Posts (Atom)