mal
YARA rules, sandbox analysis, behavior detection.
Load with: use mal
Quick example
use mal
result = yaran(10, 10, "hello")
prn(result)
Functions
YARA rule compilation
yaran(n, cond, strs)
Builds a rule from n, cond and strs (rule name, condition and strings).
yarac(r)
Compiles rule r.
yaras(f, cr)
Takes f and cr.
yarad(f, rs)
Adds rs to f.
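The rule-building and matching steps above in plain Python, as an added example that is not the mal module's own code: yara_rule renders a rule source from the same three inputs (name, condition, strings) and yara_scan evaluates the common quantifier conditions against a buffer. The hex-string syntax, the escaping rules and the constructed DROPPER_STRINGS/YARA_SAMPLE inputs are this example's own assumptions; a real scan goes through the yara library, which supports the full condition language.

```python
import re
from typing import Dict

# Hex strings are written as space-separated byte pairs, e.g. "4D 5A 90 00".
# YARA wildcards ("??") and jumps are deliberately not supported by this toy.
_HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*$")
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def yara_rule(name: str, condition: str, strings: Dict[str, str]) -> str:
    """Render YARA rule source from a rule name, a condition and an
    {identifier: pattern} mapping (patterns are hex or text strings)."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid rule name: {name!r}")
    if not strings:
        raise ValueError("a rule needs at least one string")
    lines = [f"rule {name}", "{", "    strings:"]
    for ident, pattern in strings.items():
        if not _NAME_RE.match(ident):
            raise ValueError(f"invalid string identifier: {ident!r}")
        if _HEX_RE.match(pattern):
            lines.append(f"        ${ident} = {{ {pattern.upper()} }}")
        else:
            # YARA text strings use C-style escapes for backslash and quote
            escaped = pattern.replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'        ${ident} = "{escaped}"')
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines) + "\n"


def _pattern_bytes(pattern: str) -> bytes:
    if _HEX_RE.match(pattern):
        return bytes.fromhex(pattern)
    # YARA text strings are matched as raw bytes, not decoded text
    return pattern.encode("latin-1")


def yara_scan(strings: Dict[str, str], condition: str, data: bytes) -> bool:
    """Evaluate the rule's strings and a quantifier condition against data.
    Only 'all of them', 'any of them' and 'N of them' are handled here;
    anything else is rejected rather than silently misjudged."""
    m = re.fullmatch(r"(all|any|\d+) of them", condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    hits = {ident for ident, p in strings.items() if _pattern_bytes(p) in data}
    want = m.group(1)
    if want == "all":
        return len(hits) == len(strings)
    if want == "any":
        return bool(hits)
    return len(hits) >= int(want)


# Constructed sample inputs for the demonstration (not taken from real malware)
DROPPER_STRINGS = {
    "mz": "4D 5A",          # DOS header magic
    "cmd": "cmd.exe /c",
    "url": "http://",
}
YARA_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00" * 16 + b"cmd.exe /c whoami > out.txt\x00"

if __name__ == "__main__":
    print(yara_rule("dropper_sample", "2 of them", DROPPER_STRINGS))
    print("2 of them:", yara_scan(DROPPER_STRINGS, "2 of them", YARA_SAMPLE))
    print("all of them:", yara_scan(DROPPER_STRINGS, "all of them", YARA_SAMPLE))
```

The validation of rule and string identifiers matters when rule text is assembled from untrusted input (a web form, a feed): an unchecked name lets a caller inject extra rule source into the compiled set.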
Common YARA signatures
commo()
Built-in common signatures. Takes no arguments.
Sandbox analysis
masbx(f, tmo)
Sandbox run of f with timeout tmo.
sbxap(r)
Takes r.
sbxfi(r)
Takes r.
sbxne(r)
Takes r.
sbxpr(r)
Takes r.
Behavior scoring
behsc(r)
Scores r.
String extraction
strin(f, min)
Extracts strings from f; min is the minimum string length.
strun(f)
Extracts strings from f.
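What a minimum-length string extractor does under the hood, as an added example that is not the mal module's implementation: ASCII runs and UTF-16LE runs (the encoding Windows binaries use for wide strings) are pulled from a byte buffer with a length floor. The function names and the constructed STRINGS_SAMPLE bytes are this example's own.

```python
import re
from typing import Dict, List


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII (0x20-0x7e) at least min_len bytes long."""
    if min_len < 1:
        raise ValueError("min_len must be positive")
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII characters encoded as UTF-16LE (each followed
    by a NUL byte). Only the Basic Latin range is recovered, and the scan is
    not alignment-aware, so a run may start on an odd offset if the bytes
    happen to fit the pattern."""
    if min_len < 1:
        raise ValueError("min_len must be positive")
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def extract_strings(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    return {"ascii": ascii_strings(data, min_len),
            "utf16le": utf16le_strings(data, min_len)}


# Constructed sample: a fake DOS stub, a UTF-16LE DLL name, junk, and a URL.
STRINGS_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 4
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x01ab\x00"
    + b"http://example.invalid/update\x00"
)

if __name__ == "__main__":
    for kind, found in extract_strings(STRINGS_SAMPLE).items():
        print(kind, found)
```

Note that the wide string "kernel32.dll" is invisible to the ASCII pass (every character is separated by a NUL), which is why both passes are needed on Windows samples.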
Import hash
impha(f)
Import hash of f.
Rich header hash
richh(f)
Rich header hash of f.
TLS callback detection
tlsde(f)
Detects TLS callbacks in f.
Section entropy
entro(f)
Section entropy of f.
highe(f, thresh)
Sections of f whose entropy exceeds thresh.
Packer detection
packi(f)
Packer detection on f.
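The section-entropy and packer-detection helpers above rest on the same computation, so here is one added example covering both (it is not the mal module's code): Shannon entropy per section, a threshold filter, and a heuristic packer check that also looks at section names and at sections that are empty on disk but large in memory. The Section record, the function names, the packer name list and the constructed SAMPLE_SECTIONS are this example's own assumptions; a real implementation reads the section table from the PE header.

```python
import math
from collections import Counter
from typing import Dict, List, NamedTuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    uniform one. Compressed or encrypted sections sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class Section(NamedTuple):
    name: str
    raw: bytes          # bytes of the section as stored in the file
    virtual_size: int   # size the section occupies once mapped


def section_entropy(sections: List[Section]) -> Dict[str, float]:
    return {s.name: shannon_entropy(s.raw) for s in sections}


def high_entropy_sections(sections: List[Section], thresh: float = 7.0) -> List[str]:
    """Names of sections at or above thresh (7.0 is a common cut-off)."""
    return [s.name for s in sections if shannon_entropy(s.raw) >= thresh]


# Section names written by well-known packers (illustrative, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".vmp0", ".vmp1", ".themida", ".MPRESS1", ".MPRESS2"}


def packer_indicators(sections: List[Section], import_count: int,
                      thresh: float = 7.0) -> List[str]:
    """Heuristic packer detection. A known section name, a high-entropy
    section, a section with no data on disk but a large virtual size (where
    the unpacking stub writes the real image) and a near-empty import table
    each add a reason; an empty list means nothing fired."""
    reasons: List[str] = []
    known = sorted({s.name for s in sections} & PACKER_SECTION_NAMES)
    if known:
        reasons.append(f"packer section names: {', '.join(known)}")
    hot = high_entropy_sections(sections, thresh)
    if hot:
        reasons.append(f"high-entropy sections (>= {thresh}): {', '.join(hot)}")
    for s in sections:
        if len(s.raw) == 0 and s.virtual_size > 0:
            reasons.append(f"{s.name}: 0 bytes on disk, {s.virtual_size:#x} bytes virtual")
    if import_count <= 3:
        reasons.append(f"only {import_count} imports (typical of an unpacking stub)")
    return reasons


# Constructed UPX-style layout: an empty UPX0, a packed UPX1 and a small .rsrc.
_PACKED = bytes(range(256)) * 8          # stand-in for compressed data (uniform bytes)
SAMPLE_SECTIONS = [
    Section("UPX0", b"", 0x20000),
    Section("UPX1", _PACKED, 0x1000),
    Section(".rsrc", b"\x00" * 512, 0x200),
]
SAMPLE_IMPORT_COUNT = 3   # a minimal stub import table

if __name__ == "__main__":
    print(section_entropy(SAMPLE_SECTIONS))
    for reason in packer_indicators(SAMPLE_SECTIONS, SAMPLE_IMPORT_COUNT):
        print("-", reason)
```

Entropy alone misfires on resource sections that embed compressed images or certificates, which is why the check combines it with structural signals rather than reporting a single number.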
Import table analysis
impor(f)
Import table of f.
susim(i)
Flags suspicious entries in an import table i.
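One added example for the import-hash and import-table sections above (it is not the mal module's code): the imphash convention as pefile computes it (DLL name lower-cased with .dll/.ocx/.sys stripped, function name lower-cased, entries joined in import-directory order, MD5 of the result) and a watchlist-based suspicious-import check over the same import list. The function names, the watchlist and the constructed SAMPLE_IMPORTS are this example's own assumptions; the import list itself would come from parsing the PE import directory.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# (DLL name as written in the import directory, imported function name).
# Ordinal-only imports must already be rendered as "ord<N>" by the caller
# (pefile additionally resolves ordinals of ws2_32 and oleaut32 to names).
Import = Tuple[str, str]

_STRIP_EXT = (".dll", ".ocx", ".sys")


def imphash_string(imports: Iterable[Import]) -> str:
    """Canonical 'dll.func,dll.func,...' form. Order is significant: two
    binaries with the same APIs imported in a different order hash differently,
    which is exactly what makes imphash useful for clustering builds."""
    parts: List[str] = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in _STRIP_EXT:
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Illustrative watchlist keyed by lower-cased API name. Presence alone is not
# malicious (debuggers and AV use the same APIs); it is a triage signal.
SUSPICIOUS_APIS: Dict[str, str] = {
    "virtualallocex": "process injection",
    "writeprocessmemory": "process injection",
    "createremotethread": "process injection",
    "ntunmapviewofsection": "process hollowing",
    "setthreadcontext": "process hollowing",
    "isdebuggerpresent": "anti-debugging",
    "checkremotedebuggerpresent": "anti-debugging",
    "setwindowshookexa": "hooking/keylogging",
    "setwindowshookexw": "hooking/keylogging",
    "getasynckeystate": "keylogging",
    "urldownloadtofilea": "downloader",
    "internetopenurla": "downloader",
    "adjusttokenprivileges": "privilege manipulation",
}


def suspicious_imports(imports: Iterable[Import]) -> Dict[str, List[str]]:
    """Group imported functions that appear on the watchlist by technique."""
    found: Dict[str, List[str]] = {}
    for dll, func in imports:
        tag = SUSPICIOUS_APIS.get(func.lower())
        if tag:
            found.setdefault(tag, []).append(f"{dll}!{func}")
    return found


# Constructed import list resembling a simple injector.
SAMPLE_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("KERNEL32.dll", "IsDebuggerPresent"),
    ("USER32.dll", "MessageBoxA"),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
    print(suspicious_imports(SAMPLE_IMPORTS))
```

Imphash is an MD5 of names, not of code: a sample that resolves its APIs at runtime (GetProcAddress over a string table) shows only the loader imports and hashes like any other stub, so an empty suspicious list on a tiny import table is itself worth noting.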
Export table
expor(f)
Export table of f.
Entry point analysis
entry(f)
Entry point analysis of f.
VirusTotal lookup
vtloo(h)
Looks up hash h on VirusTotal.
vtup(f)
Takes f.
Memory dump analysis
dumpa(f)
Parses memory dump f.
injec(d)
Injection check on dump d.
hollo(d)
Hollowing check on dump d.
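The injection and hollowing checks above, as an added example over a simplified dump model (it is not the mal module's code): injected code is looked for as executable memory with no backing file, and hollowing as a main image whose base region is private, backed by the wrong file, or whose in-memory PE header no longer matches the on-disk header. The Region/ProcessDump records, the function names and the constructed SAMPLE_DUMP are this example's own assumptions; a real tool fills these records from the dump's VAD tree or a live VirtualQueryEx walk.

```python
from dataclasses import dataclass
from typing import List, Optional

# Windows page-protection constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
_EXEC = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass
class Region:
    base: int
    size: int
    protect: int
    mapped_path: Optional[str]   # backing file for image/mapped memory; None for private memory
    head: bytes                  # first bytes of the region as captured in the dump


@dataclass
class ProcessDump:
    image_base: int              # where the PEB says the main executable lives
    image_path: str
    disk_header: bytes           # first bytes of that executable read from disk
    regions: List[Region]


def find_injected(dump: ProcessDump) -> List[Region]:
    """Executable memory with no backing file. Legitimate code lives in mapped
    images, so private executable regions are the classic injection footprint;
    one that also starts with 'MZ' is a manually mapped PE."""
    return [r for r in dump.regions if r.mapped_path is None and r.protect & _EXEC]


def find_hollowed(dump: ProcessDump) -> List[str]:
    """Process hollowing replaces the main image after CreateProcess. Signs:
    the image base is private memory or backed by a different file, or the PE
    header in memory differs from the header on disk (relocation fix-ups are
    applied to section contents, not to the DOS/NT header bytes)."""
    reasons: List[str] = []
    img = next((r for r in dump.regions if r.base == dump.image_base), None)
    if img is None:
        return ["no region at the image base: original image was unmapped"]
    if img.mapped_path is None:
        reasons.append("image base is private memory, not the mapped executable")
    elif img.mapped_path.lower() != dump.image_path.lower():
        reasons.append(f"image base is backed by {img.mapped_path}, expected {dump.image_path}")
    n = min(len(img.head), len(dump.disk_header))
    if n and img.head[:n] != dump.disk_header[:n]:
        reasons.append("PE header in memory differs from the file on disk")
    return reasons


# Constructed dump of a hollowed svchost.exe that also carries a shellcode blob.
SAMPLE_DUMP = ProcessDump(
    image_base=0x400000,
    image_path=r"C:\Windows\System32\svchost.exe",
    disk_header=b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    regions=[
        # image base is now private RWX memory holding a different PE
        Region(0x400000, 0x30000, PAGE_EXECUTE_READWRITE, None,
               b"MZ\x00\x00\x02\x00\x00\x00\x04\x00\x0f\x00\xff\xff\x00\x00"),
        Region(0x500000, 0x10000, PAGE_READWRITE, None, b"\x00" * 16),            # heap
        Region(0x600000, 0x1000, PAGE_EXECUTE_READWRITE, None, b"\xfc\x48\x83\xe4\xf0"),  # shellcode-like
        Region(0x7ffe0000, 0x200000, PAGE_EXECUTE_READ,
               r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),                  # normal mapped image
    ],
)

if __name__ == "__main__":
    for r in find_injected(SAMPLE_DUMP):
        print(f"injected: {r.base:#x} ({r.size:#x} bytes) head={r.head[:4]!r}")
    for reason in find_hollowed(SAMPLE_DUMP):
        print("hollowing:", reason)
```

JIT runtimes (.NET, JavaScript engines) legitimately create private executable pages, so the injection check needs an allowlist or a process-type filter before it drives an alert.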
IOC extraction
iocex(f)
Extracts IOCs from f.
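The IOC extraction step above in working form, as an added example that is not the mal module's code: URLs, IPv4 addresses, domains, e-mail addresses and MD5/SHA-1/SHA-256 hashes are pulled from raw bytes or text after undoing common defanging (hxxp, [.]), with file names that look like domains filtered out. The function names, the regexes, the extension denylist and the constructed IOC_SAMPLE are this example's own assumptions.

```python
import re
from typing import Dict, List, Union

_IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
_DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)
_EMAIL = re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.IGNORECASE)
# word boundaries keep an md5 from matching inside a longer sha1/sha256
_HASHES = {
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
}
# "domains" that are really file names in a strings dump
_FILE_EXTS = {"dll", "exe", "sys", "dat", "txt", "log", "tmp", "bat", "ps1",
              "pdb", "bin", "ini", "cfg"}


def refang(text: str) -> str:
    """Undo the usual defanging (hxxp, [.], (.), [:]//) so the patterns match."""
    text = re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]//", "://")


def extract_iocs(data: Union[bytes, str]) -> Dict[str, List[str]]:
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    text = refang(text)
    urls = {u.rstrip(".,;:)]}'\"") for u in _URL.findall(text)}
    domains = {d for d in _DOMAIN.findall(text)
               if d.rsplit(".", 1)[1].lower() not in _FILE_EXTS}
    out: Dict[str, List[str]] = {
        "urls": sorted(urls),
        "ipv4": sorted(set(_IPV4.findall(text))),
        "domains": sorted(domains),
        "emails": sorted(set(_EMAIL.findall(text))),
    }
    for name, rx in _HASHES.items():
        out[name] = sorted({h.lower() for h in rx.findall(text)})
    return out


# Constructed text resembling a defanged analyst note mixed with a strings dump.
IOC_SAMPLE = b"""
C2 config: hxxp://update[.]evil-cdn[.]example/dl/payload.bin, fallback 203[.]0[.]113[.]7:443
drops C:\\Users\\Public\\svchost.exe, loads kernel32.dll
operator mail: ops@evil-cdn[.]example
md5 d41d8cd98f00b204e9800998ecf8427e
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(IOC_SAMPLE).items():
        print(f"{kind}: {values}")
```

Results from a strings dump still need review: version strings match the IPv4 pattern, and any dotted token with a letter-only suffix that is not on the extension list is reported as a domain.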
Capabilities detection
capab(f)
Capability detection on f.
Notes
- Malware analysis helpers. Use only on systems you own or are authorised to test, and only inside an isolated analysis VM: a sandbox run executes the sample.
- Prefer hash lookups for sensitive samples; any file submitted to VirusTotal becomes visible to other VirusTotal users.