Introducing YARAify

Published on 13th June 2022, 11:23:49 UTC

About a year ago, we have launched ThreatFox - a community driven platform to share indicators of compromise (IOCs). Today, I'm very excited to announce the launch of our most recent project: YARAify!

What is YARAify?

YARAify is your central hub for scanning and hunting files using YARA:

  • You can scan files using a large set of public YARA rules
  • YARAify also integrates all public and non-public YARA rules from Malpedia. Matches on Malpedia YARA rules are visible once you have connected your YARAify account with your Malpedia account (API key)
  • For PE executables, YARAify provides you an easy way to unpack them with just one click
  • By default, the platform scans any files using open and commercial ClamAV signatures (e.g. the ClamAV signatures from SecuriteInfo)
  • You can setup hunting rules for matching YARA rules, ClamAV signatures, imphashes and much more and get immediately notified by either email or Pushover (mobile)
  • YARAhub, which is part of YARAify, provides you an easy and structured way to share your YARA rules with the community
  • You can search for files and download them, including the corresponding unpacked file (if available)
  • As it is usual for all our platforms, there is an extensive API available that lets you use YARAify's power in an automated way

As of today, we have already conducted more than 15'000'000 scans for over 12'000'000 distinct files!

Why YARAify?

YARA is not only a great tool to detect malicious files but also an excelent way to hunt for files. However, there are various disadvantages with YARA:

  • Today, YARA rules are spread across different platforms and git repositories, making their handling hard for everyone
  • So far, there is no easy way to share YARA rules in a structured way. We try to fix this mess
  • A YARA rule is identified by it's rule name, which isn't unique. Therefore, there are many YARA rules having the same rule name originating from different authors, which makes rule handling hard. We try to overcome that issue by implementing yarahub_uuid which uniquely identifes a YARA rule
  • YARAhub lets you separate your YARA rule into two sections with different TLP classifications: The metadata and the rule itself. By this, you can allow others to hunt with your YARA rule on YARAify by not revealing the YARA rule. Check it out: hp_doc_svcready

Happy hunting!

Blog Archive