
Binsequencer
Binsequencer: Scanning Malware to Build YARA Rules
Binsequencer is designed to scan a collection of similar malware, including families, campaigns, and like-tools, to create a YARA rule that can identify similar code sections.
In detail, each file is analyzed and its code is transformed into sequences of x86 instruction sets.
These sets are then used in a sliding window approach to identify commonalities across the entire sample corpus.
When an acceptable match is found, the application will explore various techniques to create a YARA match, starting from the most specific down to the least specific.
At the least specific level, it transforms the matched instruction sets into a sequence of x86 opcodes, each surrounded by wildcards, for use in a YARA rule.
Options for Adjusting the Minimum Length of the Instruction Set
Several options are available to adjust the minimum length of the instruction set; a length of 25 has proven quite reliable during testing with various samples.
If you set the minimum length too low, the resulting rule may start to match samples that are unrelated to your intended target.
You also have the flexibility to decide how many matches you want to utilize for your YARA rule. The application will then attempt to identify unique instruction sets based on your selection.
Moreover, while the script is primarily designed to operate on x86 PE files, you can also direct it to run on non-PE files such as JAR, PDF, and other file types.
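As an added illustration of the sliding-window matching and the wildcarded-opcode output described above, and of how the minimum length bounds what gets matched, here is a small Python model of the approach (not Binsequencer's own code). It assumes a disassembler has already produced (mnemonic, bytes) pairs; the `disasm` helper and the three-sample corpus are constructed stand-ins, and keeping only each instruction's first byte literal is a simplification of real x86 opcode encoding.

```python
import re

def longest_shared_run(samples, min_len):
    """Slide a min_len window over the first sample, keep windows that occur in every
    sample, then grow the best hit while all samples still agree. Returns (start, end)."""
    mnems = [[m for m, _ in s] for s in samples]
    def in_all(seq):  # is seq a contiguous sub-sequence of every sample?
        n = len(seq)
        return all(any(m[i:i + n] == seq for i in range(len(m) - n + 1)) for m in mnems)
    best, first = None, mnems[0]
    for i in range(len(first) - min_len + 1):
        end = i + min_len
        if not in_all(first[i:end]):
            continue
        while end < len(first) and in_all(first[i:end + 1]):
            end += 1
        if best is None or end - i > best[1] - best[0]:
            best = (i, end)
    return best

def to_yara_hex(insns):
    """Keep each instruction's first byte literal and wildcard the operand bytes
    (a simplification: real x86 opcodes may carry prefixes or a 0F escape byte)."""
    return "{ " + " ".join("%02X" % r[0] + " ??" * (len(r) - 1) for _, r in insns) + " }"

def hex_matches(pattern, blob):
    """Test a YARA-style hex string against raw bytes, as a check on the corpus."""
    toks = pattern.strip("{} ").split()
    rx = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in toks)
    return re.search(rx, blob, re.DOTALL) is not None

def build_rule(name, samples, min_len):
    span = longest_shared_run(samples, min_len)
    if span is None:
        return None
    hexstr = to_yara_hex(samples[0][span[0]:span[1]])
    if not all(hex_matches(hexstr, b"".join(r for _, r in s)) for s in samples):
        return None  # mnemonics agreed but opcode bytes diverged; rule would miss a sample
    return "rule %s {\n  strings:\n    $seq = %s\n  condition:\n    $seq\n}" % (name, hexstr)

def disasm(text):
    """Constructed stand-in for a disassembler: 'mnemonic:hexbytes' tokens -> (mnemonic, bytes)."""
    return [(t.split(":")[0], bytes.fromhex(t.split(":")[1])) for t in text.split()]

# Constructed toy corpus sharing one call sequence with differing operands; min_len=3 keeps it short.
CORPUS = [disasm(s) for s in (
    "push:55 mov:8bec sub:83ec40 push:56 mov:8b7508 call:e810000000 test:85c0 jz:740a pop:5e ret:c3",
    "push:55 mov:8bec push:53 sub:83ec20 push:56 mov:8b750c call:e8f0ffffff test:85c0 jz:7422 xor:33c0 ret:c3",
    "sub:83ec10 push:56 mov:8b7508 call:e833000000 test:85c0 jz:7405 pop:5e ret:c3",
)]
```

`build_rule("shared_call_sequence", CORPUS, 3)` yields a rule whose string is `{ 83 ?? ?? 56 8B ?? ?? E8 ?? ?? ?? ?? 85 ?? 74 ?? }`, while raising the minimum length above the six shared instructions yields no rule at all.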