
Yara Rule - Regex - syntax error: unexpected ')'


This answer here - https://stackoverflow.com/posts/58483988/revisions (definitely worth reading to understand the ostensible regex rules for yara) - appears to work for about 20 of the given binaries I'm looking for, such as the following:

    cuckoo.filesystem.file_access(/^C:\\(.*\\)?dnx\.exe$/i) or
    cuckoo.filesystem.file_access(/C\:\\WINDOWS\\system32\\Dxcap.exe/) or
    cuckoo.filesystem.file_access(/C\:\\WINDOWS\\system32\\dxcap.exe/) or
    cuckoo.filesystem.file_access(/^C:\\Program Files\\(Microsoft Office\\)?(.*\\)?Excel\.exe$/i) or
    cuckoo.filesystem.file_access(/^C:\\Program Files\\(Microsoft Office\\)?(.*\\)?EXCEL\.exe$/i) or
    cuckoo.filesystem.file_access(/^C:\\Program Files\\(Microsoft Office\\)?(.*\\)?excel\.exe$/i) or
    cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?Excel\.exe$/i) or
    cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?EXCEL\.exe$/i) or
    cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?excel\.exe$/i) or

However, errors appear to occur with the following line:

    cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\)?(.*\\)?mftrace\.exe$/i) or

that error being: Line 28 syntax error: unexpected ')'

Lines 27, 28 and 29 being:

    cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\(Microsoft Office\\)?(.*\\)?excel\.exe$/i) or
    cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\)?(.*\\)?mftrace\.exe$/i) or
    cuckoo.filesystem.file_access(/^C:\\Program Files\\)?(.*\\)?mftrace\.exe$/i) or

What error am I making with my yara rules?

To match the following directories:

    C:\Program Files (x86)\ * \ mftrace.exe

where the asterisk stands for basically any intermediary path between Program Files (x86) and mftrace.exe.


Solution

  • Looks like you have an extra right parenthesis right here on line 28:

    cuckoo.filesystem.file_access(/^C:\\Program Files (x86)\\)?(.*\\)?mftrace\.exe$/i)
                                                             ^
    

    There's another one in almost the same location on the following line.

    Also, you'll probably want to escape the other parentheses in your pattern that should be treated as literals (like with (x86)).
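The fix described above, exercised against a few constructed file-access paths (added example, not code from the question or the answer). Python's re module stands in for YARA's own regex engine, which treats `(`, `)`, `\\`, `\.`, `?` and the `/i` modifier the same way for these constructs; the corrected pattern also folds the question's separate "Program Files" and "Program Files (x86)" lines into one expression.

```python
import re

# Question's pattern with the stray ')' removed but '(x86)' still unescaped,
# so the parentheses form a capture group instead of matching literally.
UNESCAPED = r"^C:\\Program Files (x86)\\(.*\\)?mftrace\.exe$"

# Corrected pattern: literal parentheses escaped, and " (x86)" made optional
# so one expression covers both Program Files directories.
CORRECTED = r"^C:\\Program Files( \(x86\))?\\(.*\\)?mftrace\.exe$"

# Constructed sample paths of the kind cuckoo.filesystem.file_access() sees.
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Windows Kits\10\bin\mftrace.exe",
    r"C:\Program Files\Windows Kits\10\bin\MFTrace.exe",
    r"C:\Program Files (x86)\mftrace.exe",
    r"C:\Program Files x86\tools\mftrace.exe",        # what the unescaped group really matches
    r"C:\Users\someone\Downloads\mftrace.exe",        # outside Program Files
    r"C:\Program Files (x86)\tools\mftrace.exe.bak",  # wrong suffix, rejected by '$'
]


def matching_paths(pattern, paths):
    """Return the sample paths the case-insensitive pattern matches."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [p for p in paths if rx.search(p)]


def is_balanced(pattern):
    """Count unescaped parentheses the way a regex compiler does; a surplus
    ')' is exactly what produced the 'unexpected )' error in the question."""
    depth, i = 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the escaped character, e.g. '\(' or '\\'
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    print(is_balanced(r"^C:\\Program Files (x86)\\)?(.*\\)?mftrace\.exe$"))  # False
    print(matching_paths(UNESCAPED, SAMPLE_PATHS))   # only the 'Program Files x86' path
    print(matching_paths(CORRECTED, SAMPLE_PATHS))   # the first three paths
```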