Hello, Didier Stevens here from the Internet Storm Center. We are going to look at the new YARA. So the YARA I have here is 4.0.2, and with version 4, base64 rules were introduced. So that means that you can provide a string in the YARA rule, and then the base64 encodings of that string will be searched for.

So I have a rule here that looks for Internet Storm Center, and this has to be base64 encoded, and I have this in this example. So this here is base64 for Internet Storm Center. I can show you this with my toolkit bytes, base64 and the string Internet Storm Center. See, encoded gives this string. Of course, this varies depending on the character position. If I insert a space before Internet Storm Center, then I have another base64 string. One more string, sorry, one more space, yet another string, and three spaces, and then here I have four different characters and then the repeating string here. That's because in base64, eight bits, one byte, eight bits are encoded into six bits, one base64 character. So that means that you need four base64 digits, characters, for three bytes. So that's what the encoder here does, the base64 encoder in YARA. So I run YARA with the rule on the base64 here, and my rule detects it.

Now you can also have different combinations depending on your strings being ASCII or Unicode. I have here different other rules, a long list, so each time Internet Storm Center. And here, with this rule, I expect that the string to be encoded is ASCII, then it is base64 encoded, and that base64 encoded string is also ASCII. While with this rule here, the encoded string to be searched for is a Unicode string, and it is encoded in base64, and that base64 string itself is ASCII. Another rule here: again an ASCII string to be encoded, and now the base64 string that I'm searching for has to be Unicode. That's done with the keyword base64wide, so instead of base64, use base64wide.
And finally Unicode, Unicode: so I have a string that is Unicode, so wide, and the base64 string representation of that string has to be Unicode, so base64wide. And finally I have a rule that implements all searches, so ASCII and Unicode for the string to be encoded, and then base64 and base64wide for the encodings.

And if I run YARA with those rules here, then I have those different files that I prepared that are detected, like the file ASCII, ASCII. If we look at a hexadecimal dump, an ASCII hexadecimal dump of this file, sorry, like this, you can see that it is ASCII. Here I have the Unicode base64 string, and if we look at this with my tool, you can see here that it is Unicode and you have a lot of null bytes. And then if we look at the Unicode string that is base64 encoded into an ASCII string, then you have another representation, as you can see, a lot of As, and that is because A, the uppercase A character in base64, encodes 6 bits with value 0. Here you can see that it is ASCII, and finally the Unicode into Unicode here, as you can see, this is Unicode.
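
Added example, not part of the video and not YARA's own code: a Python sketch of why three base64 substrings cover every byte alignment of the searched string, and how the ASCII/wide choices for the plaintext and for the base64 text combine. The function names are hypothetical, the samples are constructed, and UTF-16LE is assumed for the "Unicode" (wide) form.

```python
import base64

def b64(data):
    """Standard base64 of bytes, returned as an ASCII str."""
    return base64.b64encode(data).decode("ascii")

def b64_variants(data):
    """Base64 substrings that appear when data starts at byte 0, 1 or 2 of a 3-byte group."""
    variants = []
    for offset in range(3):
        encoded = b64(b"\x00" * offset + data).rstrip("=")
        # Leading characters that also carry bits of the bytes before data.
        head = (0, 2, 3)[offset]
        # The last character is partial (shared with following bytes or
        # padding) unless data ends exactly on a 3-byte boundary.
        tail = 1 if (offset + len(data)) % 3 else 0
        variants.append(encoded[head:len(encoded) - tail])
    return variants

def search_patterns(text, plain_wide=False, b64_wide=False):
    """Byte patterns for one combination: plain_wide encodes the string as
    UTF-16LE before base64; b64_wide stores the base64 text as UTF-16LE."""
    plain = text.encode("utf-16-le" if plain_wide else "ascii")
    out = "utf-16-le" if b64_wide else "ascii"
    return [v.encode(out) for v in b64_variants(plain)]

def matches(blob, text, plain_wide=False, b64_wide=False):
    """True if any alignment variant of text occurs in blob."""
    return any(p in blob for p in search_patterns(text, plain_wide, b64_wide))

if __name__ == "__main__":
    text = "Internet Storm Center"
    for spaces in range(4):  # constructed samples: 0 to 3 leading spaces
        print(spaces, b64((" " * spaces + text).encode("ascii")))
    for v in b64_variants(text.encode("ascii")):
        print("searched:", v)
    # Constructed sample: wide string, base64 stored as ASCII (many 'A's).
    sample = b64(text.encode("utf-16-le")).encode("ascii")
    print(sample, matches(sample, text, plain_wide=True))
```

A detection that hard-codes only the offset-0 encoding misses the other two alignments, which is the gap the three variants close.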