Sneed-Reactivity/yara-mikesxrs/HP_Security/js_RATDispenser.yar

32 lines
792 B
Text
Raw Normal View History

rule js_RATDispenser : downloader
{
meta:
description = "JavaScript downloader resp. dropper delivering various RATs"
reference = "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/"
author = "HP Threat Research @HPSecurity"
filetype = "JavaScript"
maltype = "Downloader"
date = "2021-05-27"
strings:
$a = /{(\d)}/
$c1 = "/{(\\d+)}/g"
$c2 = "eval"
$c3 = "prototype"
$d1 = "\\x61\\x64\\x6F\\x64\\x62\\x2E"
$d2 = "\\x43\\x68\\x61\\x72\\x53\\x65\\x74"
$d3 = "\\x54\\x79\\x70\\x65"
$e1 = "adodb."
$e2 = "CharSet"
$e3 = "Type"
$f1 = "arguments"
$f2 = "this.replace"
condition:
#a > 50 and all of ($c*) and (any of ($d*) or any of ($e*)) and all of ($f*) and filesize < 2MB
}