Sneed-Reactivity/yara-mikesxrs/HP_Security/win_ostap_jse.yar

19 lines
689 B
Text
Raw Normal View History

rule win_ostap_jse {
meta:
author = "Alex Holland @cryptogramfan (Bromium Labs)"
reference = "https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/"
date = "2019-08-29"
sample_1 = "F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586"
sample_2 = "38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B"
strings:
$comment = { 2A 2A 2F 3B } // Matches on **/;
$array_0 = /\w{5,8}\[\d+\]=\d{1,3};/
$array_1 = /\w{5,8}\[\d+\]=\d{1,3};/
condition:
((($comment at 0) and (#array_0 > 100) and (#array_1 > 100)) or
((#array_0 > 100) and (#array_1 > 100))) and
(filesize > 500KB and filesize < 1500KB)
}