Sneed-Reactivity/yara-mikesxrs/HP_Security/js_downloader_gootloader.yar

rule js_downloader_gootloader : downloader
{
  meta:
    description = "JavaScript downloader known to deliver Gootkit or REvil ransomware"
    reference = "https://github.com/hpthreatresearch/tools/blob/main/gootloader/js_downloader_gootloader.yar"
    author = "HP Threat Research @HPSecurity"
    filetype = "JavaScript"
    maltype = "Downloader"
    date = "2021-02-22"

  strings:
    $a = "function"
    $b1 = "while"
    $b2 = "if"
    $b3 = "else"
    $b4 = "return"
    $c = "charAt"
    $d = "substr"
    $e1 = "\".+"
    $e2 = "\\=\\\""
    $e3 = " r,"
    $e4 = "+;\\\""
    $f = /(\w+\[\w+\]\s+=\s+\w+\[\w+\[\w+\]\];)/

  condition:
    #a > 8 and #a > (#b4 + 3) and all of ($b*) and ($c or $d) and any of ($e*) and $f and filesize < 8000
}