Attachment: JavaScript file with suspicious base64-encoded executable

JavaScript attachment or compressed JavaScript file containing a base64 encoded executable.

Sublime rule

# Sublime Security detection rule written in MQL. It fires on inbound mail whose
# JavaScript attachment (bare .js/.jar, or one unpacked from a common archive)
# carries a base64-encoded PE executable according to the `base64_pe` YARA flavor.
name: "Attachment: JavaScript file with suspicious base64-encoded executable"
description: "JavaScript attachment or compressed JavaScript file containing a base64 encoded executable."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Outer filter: the attachment is either a common archive type
  // ($file_extensions_common_archives, matched case-insensitively with in~)
  // or a bare .js/.jar file. NOTE(review): plain `in` is case-sensitive, so an
  // upper-cased extension such as "JS" appears not to hit this branch — confirm.
  and any(attachments,
          (
            .file_extension in~ $file_extensions_common_archives
            or .file_extension in ("js", "jar")
          )
          // file.explode() yields the attachment's extracted contents (the
          // "Archive analysis" method below); the match runs on each exploded
          // child, so a JS file nested inside an archive is covered.
          and any(file.explode(.),
                  (
                    (
                      // The child is JavaScript either by extension or by YARA
                      // file-type flavor (covers renamed/extension-less scripts).
                      .file_extension in ("js", "jar")
                      or any(.flavors.yara, . == "javascript_file")
                    )
                    // ...and YARA also tagged the child as containing a
                    // base64-encoded PE — the actual malicious indicator.
                    and any(.flavors.yara, . == 'base64_pe')
                  )
          )
  )  

# Classification metadata used for triage, reporting and rule search.
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"

# Stable rule identifier; keep unchanged when editing the rule body.
id: "b8db0cf3-1708-5fd0-b0f3-ee23a06505ca"