Tweak tokenizer strings

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/anti-behavior/blocklist/user.yara

@@ -48,7 +48,9 @@ rule common_username_block_list: critical {
     $not_wireshark  = "wireshark.org"
     $gpt_tokenizer1 = "GPTTokenizer"
     $gpt_tokenizer2 = "GPT-4"
+    $gpt_tokenizer3 = "const bpe = c0.concat(c1);"
+    $gpt_tokenizer4 = "export default bpe;"
 
   condition:
-    8 of them and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
+    8 of them and none of ($not*) and (none of ($gpt_tokenizer1) and ($gpt_tokenizer2) or none of ($gpt_tokenizer3) and ($gpt_tokenizer4))
 }

rules/exfil/stealer/wallet.yara

@@ -35,9 +35,11 @@ rule crypto_stealer_names: critical {
     $not_geth_site   = "https://geth.ethereum.org"
     $gpt_tokenizer1  = "GPTTokenizer"
     $gpt_tokenizer2  = "GPT-4"
+    $gpt_tokenizer3  = "const bpe = c0.concat(c1);"
+    $gpt_tokenizer4  = "export default bpe;"
 
   condition:
-    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
+    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and (none of ($gpt_tokenizer1) and ($gpt_tokenizer2) or none of ($gpt_tokenizer3) and ($gpt_tokenizer4))
 }
 
 rule crypto_extension_stealer: critical {

tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff

@@ -1,10 +1,9 @@
-## Changed (49 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL]
+## Changed (48 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL]
 
-### 49 new behaviors
+### 48 new behaviors
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)<br>[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)<br>[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)<br>[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)<br>[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)<br>[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)<br>[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)<br>[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)<br>[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)<br>[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)<br>[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)<br>[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)<br>[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)<br>[BraveWallet](https://github.com/search?q=BraveWallet&type=code)<br>[Ronin](https://github.com/search?q=Ronin&type=code)<br>[http](https://github.com/search?q=http&type=code) |
 | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [function(](https://github.com/search?q=function%28&type=code)<br>[charAt(s](https://github.com/search?q=charAt%28s&type=code)<br>[charAt(a](https://github.com/search?q=charAt%28a&type=code)<br>[charAt(n](https://github.com/search?q=charAt%28n&type=code)<br>[charAt(c](https://github.com/search?q=charAt%28c&type=code)<br>[charAt(t](https://github.com/search?q=charAt%28t&type=code)<br>[charAt(u](https://github.com/search?q=charAt%28u&type=code)<br>[charAt(w](https://github.com/search?q=charAt%28w&type=code)<br>[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)<br>[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)<br>[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)<br>[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)<br>[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)<br>[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)<br>[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)<br>[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)<br>[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)<br>[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)<br>[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)<br>[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)<br>[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)<br>[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)<br>[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)<br>[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)<br>[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)<br>[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)<br>[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)<br>[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)<br>[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)<br>[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)<br>[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)<br>[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)<br>[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)<br>[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)<br>[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)<br>[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)<br>[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)<br>[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)<br>[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)<br>[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)<br>[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)<br>[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)<br>[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)<br>[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)<br>[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)<br>[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)<br>[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)<br>[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)<br>[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)<br>[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)<br>[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)<br>[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)<br>[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)<br>[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)<br>[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)<br>[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)<br>[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)<br>[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)<br>[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)<br>[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)<br>[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)<br>[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)<br>[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)<br>[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)<br>[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)<br>[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)<br>[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)<br>[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)<br>[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)<br>[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)<br>[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)<br>[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)<br>[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)<br>[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)<br>[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)<br>[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)<br>[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)<br>[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)<br>[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)<br>[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)<br>[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)<br>[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)<br>[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)<br>[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)<br>[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)<br>[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code)<br>[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)<br>[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)<br>[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)<br>[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)<br>[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)<br>[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)<br>[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)<br>[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)<br>[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)<br>[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)<br>[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)<br>[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)<br>[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)<br>[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)<br>[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)<br>[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)<br>[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)<br>[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)<br>[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)<br>[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)<br>[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)<br>[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)<br>[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)<br>[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)<br>[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)<br>[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)<br>[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)<br>[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)<br>[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)<br>[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)<br>[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)<br>[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)<br>[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)<br>[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)<br>[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)<br>[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)<br>[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)<br>[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)<br>[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)<br>[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)<br>[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)<br>[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)<br>[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)<br>[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)<br>[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)<br>[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)<br>[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)<br>[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)<br>[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)<br>[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)<br>[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)<br>[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)<br>[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)<br>[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)<br>[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)<br>[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)<br>[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)<br>[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)<br>[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)<br>[a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)<br>[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)<br>[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)<br>[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)<br>[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)<br>[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)<br>[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)<br>[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)<br>[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)<br>[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)<br>[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)<br>[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)<br>[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)<br>[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)<br>[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)<br>[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)<br>[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)<br>[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)<br>[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)<br>[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)<br>[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)<br>[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)<br>[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)<br>[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code) |
 | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)<br>[https://mantlescan.xyz/](https://mantlescan.xyz/)<br>[https://openchain.xyz/](https://openchain.xyz/) |
 | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)<br>[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) |

tests/javascript/clean/faker.js.simple

@@ -1,5 +1,4 @@
 # javascript/clean/faker.js: medium
-anti-behavior/blocklist/user: low
 anti-behavior/random_behavior: low
 anti-static/obfuscation/js: medium
 anti-static/obfuscation/math: medium
@@ -23,6 +22,7 @@ data/encoding/utf16: medium
 exec/plugin: low
 exfil/office_file_ext: medium
 exfil/stealer/credit_card: medium
+false-positives/faker: low
 fs/path/boot: medium
 fs/path/etc: low
 fs/path/home: low

tests/javascript/clean/faker.min.js.simple

@@ -1,5 +1,4 @@
 # javascript/clean/faker.min.js: medium
-anti-behavior/blocklist/user: low
 anti-behavior/random_behavior: low
 anti-static/obfuscation/js: medium
 anti-static/obfuscation/obfuscate: low
@@ -19,6 +18,7 @@ data/encoding/utf16: medium
 exec/plugin: low
 exfil/office_file_ext: medium
 exfil/stealer/credit_card: medium
+false-positives/faker: low
 fs/path/boot: medium
 fs/path/etc: low
 fs/path/home: low

tests/windows/2024.aspdasdksa2/creal.pyc.simple

@@ -2,7 +2,6 @@
 3P/elastic/infostealer_wallets: critical
 anti-behavior/blocklist/hostname: critical
 anti-behavior/blocklist/mac_addr: critical
-anti-behavior/blocklist/user: critical
 anti-behavior/random_behavior: low
 c2/addr/discord: medium
 c2/addr/telegram: medium