Yara Rule For EITEST Fake Chrome Popup

rule EITest_FakeChromePopup
{
   meta:
      description = "EITest Fake Chrome Popup"
      ref = "https://rz.my/2017/02/yara-rule-for-eitest-fake-chrome-popup.html"
      author = "[email protected]"
      version = "1"
   strings:
      $a = "(!!window.chrome && !!window.chrome.webstore)" nocase
      $c = "search=unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D')" nocase
      $d = "result[i].replace(eval(search),'�')" nocase

   condition:
      all of them
}