Snort mailing list archives
Win.Trojan.Nemucod JS
From: O C via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 29 May 2018 17:23:29 +0000
Hi,

The lead for these rules is from reference [1], but I was not able to acquire the JS mentioned in it. However, I found a similar JS behaving exactly the same, with additional GitHub as well as CodePlex profiles for C&C. No pcaps available for this one.

# --------------------
# Date: 2018-05-27
# Title: JavaScript based Bot using Github C&C
# Tests: syntax only
# Reference:
# [1] http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html
# [2] https://www.virustotal.com/#/file/54c25b9fedcec02d74c780412d7c50285b7837eac2d3daf23e8e4aca42ad5d71/detection
# [3] https://www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection
# [4] https://www.hybrid-analysis.com/sample/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3?environmentId=120
# Profiles:
# - https://raw.githubusercontent.com/deadpooool/news/master/README.md
# - https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md
# - https://www.codeplex.com/site/users/view/saidjaosdjo
# - https://raw.githubusercontent.com/iuasbduias/auhidshas/master/README.md

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=getSerial"; fast_pattern:only; http_client_body; content:"&computer_name="; http_client_body; content:"&username="; http_client_body; content:"&version="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000065; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=getCommand"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000066; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=sendScreenshot"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"&data="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000067; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=up"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"&antivirus="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000068; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS response"; flow:to_client,established; file_data; content:"youwillnotfindthisanywhare"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000069; rev:1;)

Thanks.
YM
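The rules above were submitted with "Tests: syntax only" and no pcap, so the following is an added example (not part of the original post and not Snort code) that emulates the handful of rule options the five rules rely on, so a reader can see which beacon triggers which SID before ever loading the rules into a sensor. Only `http_method`, `http_client_body`, `http_header` and `file_data` content matches are modelled, all case-sensitive as Snort `content` is without `nocase`; `fast_pattern:only` is a prefilter hint and does not change what matches, so it is not modelled. Every HTTP message below is a constructed sample, and the host `c2.example`, the path `/gate.php` and all field values are placeholders rather than observed traffic.

```python
"""Emulate the matching logic of the five Nemucod JS Snort rules posted above.

Added example, not part of the original post and not Snort code. It
re-implements only the rule options those rules rely on (http_method,
http_client_body, http_header and file_data content matches, all
case-sensitive as Snort content is without nocase) so the C2 beacons and
the response marker can be exercised offline. Every HTTP message here is
a constructed sample, not captured traffic; the host c2.example and the
path /gate.php are placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple

CT = "Content-Type: application/x-www-form-urlencoded"


@dataclass(frozen=True)
class Rule:
    sid: int
    direction: str                    # flow:to_server or flow:to_client
    method: str = ""                  # content:"..."; http_method
    body: Tuple[str, ...] = ()        # content:"..."; http_client_body
    header: Tuple[str, ...] = ()      # content:"..."; http_header
    file_data: Tuple[str, ...] = ()   # file_data; content:"..."


# The five rules from the post, reduced to the options they test.
RULES = [
    Rule(8000065, "to_server", "POST",
         ("action=getSerial", "&computer_name=", "&username=", "&version="), (CT,)),
    Rule(8000066, "to_server", "POST", ("action=getCommand", "&uid="), (CT,)),
    Rule(8000067, "to_server", "POST", ("action=sendScreenshot", "&uid=", "&data="), (CT,)),
    Rule(8000068, "to_server", "POST", ("action=up", "&uid=", "&antivirus="), (CT,)),
    Rule(8000069, "to_client", file_data=("youwillnotfindthisanywhare",)),
]


def parse_http(raw: bytes):
    """Split a raw HTTP message into start line, header block and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], "\r\n".join(lines[1:]), body.decode("latin-1")


def matches(rule: Rule, raw: bytes) -> bool:
    start, headers, body = parse_http(raw)
    is_response = start.startswith("HTTP/")
    if rule.direction == "to_client":
        # file_data on a response is the decoded response body.
        return is_response and all(c in body for c in rule.file_data)
    if is_response:
        return False
    method = start.split(" ", 1)[0]
    return (rule.method in method
            and all(c in body for c in rule.body)
            and all(c in headers for c in rule.header))


def alerts(raw: bytes) -> List[int]:
    """Return the SIDs that would fire on one HTTP message."""
    return [r.sid for r in RULES if matches(r, raw)]


def post(path: str, body: str) -> bytes:
    """Build a constructed form-encoded POST shaped like the bot's beacons."""
    return (f"POST {path} HTTP/1.1\r\nHost: c2.example\r\n{CT}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed traffic: four bot beacons, one C2 reply and two benign messages.
SAMPLES = {
    "register":        post("/gate.php", "action=getSerial&computer_name=WIN7-PC&username=user&version=1.0"),
    "beacon":          post("/gate.php", "action=getCommand&uid=1234567890"),
    "av_report":       post("/gate.php", "action=up&uid=1234567890&antivirus=Windows Defender"),
    "screenshot":      post("/gate.php", "action=sendScreenshot&uid=1234567890&data=iVBORw0KGgo"),
    "benign_login":    post("/login", "action=login&username=alice&password=hunter2"),
    "c2_response":     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nyouwillnotfindthisanywhare\ncmd:screenshot\n",
    "benign_response": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>",
}


def run_samples() -> dict:
    """Map each sample name to the SIDs it triggers."""
    return {name: alerts(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:16} -> {sids or 'no alert'}")
```

Each constructed beacon fires exactly one SID and the two benign messages fire none, which is the property a rule author wants to confirm before submitting. Two caveats the emulation makes visible: Snort `content` is a substring match, so `action=up` would also be found in a body beginning `action=update` if `&uid=` and `&antivirus=` are present too, and a real sensor only evaluates these rules on traffic its HTTP inspector has parsed, so a hit here says nothing about whether the sensor will see the bot's POSTs on the ports it is configured for.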