Snort mailing list archives

Win.Trojan.Nemucod JS


From: O C via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 29 May 2018 17:23:29 +0000

Hi,

The lead for these rules is from reference [1]. But I was not able to acquire the JS mentioned in it. However, I found 
a similar JS behaving exactly the same, with additional GitHub as well as CodePlex profiles for C&C. No pcaps available 
for this one.

# --------------------
# Date: 2018-05-27
# Title: JavaScript based Bot using Github C&C
# Tests: syntax only
# Reference:
#   [1] http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html
#   [2] https://www.virustotal.com/#/file/54c25b9fedcec02d74c780412d7c50285b7837eac2d3daf23e8e4aca42ad5d71/detection
#   [3] https://www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection
#   [4] https://www.hybrid-analysis.com/sample/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3?environmentId=120
# Profiles:
#   - https://raw.githubusercontent.com/deadpooool/news/master/README.md
#   - https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md
#   - https://www.codeplex.com/site/users/view/saidjaosdjo
#   - https://raw.githubusercontent.com/iuasbduias/auhidshas/master/README.md

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=getSerial"; fast_pattern:only; http_client_body; content:"&computer_name="; http_client_body; content:"&username="; http_client_body; content:"&version="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000065; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=getCommand"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000066; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=sendScreenshot"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"&data="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000067; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=up"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"&antivirus="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000068; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS response"; flow:to_client,established; file_data; content:"youwillnotfindthisanywhare"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000069; rev:1;)

Thanks.
YM
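The content checks of the five rules above, re-implemented as plain Python and run over constructed HTTP messages so the matching logic can be exercised without pcaps. This is an added example, not part of the original post or of the Snort ruleset; the host, path and field values in the samples are placeholders built only from the tokens the rules reference.

```python
# Each outbound rule: (sid, substrings the rule requires in the HTTP client body).
# All four also require method POST and the form-urlencoded Content-Type header.
REQUEST_RULES = [
    (8000065, ["action=getSerial", "&computer_name=", "&username=", "&version="]),
    (8000066, ["action=getCommand", "&uid="]),
    (8000067, ["action=sendScreenshot", "&uid=", "&data="]),
    (8000068, ["action=up", "&uid=", "&antivirus="]),
]
FORM_CT = "Content-Type: application/x-www-form-urlencoded"
RESPONSE_TOKEN = "youwillnotfindthisanywhare"  # sid 8000069, looked for in file_data

def split_http(raw: str):
    """Split a raw HTTP message into (start line, header block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, _, headers = head.partition("\r\n")
    return start, headers, body

def match_request(raw: str):
    """Return the sids of the to_server rules whose content checks all hold.
    Matching is case-sensitive substring search, as the rules carry no nocase
    modifier; http_method, http_header and http_client_body are mirrored by
    checking the start line, the header block and the body respectively."""
    start, headers, body = split_http(raw)
    if not start.startswith("POST ") or FORM_CT not in headers:
        return []
    return [sid for sid, tokens in REQUEST_RULES if all(t in body for t in tokens)]

def match_response(raw: str):
    """Return [8000069] when the server response body carries the marker string."""
    _, _, body = split_http(raw)
    return [8000069] if RESPONSE_TOKEN in body else []

def make_request(body: str, method: str = "POST", ctype: str = FORM_CT) -> str:
    """Build a constructed HTTP request; host and path are placeholders."""
    return (f"{method} /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n{ctype}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

if __name__ == "__main__":
    # Constructed bodies built only from the field names the rules reference.
    for body in ["action=getSerial&computer_name=PC1&username=u&version=1",
                 "action=getCommand&uid=42",
                 "action=sendScreenshot&uid=42&data=AAAA",
                 "action=up&uid=42&antivirus=none"]:
        print(match_request(make_request(body)), body)
    # Same body over GET, or without the form Content-Type, fires nothing.
    print(match_request(make_request("action=getCommand&uid=42", method="GET")))
    print(match_response("HTTP/1.1 200 OK\r\n\r\n" + RESPONSE_TOKEN + " task"))
```

Note that "action=up" is a short pattern and, like the Snort content match, also hits bodies such as "action=update&uid=...&antivirus=", which is worth keeping in mind when tuning sid 8000068.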
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs