Multiple signatures 015
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 3 Oct 2018 17:35:53 +0000
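Hi, Hope all is well. Pcaps and ClamAV/Yara signatures are available for some the cases. Thank you. YM
# --------------------
# Date: 2018-09-19
# Title: Osx.Trojan.AMCleaner/AutoFixer
# Reference: Research
# Tests: pcap + sandbox
# Hashes:
# - ff274bc19a82b09d5d7b841bcc90859e7eb7ebffb1c9ef8c258a534736d00070
# - d8647dfb73ad636c7c1a743754b47ff1824c11cfef040104efabca92715ffcff
# - 444d85360e6cf24b9808bab627b69cbdc82dc6d6471e1785e4046d355cee1ad2
# - cf00d0789911e58cf1d6fcdb1da64dfe7b0b91c1737b6ad0369a9a968dab214a
# Note:
# - TechyUtils Software Private Limited have been busy:
#   https://www.virustotal.com/#/ip-address/64.185.181.238
# - C&C IP address hosts APKs and EXEs which also communicate with it.
# Review: sids 8000350-8000352 key on the client User-Agent (plain, URL-encoded
# "%20" variant, and the maftask updater); 8000353-8000355 key on URI patterns
# so they still fire if the UA string is changed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mac Auto Fixer"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000350; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mac|25 32 30|Auto|25 32 30|Fixer"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: maftask/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000352; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/install/maf/"; fast_pattern:only; http_uri; content:"&btnid="; http_uri; content:"&appversion="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000353; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/mtrack/?metd="; fast_pattern:only; http_uri; content:"&ram="; http_uri; content:"&model="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000354; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"/amc/more/"; fast_pattern:only; http_uri; content:".html"; http_uri; content:"&affiliateid="; http_uri; content:"&btnid="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000355; rev:1;)
# Review: DUPLICATE SID - the rule below reuses sid:8000355, already taken by the
# /amc/more/ rule above. Two different rules with the same gid:sid are rejected
# at load time (or one silently shadows the other, depending on version), so
# this one needs its own sid before the set is published. Kept as submitted here
# rather than inventing a number; pick the next free value in the 80003xx block.
# Note also that no fast_pattern is set on this rule, so the engine picks one
# (by default the longest content); that is acceptable but worth stating.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/nis/gn"; http_uri; content:"|22|Display|22|"; http_client_body; content:"Origin:"; http_header; content:"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000355; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.AMCleaner/AutoFixer outbound connection attempt"; flow:to_server,established; content:"User-Agent: helperamc/"; fast_pattern:only; http_header; content:".plist"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000356; rev:1;)
# --------------------
# Date: 2018-09-19
# Title: Deep Analysis of a Driver-Based MITM Malware: iTranslator
# Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator.html
# Tests: pcap
# Yara:
# - MALWARE_Win_Trojan_iTranslator_EXE
# - MALWARE_Win_Trojan_iTranslator_DLL
# ClamAV:
# - MALWARE_Win_Trojan_iTranslator_EXE
# - MALWARE_Win_Trojan_iTranslator_DLL
# Notes:
# - HTTP C&C behavior is consistent with the research reference.
# - First rule matches on the unique header. Remaining rules match
#   in case the unique header is not present or changed.
# - Some of the JSON responses can be sig'ed as well but they weren't
#   in this case.
# Review: 8000364 pins "uid=078B" as the fast pattern; if that uid value is
# per-sample rather than fixed across the family, the rule will miss other
# builds - worth confirming against more than one sample before publishing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"UID: P002|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000363; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"/gl.php?"; http_uri; content:"uid=078B"; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&x="; http_uri; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000364; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iTranslator outbound connection"; flow:to_server,established; content:"/in.php?"; http_uri; content:"type="; http_uri; fast_pattern:only; content:"&ch="; http_uri; content:"&mc="; http_uri; content:"MC: "; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000365; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious User-Agent - Win.Trojan.iTranslator"; flow:to_server,established; content:"User-Agent: ITRANSLATOR|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000366; rev:1;)
# --------------------
# Date: 2018-09-29
# Title: Office Exploit Builder - Phantom Crypter/Ancalog
# Reference: Triage from: https://twitter.com/GaborSzappanos/status/1045573257909415936
# Tests: pcap (file2pcap)
# Yara:
# - FILE_OFFICE_RTF_Ancalog_Builder_Doc
# ClamAV:
# - FILE_OFFICE.RTF.Ancalog_Builder.Doc
# Hashes:
# - 3b4215b2b0dfb8fb1f96984a41d38da3fd19234f0f2c1957f32a3e0e25a8bb3e
# - f8a111e5c6b6da694567bdbd51c3113f92acd0e9b77e9c01784f1166d7fd3e5f
# - 43b07839c4b79076cb33428fee4400fbed2e92a9654a2837de7e470f9e4fb004
# Review: both rules gate on flowbits:isset,file.rtf and then look for the
# builder's "\*\ancalog" control word in file_data; the pcre tightens the
# match to the digit/space layout the builder emits. The second rule is the
# same check on the SMTP delivery path.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Ancalog Exploit Builder generated payload detected"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; nocase; fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:8000367; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Ancalog Exploit Builder generated payload detected"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|*|5C|ancalog"; nocase; fast_pattern:only; pcre:"/\x5c\x2a\x5cancalog[0-9]{1,4}\s[0-9]{1,9}/"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000368; rev:1;)
# --------------------
# Date: 2018-09-29
# Title: New KONNI Malware attacking Eurasia and Southeast Asia
# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
# Tests: pcap
# Yara:
# - MALWARE_Win_Trojan_Konni
# ClamAV:
# - MALWARE_Win.Trojan.Konni_1
# - MALWARE_Win.Trojan.Konni_2
# Hashes:
# - 07b90088ec02ef6757f6590a62e2a038ce769914139aff1a26b50399a31dcde9
# - 9b1a21d352ededd057ee3a965907126dd11d13474028a429d91e2349b1f00e10
# - 9bf634ff0bc7c69ffceb75f9773c198944d907ba822c02c44c83e997b88eeabd
# - b8120d5c9c2c889b37aa9e37514a3b4964c6e41296be216b327cdccd2e908311
# - dce53e59b0c48e269dadc766a78667a14f11b72c49f57d95abde62c84ac8d7ae
# Review: this rule relies on the ABSENCE of User-Agent/Referer/Accept headers
# plus a generic "subject=...&data=" POST body to a .php URI. No fast_pattern
# is set, so the engine will choose one of the short positive contents; expect
# to tune on false positives from minimal HTTP clients that also omit those
# headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konni outbound connection"; flow:to_server,established; content:"subject="; http_client_body; content:"&data="; http_client_body; content:".php"; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000369; rev:1;)
# --------------------
# Date: 2018-10-02
# Title: Osx.Trojan.Wave?
# Reference: Research
# - https://www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection
# Tests: syntax only
# Review: "syntax only" - this one has not been exercised against traffic, so
# the User-Agent and /?localTime= pairing is unverified beyond static analysis.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Wave outbound connection attempt"; flow:to_server,established; content:"/?localTime="; fast_pattern:only; http_uri; content:"User-Agent: MailBar/"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/087add809dca997a546b8d86f0a0be23cb04b8cf1dc77c58c475e50a3b6fa6ab/detection; classtype:trojan-activity; sid:8000370; rev:1;)
# --------------------
# Date: 2018-10-03
# Title: Win.Trojan.Trickbot variant
# Reference: Research
# Tests: pcap + sandbox
# Hashes:
# - dropper : 109ca2be52cf8a2953ee823b3bf20ff18af6e76c312b6cea086dab3aecd28853
# - loader : 595c49d0ba30eff4a48adb927cda9062efc7bb352ea75c6eadcbfe841a81e09c
# - inject module : b105891f90b2a8730bbadf02b5adeccbba539883bf75dec2ff7a5a97625dd222
# - system module : ba2a255671d33677cab8d93531eb25c0b1f1ac3e3085b95365a017463662d787
# - network module: 1c62f004d0c9b91d3467b1b8106772e667e7e2075470c2ec7982b63573c90c54
# Notes:
# - Where is the "config.conf"?
# - Found and decoded the module configs
# - Persisted via Task Scheduler
# Review: msg category corrected from the submitted "MALWWARE-CNC" to
# "MALWARE-CNC" so it sorts with the rest of the set. Two things to confirm:
# the final content ("sysinfo" form field) carries no http_client_body
# modifier, unlike the three before it, so it is matched against the raw
# payload rather than the normalized body - presumably an omission; and the
# destination port is "any" rather than $HTTP_PORTS, which is fine if the C2
# is on non-standard ports but only works where the HTTP inspector has
# identified the stream (service http) so the http_* buffers are populated.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|proclist|22|"; http_client_body; content:"process list"; nocase; http_client_body; content:"[System Process]"; http_client_body; content:"form-data|3B| name=|22|sysinfo|22|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000371; rev:1;)
# Review: header contents below are matched with the lowercase "server:" /
# "content-length:" spelling as observed; if the responding server is ever seen
# capitalising these, nocase would be needed. The 3-byte "/1/" body with
# depth:3 is a tight anchor, which keeps this response-side rule quiet.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot variant potential server response"; flow:to_client,established; content:"200"; http_stat_code; content:"server: Cowboy"; http_header; content:"content-length: 3|0D 0A|"; http_header; file_data; content:"/1/"; depth:3; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000372; rev:1;)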