Snort mailing list archives

Re: Multiple signatures 019


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 27 Nov 2018 10:47:17 -0500

On Tue, Nov 27, 2018 at 8:13 AM Y M via Snort-sigs
<snort-sigs () lists snort org> wrote:

Hi,

Hope everyone had a great Thanksgiving holiday, if you had one. Pcaps are available for all the cases. ClamAV/Yara signatures are available for all cases except the last one.

Thank you.
YM

# --------------------
# Date: 2018-11-15
# Title: Enter The Darkgate: New Cryptocurrency Mining And Ransomware Campaign
# Reference: Triage from: https://blog.ensilo.com/darkgate-malware
# Tests: pcaps
# Yara:
#    - MALWARE_VB_Agent_Embedded_B64_BIN_SC
# ClamAV:
#    - MALWARE_VB.Agent_Embedded_B64_BIN_SC_VAR1
#    - MALWARE_VB.Agent_Embedded_B64_BIN_SC_VAR2
# Hashes:
# Notes:
#   - Added 2222 and 9061 to stream5 and http_inspect.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC VB.Trojan.Agent DarkGate outbound connection"; flow:to_server,established; content:"POST / HTTP/1.0"; depth:15; content:"Mozilla/4.0"; http_header; content:"id="; http_client_body; content:"&data="; http_client_body; content:"&action="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000418; rev:1;)

# --------------------
# Date: 2018-11-17
# Title: New Strain of Olympic Destroyer Droppers
# Reference: Triage from: https://research.checkpoint.com/new-strain-of-olympic-destroyer-droppers/
# Tests: pcaps
# Yara:
#    - MALWARE_Doc_Dropper_Hades
# ClamAV:
#    - MALWARE_Doc.Dropper.Hades
# Hashes:
# Notes:
#   - SID 44564 may need updates as follows:
#     pcre:"/^session(id)?=[a-zA-Z0-9\+\/]{27,28}=$/Cmi"

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Doc.Hades malicious document download attempt"; flow:to_server,established; file_data; content:"|00 41 63 74 69 76 65 44 6F 63 75 6D 65 6E 74 D3 5C 10 00 06|"; fast_pattern; content:"|53 68 61 70 65 73 FB 3C 10 00|"; within:20; content:"|43 6F 75 6e 74 30 76 10 00 04 00 49 74 65 6D D7 7A 10 00 06|"; within:50; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000419; rev:1;)

# --------------------
# Date: 2018-11-22
# Title: Encrypted documents with various payloads
# Reference: Research
# Tests: pcaps
# Yara:
#    - MALWARE_Doc_Dropper_Enc
#    - MALWARE_Win_Trojan_GozNym
#    - MALWARE_Win_Ransomware_Globeimposter
# ClamAV:
#    - MALWARE_Doc.Dropper.Enc
#    - MALWARE_Win.Trojan.GozNym
#    - MALWARE_Win.Ransomware.Globeimposter
# Hashes:
#    - Binaries:
#      - GozNym
#      - Globeimposter:
#    - Documents:
#      - Wave 1:
#      - Wave 2 (ongoing):
# Notes:
#   - ClamAV/Yara are mostly useful for retrospective detection.
#   - Excluded pcre from 8000421.
#   - All documents have the password 1234

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GozNym download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|T|00|I|00|P|00|O|00|F|00|D|00|A|00|Y|00 2E 00|T|00|X|00|T"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000420; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GozNym download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Command"; content:"|00 00 00|Command"; within:15; fast_pattern; content:"|00 00 00|Command"; within:15; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000421; rev:1;)

# --------------------
# Date: 2018-11-17
# Title: Win.Trojan.Pterodo
# Reference: Triage from:
#   - https://cert.gov.ua/news/42
#   - https://cert.gov.ua/news/46
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Trojan_Pterodo_Dropper
#   - MALWARE_Win_Trojan_Pterodo_CMD_CNC
#   - MALWARE_Win_Trojan_Pterodo_CMD_OPS
#   - MALWARE_Win_Trojan_Pterodo_LNK
#   - MALWARE_Win_Trojan_Pterodo_BIN
#   - MALWARE_Win_Trojan_Pterodo_CNC
#   - MALWARE_Win_Trojan_Pterodo_Decoy_MSGSC
# ClamAV:
#   - MALWARE_Win.Trojan.Pterodo_Dropper
#   - MALWARE_Win.Trojan.Pterodo_CMD_CNC
#   - MALWARE_Win.Trojan.Pterodo_CMD_OPS
#   - MALWARE_Win.Trojan.Pterodo_LNK
#   - MALWARE_Win.Trojan.Pterodo_BIN
#   - MALWARE_Win_Trojan.Pterodo_CNC
# Hashes:
#   - Droppers:
#   - Artifacts dropped:
# Notes:
#   - More intel in Yara/ClamAV signatures.
#   - While the droppers are decompressed by ClamAV,
#     a sig was created for them.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pterodo variant outbound connection attempt"; flow:to_server,established; content:"versiya="; fast_pattern:only; http_client_body; content:"sysinfo="; http_client_body; content:"comp="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000422; rev:1;)

# --------------------
# Date: 2018-11-27
# Title: Hiding a beacon in a jquery
# Reference: Triage from:
#   - https://sysopfb.github.io/malware,/reverse-engineering/2018/10/08/Beacon-in-a-jquery.html
#   - http://threatexpress.com/2018/09/a-deep-dive-into-cobalt-strike-malleable-c2/
# Tests: pcaps
# Yara: NA
# ClamAV: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC CobaltStrike variant outbound beacon request"; flow:to_server,established; content:"/jquery-"; content:"Accept-Encoding: gzip, deflate|0D 0A|Cookie: __cfduid="; pcre:"/__cfduid=[a-z0-9-_]{170,}/mi"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000423; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC CobaltStrike variant inbound beacon response"; flow:to_client,established; file_data; content:"|3B|return-1|7D|,P=|22 0D|"; fast_pattern; content:!"|22|"; within:30; pcre:"/\x3breturn-1\x7d,P=\x22\x0d[^\x20-\x7a]{8}/"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000424; rev:1;)

Hi Yaser,

Thanks so much for the contributions, we'll get these into testing. We'd appreciate any pcaps, etc. you'd be willing to share! Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
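As an added example (not from either poster and not Snort project code), a small Python model of how the GozNym rules 8000420 and 8000421 quoted above match: it decodes Snort content: strings with |hex| escapes into bytes, shows that the odd-looking 8000420 pattern is just UTF-16LE "TIPOFDAY.TXT" starting one byte early, and applies a simplified version of within-relative matching (retrying an earlier content when a later one fails) to constructed buffers. The matching model and the sample buffers are assumptions, not Snort's engine or real samples.

```python
from typing import List, Optional, Tuple

# content: strings copied from the GozNym rules above (sids 8000420, 8000421).
GOZNYM_TIPOFDAY = "|00|T|00|I|00|P|00|O|00|F|00|D|00|A|00|Y|00 2E 00|T|00|X|00|T"
GOZNYM_COMMAND_CHAIN: List[Tuple[str, Optional[int]]] = [
    ("Command", None),           # first content: anywhere in the buffer
    ("|00 00 00|Command", 15),   # within:15 of the previous match's end
    ("|00 00 00|Command", 15),
]

def snort_content_to_bytes(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside |...| is whitespace-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def match_chain(buf: bytes, chain, start: int = 0) -> bool:
    """Simplified model (an assumption, not the real engine) of Snort 2
    relative matching: each content is searched from the end of the previous
    match; within:N means it must fit entirely in the next N bytes. If a
    later content fails, the earlier one is retried at its next occurrence."""
    if not chain:
        return True
    spec, within = chain[0]
    pat = snort_content_to_bytes(spec)
    end = len(buf) if within is None else start + within
    idx = buf.find(pat, start, end)
    while idx >= 0:
        if match_chain(buf, chain[1:], idx + len(pat)):
            return True
        idx = buf.find(pat, idx + 1, end)
    return False

def tipofday_is_shifted_utf16() -> bool:
    """8000420's pattern is UTF-16LE 'TIPOFDAY.TXT' starting one byte early:
    the leading |00| is the high byte of whatever character precedes it."""
    pat = snort_content_to_bytes(GOZNYM_TIPOFDAY)
    return pat == b"\x00" + "TIPOFDAY.TXT".encode("utf-16-le")[:-1]

# Constructed buffers for 8000421 (not real GozNym samples).
HIT = b"sample: Command\x00\x00\x00Command\x00\x00\x00Command"
# Next occurrence ends more than 15 bytes past the first match -> no alert.
MISS = b"Command" + b"\x00" * 16 + b"Command\x00\x00\x00Command"
# First 'Command' is a decoy; the match only succeeds by retrying the later one.
RETRY = b"Command" + b"X" * 20 + b"Command\x00\x00\x00Command\x00\x00\x00Command"

if __name__ == "__main__":
    print("8000420 pattern is shifted UTF-16LE:", tipofday_is_shifted_utf16())
    for name, buf in (("HIT", HIT), ("MISS", MISS), ("RETRY", RETRY)):
        print(f"8000421 on {name}: {match_chain(buf, GOZNYM_COMMAND_CHAIN)}")
```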
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs