Snort mailing list archives
Re: [Emerging-Sigs] Dridex sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 17 Jun 2015 14:56:33 -0600
On 2015-06-17 02:40 PM, Joseph Feather wrote:
Seeing same malware here https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/

It uses a specific User Agent to pull down the files

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Malware Dridex C2"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; pcre:"/[0-9]{8}\.txt/"; classtype:trojan-activity; reference:url,https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/; sid:9999999; rev:1;)

-Joe

On Wed, Jun 17, 2015 at 10:49 AM, James Lay <jlay () slave-tothe-box net> wrote:

Meh...keep seeing this base64 encoded WScript, so here's a sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Dridex WScript Download"; flow:established,to_server; content:"|2f|89172387|2e|txt"; http_uri; fast_pattern:only; reference:url,malwr.com/analysis/MGRmZmFmNjk1MTNlNDNhN2IwYzEyODFlNWY0ZDAxYmM; classtype:trojan-activity; sid:10000161; rev:1;)

If you see this hit, someone on your network has just opened a Dridex word doc in an email.

Sanity checked only.

James
The more the merrier...thanks Joe.

James
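To check what the two rules in this thread actually fire on, here is an added Python example (not code from either poster) that decodes the Snort/Suricata `|hex|` content syntax and applies both match conditions to constructed HTTP requests. It assumes the pcre in Joe's rule is evaluated against the request URI, and the sample requests are made up for the demonstration.

```python
import re

def decode_snort_content(s: str) -> str:
    """Turn Snort/Suricata content syntax with |hex| sections into text,
    e.g. "|2f|89172387|2e|txt" -> "/89172387.txt"."""
    out = []
    for i, part in enumerate(s.split("|")):
        if i % 2 == 0:
            out.append(part)                      # literal text
        else:
            out.append(bytes.fromhex(part.replace(" ", "")).decode("latin-1"))
    return "".join(out)

# Match conditions lifted from the two rules quoted above.
UA_CONTENT = decode_snort_content(
    "User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)")
URI_CONTENT = decode_snort_content("|2f|89172387|2e|txt")
URI_PCRE = re.compile(r"/[0-9]{8}\.txt")         # assumption: applied to the URI

def parse_request(raw: str):
    """Split a raw HTTP request into (uri, header_block)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    return uri, "\r\n".join(lines[1:])

def match_dridex(raw: str) -> list:
    """Return the msg of each quoted rule this request would trigger."""
    uri, headers = parse_request(raw)
    hits = []
    if URI_CONTENT in uri:                        # James's rule: fixed URI (http_uri)
        hits.append("MALWARE-OTHER Dridex WScript Download")
    if UA_CONTENT in headers and URI_PCRE.search(uri):   # Joe's rule: UA + 8-digit .txt
        hits.append("Malware Dridex C2")
    return hits

# Constructed sample requests (not real captures).
SAMPLE_HIT = ("GET /89172387.txt HTTP/1.1\r\nHost: example.invalid\r\n"
              "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n\r\n")
SAMPLE_BENIGN = ("GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
                 "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(match_dridex(SAMPLE_HIT))      # both rules fire
    print(match_dridex(SAMPLE_BENIGN))   # []
```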