Re: [Emerging-Sigs] Dridex sig

[James Lay <jlay () slave-tothe-box net>]

On 2015-06-17 02:40 PM, Joseph Feather wrote:
> Seeing same malware here
> https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/
> [4]
>
> It uses a specific User Agent to pull down the files
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Malware Dridex
> C2"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B|
> WinHttp.WinHttpRequest.5)"; http_header; pcre:"/[0-9]{8}.txt/";
> classtype:trojan-activity;
> reference:url,https://malwr.com/analysis/YjZjNWVmZTg1ZWVjNDdhOTlkZDFlYjk4YWYxODY2NmE/
> [4]; sid:9999999; rev:1;)
>
> -Joe
>
> On Wed, Jun 17, 2015 at 10:49 AM, James Lay <jlay () slave-tothe-box net>
> wrote:
>
> > Meh...keep seeing this base64 encoded WScript, so here's a sig:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"MALWARE-OTHER Dridex WScript Download";
> > flow:established,to_server; content:"|2f|89172387|2e|txt"; http_uri;
> > fast_pattern:only;
> reference:url,malwr.com/analysis/MGRmZmFmNjk1MTNlNDNhN2IwYzEyODFlNWY0ZDAxYmM
> > [1]; classtype:trojan-activity; sid:10000161; rev:1;)
> >
> > If you see this hit, someone on your network has just opened a
> > Dridex word doc in an email. Sanity checked only.
> >
> > James

The more the merrier...thanks Joe.

James


------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!