Snort mailing list archives
Win.Ransomware.Sage
From: Y M <snort () outlook com>
Date: Fri, 10 Feb 2017 09:12:51 +0000
Hello, This one for Sage "2.0" ransomware performing its post-infection C&C. There are several samples circulating. I have seen references mentioning that Sage is a variant of CryLocker, but some of the samples generate the same UDP traffic observed from Cerber. The ransom notes also resembles that of Cerber. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:" / HTTP/1."; content:"Connection|3A 20|close|0D 0A|"; fast_pattern:only; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,string,dec,relative; byte_test:3,<,170,0,string,dec,relative; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000824; rev:1;) Thank you. YM
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Ransomware.Sage Y M (Feb 10)
- Re: Win.Ransomware.Sage Tyler Montier (Feb 10)