Snort mailing list archives
Win.Backdoor.Joanap
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 4 Jun 2018 17:21:14 +0000
Hi,

The below signatures are for the Joanap backdoor. No luck with Brambul or Duuzer. Looking at the memory dumps they appear to use the same email medium for C&C with different email addresses. The SMTP C&C sig'ed below was in plaintext for some reason. Pcap is available for this one.

# --------------------
# Date: 2018-06-02
# Title: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
# Tests: pcap
# Reference: https://www.us-cert.gov/ncas/alerts/TA18-149A, https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers
# Hashes:
# Win.Backdoor.Joanap:
# - https://www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection
# - https://www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection
# Win.Worm.Brambul: NA
# Win.Backdoor.Duuzer: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Joanap outbound connection"; flow:to_server,established; content:"User-Agent: DavClnt"; fast_pattern:only; http_header; content:"translate: "; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection; reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection; classtype:trojan-activity; sid:8000102; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Backdoor.Joanap outbound connection"; flow:to_server,established; content:"TO: Joana "; content:"SUBJECT: |5B|T|5D|"; metadata:ruleset community, service smtp; reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection; reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection; classtype:trojan-activity; sid:8000103; rev:1;)

Thanks.

YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
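The two rules in the post above reduce to a handful of content matches: both HTTP header strings for sid 8000102 and both SMTP strings (one written with Snort's |hex| escapes) for sid 8000103. The script below is an added example, not code from the post or from Snort: it decodes the content strings exactly as written in the rules, applies them to constructed sample payloads (no real capture), and honours the http_header modifier by searching only the header block. The port set standing in for $HTTP_PORTS is an assumption, and the sample requests, addresses and subject text are made up for the demonstration.

```python
"""Mirror the content checks of the Joanap rules (sid 8000102 and 8000103)
over constructed sample traffic.  Added example; not the post's or Snort's code."""

# Assumption: these ports stand in for Snort's $HTTP_PORTS variable.
HTTP_PORTS = {80, 8080}


def snort_content_to_bytes(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text between | pipes | is hex, everything else is literal, so
    "SUBJECT: |5B|T|5D|" becomes b"SUBJECT: [T]".
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment between pipes
    return bytes(out)


# Content matches copied verbatim from the two rules in the post.
# "buffer" mirrors the http_header modifier: look at headers only, never the body.
JOANAP_RULES = [
    {"sid": 8000102, "ports": HTTP_PORTS, "buffer": "http_header",
     "contents": ["User-Agent: DavClnt", "translate: "]},
    {"sid": 8000103, "ports": {25}, "buffer": "payload",
     "contents": ["TO: Joana ", "SUBJECT: |5B|T|5D|"]},
]


def select_buffer(rule, payload: bytes) -> bytes:
    """Return the part of the payload a rule is allowed to inspect."""
    if rule["buffer"] == "http_header":
        return payload.split(b"\r\n\r\n", 1)[0]   # request line + headers
    return payload


def match_rules(dport: int, payload: bytes, rules=JOANAP_RULES):
    """Return the sids whose port and content conditions all hold for one
    client-to-server payload.  Snort content matches without distance/within
    are independent, so the order in which they occur does not matter."""
    hits = []
    for rule in rules:
        if dport not in rule["ports"]:
            continue
        buf = select_buffer(rule, payload)
        if all(snort_content_to_bytes(c) in buf for c in rule["contents"]):
            hits.append(rule["sid"])
    return hits


# Constructed samples (not captured traffic; hosts use the reserved .invalid TLD).
HTTP_REQUEST = (
    b"PROPFIND /dav/ HTTP/1.1\r\n"
    b"Host: webdav.example.invalid\r\n"
    b"User-Agent: DavClnt\r\n"
    b"translate: f\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Same strings, but only in the body: http_header must NOT match here.
HTTP_BODY_ONLY = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Content-Length: 38\r\n\r\n"
    b"User-Agent: DavClnt\r\ntranslate: f\r\n"
)
SMTP_DATA = (
    b"FROM: sample@example.invalid\r\n"
    b"TO: Joana <sample-joana@example.invalid>\r\n"
    b"SUBJECT: [T] constructed-sample\r\n\r\n"
    b"body\r\n.\r\n"
)
BENIGN_SMTP = (
    b"From: alice@example.invalid\r\n"
    b"To: Bob <bob@example.invalid>\r\n"
    b"Subject: lunch\r\n\r\nbody\r\n.\r\n"
)

if __name__ == "__main__":
    for name, port, data in [("http", 80, HTTP_REQUEST),
                             ("http-body-only", 80, HTTP_BODY_ONLY),
                             ("smtp", 25, SMTP_DATA),
                             ("benign-smtp", 25, BENIGN_SMTP)]:
        print(f"{name:15} -> {match_rules(port, data)}")
```

Two things worth checking before deploying the rules as-is: the HTTP rule keys on a User-Agent and Translate header that Windows' own WebDAV client also sends, so run it against a pcap of your normal outbound WebDAV traffic to see what it matches, and the SMTP rule only fires because, as the post notes, this C&C mail went out in plaintext on port 25; a STARTTLS session would hide the same strings from the sensor.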
Current thread:
- Win.Backdoor.Joanap Y M via Snort-sigs (Jun 04)
- Re: Win.Backdoor.Joanap Alex McDonnell (Jun 07)
- Re: Win.Backdoor.Joanap Y M via Snort-sigs (Jun 07)
- Re: Win.Backdoor.Joanap Alex McDonnell (Jun 07)