Snort mailing list archives
Re: Multiple signatures 019
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 27 Nov 2018 10:47:17 -0500
On Tue, Nov 27, 2018 at 8:13 AM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
Hi,

Hope everyone had a great Thanksgiving holiday, if you had one. Pcaps are available for all the cases. ClamAV/Yara signatures are available for all cases except the last one.

Thank you.
YM

# --------------------
# Date: 2018-11-15
# Title: Enter The Darkgate: New Cryptocurrency Mining And Ransomware Campaign
# Reference: Triage from: https://blog.ensilo.com/darkgate-malware
# Tests: pcaps
# Yara:
# - MALWARE_VB_Agent_Embedded_B64_BIN_SC
# ClamAV:
# - MALWARE_VB.Agent_Embedded_B64_BIN_SC_VAR1
# - MALWARE_VB.Agent_Embedded_B64_BIN_SC_VAR2
# Hashes:
# - 2264c2f2c2d5a0d6d62c33cadb848305a8fff81cdd79c4d7560021cfb304a121
# - 3340013b0f00fe0c9e99411f722f8f3f0baf9ae4f40ac78796a6d4d694b46d7b
# - 908f2dfed6c122b46e946fe8839feb9218cb095f180f86c43659448e2f709fc7
# - b0542a719c6b2fc575915e9e4c58920cf999ba5c3f5345617818a9dc14a378b4
# - c88eab30fa03c44b567bcb4e659a60ee0fe5d98664816c70e3b6e8d79169cbea
# Notes:
# - Added 2222 and 9061 to stream5 and http_inspect.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC VB.Trojan.Agent DarkGate outbound connection"; flow:to_server,established; content:"POST / HTTP/1.0"; depth:15; content:"Mozilla/4.0"; http_header; content:"id="; http_client_body; content:"&data="; http_client_body; content:"&action="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000418; rev:1;)

# --------------------
# Date: 2018-11-17
# Title: New Strain of Olympic Destroyer Droppers
# Reference: Triage from: https://research.checkpoint.com/new-strain-of-olympic-destroyer-droppers/
# Tests: pcaps
# Yara:
# - MALWARE_Doc_Dropper_Hades
# ClamAV:
# - MALWARE_Doc.Dropper.Hades
# Hashes:
# - 02017a5216d0726471de5ecca0610fa25d946148476b6af172c786b29b87c88e
# - 08980ed1a4c3f6a6f8f5fb210a82f68a6d71dd4689fd198b54387a9de461c858
# - a6678a676d6a55833aa63233b3bae53fd7825c3c8afc4d015a2ca8296baee31a
# - b85027de6871e2ed1a2154edb645fd016807989b44107fc2804eb6e9acce3b9d
# - c0137e41f9d1b165c57e76714bb44e4ca4de2f8f83f6fd4bd34c90ed01553764
# Notes:
# - SID 44564 may need updates as follows:
#   pcre:"/^session(id)?=[a-zA-Z0-9\+\/]{27,28}=$/Cmi"

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Doc.Hades malicious document download attempt"; flow:to_server,established; file_data; content:"|00 41 63 74 69 76 65 44 6F 63 75 6D 65 6E 74 D3 5C 10 00 06|"; fast_pattern; content:"|53 68 61 70 65 73 FB 3C 10 00|"; within:20; content:"|43 6F 75 6e 74 30 76 10 00 04 00 49 74 65 6D D7 7A 10 00 06|"; within:50; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000419; rev:1;)

# --------------------
# Date: 2018-11-22
# Title: Encrypted documents with various payloads
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Doc_Dropper_Enc
# - MALWARE_Win_Trojan_GozNym
# - MALWARE_Win_Ransomware_Globeimposter
# ClamAV:
# - MALWARE_Doc.Dropper.Enc
# - MALWARE_Win.Trojan.GozNym
# - MALWARE_Win.Ransomware.Globeimposter
# Hashes:
# - Binaries:
#   - GozNym
#     - 23f94f297ff9424592eb9e448a54e3ea2dbcfb48643c9ae57988e6c04f86fe38
#     - 7062d7960163491d06dee3deffeaff62466f496c3f7b6c831e38361863189cff
#     - 85ca2e76fe2b63c6c070002b425b06c39950e0d5d616f98f270217abeb24cc60
#     - c8a873f2e653f0bbfe42dbe8e0d7649a26949b43b2449e0e98c9a2cbac468418
#     - ff8a79259ebb967de71e2373a8b6d3e81c20d315786db3490ab6c1d960900fcf
#   - Globeimposter:
#     - 581215dc02a6467441daffde020d36cc03b0c4bd2272364b05d10768b8f37599
# - Documents:
#   - Wave 1:
#     - 0a3bd5e5a425fc8a00cc0883d9f1e87ee469f9061a6fe816e7224d784dc409bd
#     - 16d7e49cbc04ce76e31d07f02d054cfceee377c364f42a3559652e267d1ff7b3
#     - 2ae34bd669b94e44c05d9e66db891f93f0495e87e2288aa6effb985b1b5c55c0
#     - 2c420d70e2589d1561b66fd009e30aa5b2c81304852362cbe5b777cff38f77c1
#     - 303f66da4b9caa6d5922c91d3d0e8989a985f6645e373ef337aa5b1acd7c4137
#     - 3290dabd51e3b955c77165f320ea8822071166a7858b44ca1dddd69be60b8432
#     - 36c587c287455ffcec5fa8312382a08edaf8a1750f3aee494a46c4586e372841
#     - 38ebf5bacb9f6204f414349b567328ef95948a52a17c8ddccf3788d042a33a3a
#     - 3cc2836855a14152c13ae78953ce224ba5455d5c02829eb1e5132a4d171f4f9d
#     - 418a48c797af6dcc6e91b6deedba5d15698550bb19ac6c4c3f9829e5ad856cdb
#     - 42c5188ccc7e2be596489fe4d15993341047aee0fc5ef954f46334491bc954cc
#     - 43a60edc57e815b6abb434dac8b5dff5a06f81641008ab4390530f0a93b8ea27
#     - 467db458d2992a837c705160fb4419a0b8bb137d73493dbd701a908f34503121
#     - 4ba7037dff6d16576df96cb8e438b390a3454e06efaf8cfb7c755a00affb5592
#     - 6426a1657c5db5f94e2cc1407ececee1aeb9895e07a625cd30ef1da87a349886
#     - 663790530c6b76dc5f024bd9ba435fb502069333c86bedf444fec5e99ae22386
#     - 67fb65a9eeaae1e25a3ac286f09372b90f25fecae6d432be8791a08fad1a60f0
#     - 6b857b6e20ac919c4c6f119b7bcbf8ecff4b1715bc02d5a1de7258ba400112c2
#     - 72c74f28d1e75e736f3a07b393042ae375cc485d71e19b38545b139b4618a0f1
#     - 89dc2c1e1a37a03ad9aed7de09e4ca9b19b83714a88274aee758905ea3413fcb
#     - 963d20cb463516ff6825b3b6467d4a6faa7b2838b6ddfae84b2cde26fd801802
#     - 9a82fb6f0022f0214f40297f0debb6b0b4b7ecd04ed0c2f2744f5900ba13f6d8
#     - 9b0fdee2693b0a640fd0accaba9040dda675673f137558a3dfea78de4826a3db
#     - 9e771e67805108af6648f03aa7830bb1cefded2c9c8a3f42245bb6e42d75508d
#     - 9eff3cd6112a0d9ddb652303dbd14a5a0fef1dce48ef74ad96e14142798fb435
#     - 9fd2515ad0a83165fca69406d7f40634c1e1682ce30646dfb54b398ead0dbee0
#     - a0f1101756a3dd503016dc49f189b54824b8a2a00c72d43eeb016979fd56df1d
#     - b236ed44a0a4a4c7069081793b13bac1cc6bec7d8bedcb3f27d85d9cb8796d35
#     - bc43872980e81092e362beaa3415668336140d58aad5d7d11d338a22872412c2
#     - cac9b1ebaabb8372a123b2b03c2f13edc89b7da16e92f5f6283dc2b124c7437b
#     - caf6911acae50abcabe248286d519adcf283372b7780b067b34ae4e3889c04d6
#     - ce0c07d6c1cece547f5ba73652061dc9e24de6df1cbc95e4538e69d068da8bfe
#     - d461db3512852240a60496db0e262692afb008aab5734a37a326ae9c878014c9
#     - d5f3470a57360fc7a65a32e206e6313c8f38493797d514a46b4acb2ff12bc97d
#     - e61258a4af873b1e4bb0b5338b1a7c0aef619a2335f0f165923d010a95c23962
#     - e996506f8d82e8740ec2fc94c4ffb12590e371c29535a21848232553bc5a12ab
#     - ebbbdb200d7ac3a87a01e2349e002f4065ff1c64d25049f4197b6b1d00dc07d4
#     - f4b91a3def12d2b93c2912d8ee13b24145c606c43a2f93c744cc30287f94f402
#     - f4f2f952b56abeb5b78cac6b4779a936701d0910ca776474dd09d5192ed0657d
#     - f5db2b33bf62bb12131b30d8a835635d1fa8fc545d14a6f6b043adacdb3346e2
#     - fa025e0d676f44e8783f4770bb608acc6c7cf3614afa42d152c80df6e287a188
#     - fae96b8f8ec924240cd7c3a1c891b6dbd1eee4ecd29a2fa462558fbfd183d711
#     - 16f198ceb37bc0895c460aa23988ef5a779233748655a0327a6848b21150b9c4
#     - 1a3a93b5ecad24a85fb0aa7b11680e001c3eb6298fd45d78fa8ee5ba89802552
#     - 2136103258f525ba8af1da78758fd38fcb5d71db8ba79bc474c43f903ad2eda7
#     - 252b1ee1e13685c5dcf02e93a1b6b4218a090f57c8e81e8c35d37e865a724610
#     - 309957d87b65b5a2ca664a462e5a75955258e7b458187e077a5c3e1108c5d4fe
#     - 50186496a534f105fca2025e66bf7abf04ec551841c226f1d4115b092c6c2d28
#     - 59608665843f73fd589b3b9cc65ccc269995a95763d0e3d3daa0f66b4914c243
#     - 6dcb1db55dc6805cbfd6c2b45529ad434920c1fd69711edae69344933a453924
#     - 8011796c2d9804c44af5eb394f99803e5334d41fc96865c58dbf6c8791038d9f
#     - 838c204e757675756c075982f3a46e72e4c9ec6aeefa17f27524983ef570df11
#     - 84d8ec5c4bffde2b9668169bbe9f0034ea060e9ada80117a1f02715b0efc29ca
#     - 932b0e9d7b26a15c568331b6945559f890948cd3edf882beb8aea6cb8552f589
#     - a6b0e1a4feef084b7f6ddc285a063ebff26b5871a0f78708150ea01a13f5d41b
#     - b3818a23ac993df769d8568c6bde8a2d4faa227e6f7ea40d6b70d2db5b079fe7
#     - bddc64c4242dbd259f0cf8db72b135876cda2120786d9ebac3a98efc0cfbc1b8
#     - e9c7388da11ca6c9be89d5365fca48505ebeec337f4789938a23fb6d1d1b474c
#     - f3951eb25f28b98f67dd4c04dcc1266baedac8c4aa6d0edba3332731ad24bf86
#   - Wave 2 (ongoing):
#     - 034ed97024fa0f41cc247c95bf0dd4ad5e1f4ba99e344434e69d31d58836e3ff
#     - 0367d9bd7daf286fb52e3ead6041d4bda4391d6d14b19bcafd83a9ad82a32ec7
#     - 1d11562191706d240e557264d5ccc464c5eb1ac822ea2be3e0d63a485517d541
#     - 25b396aa5d9a708333ed195ec8f5d0f1d4cdd8c908cdf784d9ee96b7e870b260
#     - 298a69c508f6414ca4b5f62fa0066e044c2c6c7bbe18b6d6dca9ad452ae16009
#     - 39c30eb16593dad64200669f23cd9e8584610bd839960c9290f5fb6fc89b459c
#     - 39eda86eaae6d4777d6a3c1b4f023eb799c02716a8bc2d16f8a264775e1b7ca5
#     - 3fc14bea6f47c60b0dc3fdb23514518ebc5230140025195bc7ea4dff9e16e57f
#     - 4ef818ce260cdb326e0ea815f798dd4f865ce762fad52b698314e6187dfdd107
#     - 50abb13ce6129d533b0e717a402ace5c858d2d921240f150f6bf9ad7146e80fd
#     - 6e336190252ea55aab4f56918f06bb61f63dc8905c0c941f8246fe6b6da50bce
#     - 84c8af0a8d76e80b2fe4e3e83c265c924d10a05097fb67ba56ea8c15201891bb
#     - 9343af1481da20e3006683be0c05ffa09cce041e58a1fb91e2bdb9b25238d8cc
#     - 9f307ef50987f61e6bc17b910e778e9029fadad8529cb33594e9e0e3c235cf96
#     - a62599faa0800fd0cc081b340ec4c8ddbbdfe5a886a339bac31a0ec70b1b7f2e
#     - c70bfee8b0270f5d1bc000b402d3cb38fe657633fed56c712030da3da6cd348c
#     - e0a7f939caf83a23d098cfa7c4e41865fa023054350e3366e69a8f2b2d847b00
#     - f97a05d8b4a789aec48146548c295d70cc6e540e99840da1fcc7f2d81e2d9934
#     - fcf09fc1b7b555e132c3664ae74965333afb4abcbfb0f41befaa347e0e5c45e7
# Notes:
# - ClamAV/Yara are mostly useful for retrospective detection.
# - Excluded pcre from 8000421.
# - All documents have the password 1234

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GozNym download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|T|00|I|00|P|00|O|00|F|00|D|00|A|00|Y|00 2E 00|T|00|X|00|T"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000420; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GozNym download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Command"; content:"|00 00 00|Command"; within:15; fast_pattern; content:"|00 00 00|Command"; within:15; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000421; rev:1;)

# --------------------
# Date: 2018-11-17
# Title: Win.Trojan.Pterodo
# Reference: Triage from:
# - https://cert.gov.ua/news/42
# - https://cert.gov.ua/news/46
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_Pterodo_Dropper
# - MALWARE_Win_Trojan_Pterodo_CMD_CNC
# - MALWARE_Win_Trojan_Pterodo_CMD_OPS
# - MALWARE_Win_Trojan_Pterodo_LNK
# - MALWARE_Win_Trojan_Pterodo_BIN
# - MALWARE_Win_Trojan_Pterodo_CNC
# - MALWARE_Win_Trojan_Pterodo_Decoy_MSGSC
# ClamAV:
# - MALWARE_Win.Trojan.Pterodo_Dropper
# - MALWARE_Win.Trojan.Pterodo_CMD_CNC
# - MALWARE_Win.Trojan.Pterodo_CMD_OPS
# - MALWARE_Win.Trojan.Pterodo_LNK
# - MALWARE_Win.Trojan.Pterodo_BIN
# - MALWARE_Win_Trojan.Pterodo_CNC
# Hashes:
# - Droppers:
#   - 17f686c72e588a241f9758ceec770c62ee36b34c5f273be151b416092f4cac64
#   - 1b00cf03f26724d9e9cff35a8d3d2e42f2518827e9564513b348fc163de153b6
#   - 3fc9a48e89aa48099d424fe38a9816b75663f896eb11d3c6f1a7cce76eecd8e9
#   - 47b39dbbe6f14712bee4fdff325950d7385b139b8c53a1305b6cd40a91c2512b
#   - 7133867028f29a10aeea86582c5b6f049b8ec732cdbd7d7a39f49d798263575c
#   - a327a6dc51586378b63215512fbf7989438ee7bdd257b530ab9d6cc9f1f8e8fa
#   - fd347cb68a35625d61cee7f60e325ca73588f7e23d18fb8fdfbdec8a77b435ca
# - Artifacts dropped:
#   - 169bb1e9fa5c1c08ea73869fda23e99b98b38724520d9f3daa765236f2c67834
#   - 24bde2ce803851840ee00f93f002537b194a6dd4a88ea2799b76b773f4bb6621
#   - 2ff5c7761871690361d90046f8eba4a7bba8b68e89f497ae67b8d658250b5ad9
#   - 614879e46fad0002aeb6a650998f575f4f0daa21f25add9a9e03ed1cc0639e40
#   - 6242dd2cfbc23f2fd8eeab2347e2578d45df1a210018771f7baba4bf409adb4b
#   - 703d45fb4855f0806ae299c1ccf1793f446a1a213e4e1ab476db43a65c2b984b
#   - 7264e8683a49617d4b0c701f891707d5711d0db65d0fc248f3b8a39273b07019
#   - 7f3753ce50a292fe64451fe7ea2615c6c7d5d81d1a4a76879aa298d9d4f819c7
#   - 8b50e3ca06a22d0be6a71232b320137c776f80ac3f2c81b7440b43854b8a3bf0
#   - 8b50e3ca06a22d0be6a71232b320137c776f80ac3f2c81b7440b43854b8a3bf0
#   - 8b50e3ca06a22d0be6a71232b320137c776f80ac3f2c81b7440b43854b8a3bf0
#   - af8bf2df475ff84c42d17d104419ff8a40ddbf1e1e9af08b2df7fe34d510cb52
#   - b633c02dc34347a0bfc951492eeba6fc3216477a59c3878f6f0f155ed5ea18cb
#   - be18d809058f2733454cf3bcf225de5fd866594a7ee27031bd2ab4c1cb659e96
#   - c4ceb4486f70c6ff244501bb727ae7c9b9a8468f4cd2ced36f0b2e11f275e8f2
#   - c9ac6d5e08c80be4f7b192b5baa9e0b338e2b44789079340cd8f1152038919b2
#   - d4769e197fa34593f8dd100d010d039926696b28dc01850af1adf90ab54a176d
#   - e71a0b2b4064f3fc28bda051f26afee44e559251010473510934e7cba0f1c3f4
#   - eccef38cd872e5f541040be26c79ce1daa3d21c97a76b52a15100a19c0920cc0
# Notes:
# - More intel in Yara/ClamAV signatures.
# - While the droppers are decompressed by ClamAV, a sig was created for them.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pterodo variant outbound connection attempt"; flow:to_server,established; content:"versiya="; fast_pattern:only; http_client_body; content:"sysinfo="; http_client_body; content:"comp="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000422; rev:1;)

# --------------------
# Date: 2018-11-27
# Title: Hiding a beacon in a jquery
# Reference: Triage from:
# - https://sysopfb.github.io/malware,/reverse-engineering/2018/10/08/Beacon-in-a-jquery.html
# - http://threatexpress.com/2018/09/a-deep-dive-into-cobalt-strike-malleable-c2/
# Tests: pcaps
# Yara: NA
# ClamAV: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC CobaltStrike variant outbound beacon request"; flow:to_server,established; content:"/jquery-"; content:"Accept-Encoding: gzip, deflate|0D 0A|Cookie: __cfduid="; pcre:"/__cfduid=[a-z0-9-_]{170,}/mi"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000423; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC CobaltStrike variant inbound beacon response"; flow:to_client,established; file_data; content:"|3B|return-1|7D|,P=|22 0D|"; fast_pattern; content:!"|22|"; within:30; pcre:"/\x3breturn-1\x7d,P=\x22\x0d[^\x20-\x7a]{8}/"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000424; rev:1;)
Hi Yaser,

Thanks so much for the contributions, we'll get these into testing. We'd appreciate any pcaps, etc. you'd be willing to share!

Thanks again!

--
Marcos Rodriguez
Cisco Talos
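Several of the submitted rules combine fixed content matches with a PCRE check, and the Olympic Destroyer note proposes a new pcre for SID 44564. Before a rule goes through Snort against the pcaps, a contributor can sanity-check the matching logic on hand-built positive and negative cases. The script below is an added example, not part of the thread or of Y M's submission: it approximates the match conditions of SID 8000418 (DarkGate POST body), SID 8000423 (beacon request with an oversized __cfduid cookie) and the proposed session-cookie pcre for SID 44564 against constructed HTTP requests. The sample requests, the helper names and the simplified buffer handling (splitting the request into header block, header map and body to stand in for Snort's http_header, http_client_body and the pcre C cookie modifier) are this example's own assumptions.

```python
import re

# Constructed sample requests for this example (not taken from the thread's pcaps).
DARKGATE_HIT = (
    b"POST / HTTP/1.0\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"id=1&data=c2FtcGxl&action=ping"
)
BENIGN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sessionid=abc123\r\n"
    b"\r\n"
    b"user=alice&pass=redacted"
)
HADES_HIT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Cookie: sessionid=" + b"Q" * 27 + b"=\r\n"
    b"\r\n"
)


def cs_request(cookie_len):
    """Build a jquery-style GET whose __cfduid cookie value has cookie_len characters."""
    return (
        b"GET /jquery-3.3.1.min.js HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Accept-Encoding: gzip, deflate\r\n"
        b"Cookie: __cfduid=" + b"a" * cookie_len + b"\r\n"
        b"\r\n"
    )


def split_request(raw):
    """Split a raw HTTP request into (header block, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return head, headers, body


def matches_darkgate(raw):
    """SID 8000418: 15-byte request line, UA substring in headers, three body tokens."""
    head, _, body = split_request(raw)
    if not raw.startswith(b"POST / HTTP/1.0"):  # content + depth:15 (the string is 15 bytes)
        return False
    if b"Mozilla/4.0" not in head:  # content ... http_header
        return False
    return all(tok in body for tok in (b"id=", b"&data=", b"&action="))  # http_client_body


# Snort's /mi modifiers map onto re.M | re.I; the hyphen is escaped to keep it literal.
CFDUID_RE = re.compile(rb"__cfduid=[a-z0-9\-_]{170,}", re.M | re.I)


def matches_cobaltstrike_beacon(raw):
    """SID 8000423: two raw content matches followed by the long-cookie pcre."""
    if b"/jquery-" not in raw:
        return False
    if b"Accept-Encoding: gzip, deflate\r\nCookie: __cfduid=" not in raw:
        return False
    return CFDUID_RE.search(raw) is not None


# Proposed pcre for SID 44564 without the C modifier; it is applied to the
# Cookie header value here, which is what the C (http_cookie buffer) modifier selects.
SESSION_RE = re.compile(rb"^session(id)?=[a-zA-Z0-9+/]{27,28}=$", re.M | re.I)


def matches_hades_session_cookie(raw):
    """Apply the proposed session-cookie pcre to the request's Cookie header."""
    _, headers, _ = split_request(raw)
    cookie = headers.get(b"cookie")
    if cookie is None:
        return False
    return SESSION_RE.search(cookie) is not None


def run_checks():
    """Return (positive, negative) results for each rule so both cases are visible."""
    return {
        "sid_8000418": (matches_darkgate(DARKGATE_HIT), matches_darkgate(BENIGN_POST)),
        "sid_8000423": (matches_cobaltstrike_beacon(cs_request(180)),
                        matches_cobaltstrike_beacon(cs_request(40))),
        "sid_44564_proposed": (matches_hades_session_cookie(HADES_HIT),
                               matches_hades_session_cookie(BENIGN_POST)),
    }


if __name__ == "__main__":
    for name, (hit, miss) in run_checks().items():
        print(f"{name}: positive={hit} negative={miss}")
```

Two things the harness makes visible that are easy to miss when reading the rule text: the `^` in the proposed SID 44564 pcre means the session cookie only matches when it is the first cookie in the header value (the `m` modifier does not help, since the cookie buffer contains no line breaks), and the `{170,}` quantifier is what separates the beacon rule from ordinary `__cfduid` cookies, so a negative case with a short cookie belongs in any test set. Python's `re` is not PCRE, and this splitting is not Snort's HTTP normalization, so the script complements the pcap tests rather than replacing them.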