Snort mailing list archives
Re: Multiple signatures 026
From: Matthew Mickel <mmickel () sourcefire com>
Date: Wed, 27 Mar 2019 13:36:41 -0400
Hi, Yaser-

Thanks for your submissions. We will test these rules and get back to you when we've finished. Any PCAPs and ClamAV/Yara sigs you can provide are greatly appreciated.

Best,
Matt Mickel

On Mon, Mar 25, 2019 at 12:53 PM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

PCAPs and Yara/ClamAV signatures are available for the below cases. The last case has PCAPs only.

Thank you
YM

# --------------------
# Title: Interesting builders/packers/obfuscators recently observed
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
# - INDICATOR_DotNet_Excutable_Packed_LibZ
# - INDICATOR_Excutable_Packed_aPLib
# - INDICATOR_DotNet_Executable_Packed_SmartAssembly
# - INDICATOR_Excutable_Packed_ConfuserEx
# ClamAV:
# - INDICATOR_DotNet_Excutable_Packed_LibZ
# - INDICATOR_Excutable_Packed_aPLib
# - CL_TYPE_APLIB (.ftm)
# - INDICATOR_DotNet_Executable_Packed_SmartAssembly
# - INDICATOR_Excutable_Packed_ConfuserEx
# Hashes:
# - b992af642830ad5c2aa1ae75f556a3d238734c38ef0d6c3cfc2b889f91c39f0c (LibZ)
# - cacc1c3af8ad58b992c707bdf36ec1bd5f039dd80780ad2978cb142ccfe714d6 (aPLib)
# - 3149e5bba6530fa8acbf36367fd05f0eb2ee98352c2ed59aef316c28f0663d76 (ConfuserEx)
# - 039aa11d64377ad3719a3d637a8930b58140f60fa3c3025bf362d5f1186dc388 (SmartAssembly)
# - 0432d8f8f5493463e21e63bec2775b0768883427a3c304ed5c654295fe194f54 (SmartAssembly)
# - 059caf37845d86effe76c9884cc1ac328fb3e9e173ea7a591e39471643e46cfc (SmartAssembly)
# - 11e1997516981fa26de559e67dc30113388e01e6782349ebf450d1d1a12d02ec (SmartAssembly)
# - 3f924b7f7e4d5a880d22a7045e086164eafc1c22075e805bf16769a41d085bc6 (SmartAssembly)
# - 40390351d2356586a46c5224e0ec8e27bd6e143ade9a33fe65e14035f237f9a3 (SmartAssembly)
# - 447f6d1dc4404e993f92d1abd074be35933bf2fdafce8c13d3c75183fe82d609 (SmartAssembly)
# - 58ee50cdefcc187ce88afc7ecbe852946bcac4da013cb9f70bc86428bc1c38f4 (SmartAssembly)
# - 70030f1def1ff72fdcd64e31df5bb2f9edc53aa29552b7fe252aee6d8fb471f1 (SmartAssembly)
# - 738fe3c58d18e7cbff96ffb0752c9e48452693149630f397d3dde2f7a9e2ebae (SmartAssembly)
# - 79849bd2c0f7983623ed2da2a94a9cc57de192f823899d542887b7e87710ae1b (SmartAssembly)
# - 9a532e661cb26bb378398054833bb3f651b70116fb09c1a33ab37f3a4015c08c (SmartAssembly)
# - 9cf0d90dc29120c48b75eddd14456cb14d4909e8c1fff4abb3d16faac3db391a (SmartAssembly)
# - 9f7dca729655b97e79eff175797424b135790cf6e550b193285d04cb793e397a (SmartAssembly)
# - b0f39235a850657fbfbc528c5387943e8f4edd7867cfe0447610d71436b14157 (SmartAssembly)
# - b28f51704e94543040344a257555e8c0c3f175dcaff6a09bdd581503dfefd84e (SmartAssembly)
# - b6e788666a29a323c394c1f34fa2c9965dcdd061d7a14a90152e0e4fa7740272 (SmartAssembly)
# - b94eba88f222d0114ea940613ef7459a7d7f2ab9410abb9c1bfb2b59e063b92d (SmartAssembly)
# - ba147bb736208f03e1272cd956078cc8d799dc5e0a087f1ead61c8ef20f8a1c4 (SmartAssembly)
# - bac7beac51934f584804cc38ab154d68e6085716704714051e5b1c433e1a87f6 (SmartAssembly)
# - becae163b3aebb08e6d0791f2a61cbe3237396de09227ce23ef4ac5be0699c38 (SmartAssembly)
# - d716c64eba90657a20742dd63adbef2ce23ba76ef743aec038665266f62072f0 (SmartAssembly)
# - e98f4dbfc2c5bfe7d4f8f4a21bcab3a4f8b0a577c1f25b417371b9047eba6e66 (SmartAssembly)
# - f0170c0df25cbcb224d2237836d94d5dcc23a628fdd13300fdf085dd0a1bcbeb (SmartAssembly)
# - fdc4ff89d5c5da312194bddb810e1577942ca3469c4a6b9e4c24197e7af55832 (SmartAssembly)
# - ffba654b4866244700bb17993eee63f3a9439ffd40e6ac7ae77cc1ccd685c284 (SmartAssembly)
# - ffc18bfc45608505c5a3a9777f675e52818d794286953ceb3cdace93179ca7d8 (SmartAssembly)
# Notes:
# - LibZ is an alternative to ILMerge. This was observed merging
#   Win.Trojan.NanoCore and Win.Trojan.Pony into a single binary.
# - ConfuserEx was observed packing a NanoCore sample.
# - SmartAssembly is observed with many HawkEye, NanoCore, Azorult.
#   Its signature below is probably the weakest of them all as there
#   may be recent variations to it.
# - aPLib was observed with Win.Trojan.Ursnif.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000563; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000564; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable packed with aPLib detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000565; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with aPLib detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000566; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY file packed with aPLib detected"; flow:to_client,established; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; distance:16; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000567; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000568; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000569; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with SmartAssembly detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"; content:"|00 00 00 0F 03 00 00 00|"; content:"|49 44 41 54 48 4b ed|"; within:215; detection_filter:track by_dst, count 25, seconds 10; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000570; rev:1;)

# --------------------
# Title: Win.Ransomware.Lockergoga
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
# - MALWARE_Win_Ransomware_Lockergoga
# ClamAV:
# - MALWARE_Win.Ransomware.Lockergoga
# Hashes:
# - 14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca
# - 47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4
# - 5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c
# - 6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77
# - 7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125
# - 7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26
# - 88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f
# - 8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29
# - ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f
# - bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
# - c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a
# - c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4
# - c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
# - eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
# - f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192
# Notes:
# - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#   hits on newer samples 65d5dd067e and c97d9bbc80.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000571; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000572; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000573; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000574; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000575; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000576; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000577; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000578; rev:1;)

# --------------------
# Title: Win.Ransomware.GoldenAxe
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Ransomware_GoldenAxe
# ClamAV:
# - MALWARE_Win.Ransomware.GoldenAxe
# Hashes:
# - c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2 (upx-packed)
# - 46ea76c6512812d222a7e5c60419358e59bd92fd57f6222dd07ad857d9f1c679 (upx-unpacked)
# - e9f65336508538d3556346e481c8c05ad11ec4eb4e80418fdd9e726db1433639 (upx-packed)
# - 09cc6841fdfdade881931f0e4a45a127d344eff85b113922e614350f9a3136d5 (upx-unpacked)
# Notes:
# - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#   generates positive hits against the unpacked binaries.
# - Potential (older) candidates:
#   - 3fa4b6d0419d69d0c35532f40b358c3af7315397e8952851442af523d69d49ec
#   - 6c3ac5aa7b80167d42f4c779670df9a538704243a6ce605372ae757793a1e996
#   - 7c9bc791c097ab708fd13738b2acd57620a73c8a2f905c5f14a412044b3b6d09

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Start"; flow:to_server,established; urilen:1; content:"Referer: Encryption Start - "; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000579; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Finish"; flow:to_server,established; urilen:1; content:"Referer: Encryption Finish|0D 0A|"; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000580; rev:1;)

# --------------------
# Title: Win.Trojan.Emotet
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
# - 6161a873da7602ac56bb8a8c2c897c4e7858c002e53166f84796d38359407654
# - e700bf3681af434cb7cf77fbd0b6876ebd92d7882e36d85c5af5ba1ba6df72b5

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet outbound connection attempt"; flow:to_server,established; content:"/ HTTP/1.1|0D 0A|Referer:"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|DNT: 1|0D 0A|User-Agent: Mozilla/"; http_header; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:"POST"; http_method; pcre:"/[A-Z0-9a-z]=.+%2(F|B)/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000581; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
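The FILE-IDENTIFY rules in the quoted submission (sids 8000563 through 8000570) identify a packer purely by byte patterns and their relative positions, which is equally useful on a file that is already on disk, before it is sent through a sensor or a sandbox. The script below is an added example, not code from the mailing-list post, from Y M or from the Snort project: it copies those content strings into a small evaluator of Snort's content / distance / within chain and runs it over a file. Assumptions: a relative content is measured from the end of the previous match (Snort's handling of a content that follows a fast_pattern:only content differs in detail, so treat hits as triage, not as a rule test), and the sample buffers it builds are synthetic and constructed for the example, not real samples.

```python
"""Offline packer triage with the byte patterns of the FILE-IDENTIFY rules.

Added example, not part of the original post or the Snort project.  The chain
evaluator approximates Snort's content/distance/within semantics (assumption:
relative contents are measured from the end of the previous match).
"""
import struct
import sys

# Each chain entry is (pattern, distance, within).
#   distance None -> non-relative content, searched from the start of the buffer
#   distance N    -> the match may start no earlier than N bytes after the cursor
#   within N      -> the match must end no later than N bytes after the cursor
PACKER_RULES = {
    "LibZ": [                                            # sid 8000563 / 8000564
        (b"\x00LibZInitializer", None, None),
        (b"\x00LibZ.Injected\x00", 0, None),             # distance:0
    ],
    "aPLib": [                                           # sid 8000565 - 8000567
        (b"AP32\x18\x00\x00\x00", None, None),           # |41 50 33 32 18 00 00 00|
        (b"M8Z", 0, 35),                                 # within:35
    ],
    "ConfuserEx": [                                      # sid 8000568 / 8000569
        (b"\x00ConfusedByAttribute\x00", None, None),
        (b"ConfuserEx v", None, None),
    ],
    "SmartAssembly": [                                   # sid 8000570
        (b"QSystem.Drawing, Version=4.0.0.0, Culture=neutral, "
         b"PublicKeyToken=b03f5f7f11d50a3a", None, None),
        (b"\x00\x00\x00\x0f\x03\x00\x00\x00", None, None),
        (b"IDATHK\xed", 0, 215),                         # |49 44 41 54 48 4b ed| within:215
    ],
}


def match_chain(buf, chain):
    """Evaluate one rule's content chain against buf, keeping a cursor like
    Snort's 'detect offset end' pointer.  Returns True only if every content
    is found in the window its modifiers allow."""
    cursor = 0
    for pattern, distance, within in chain:
        if distance is None:                      # non-relative: whole buffer
            start, end = 0, len(buf)
        else:                                     # relative to previous match
            start = cursor + distance
            end = len(buf) if within is None else cursor + within
        idx = buf.find(pattern, start, end)       # match must lie inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def identify_packers(buf):
    """Names of every packer whose full chain matches, in rule order."""
    return [name for name, chain in PACKER_RULES.items() if match_chain(buf, chain)]


def scan_file(path):
    with open(path, "rb") as fh:
        return identify_packers(fh.read())


def constructed_samples():
    """Synthetic buffers constructed for this example (not real samples)."""
    # aPLib container header: 'AP32', header size 0x18, packed size, packed crc,
    # unpacked size, unpacked crc (24 bytes), then the packed stream ('M8Z').
    aplib_hdr = b"AP32" + struct.pack("<IIIII", 0x18, 0x100, 0, 0x200, 0)
    sa_c1, sa_c2, sa_c3 = (entry[0] for entry in PACKER_RULES["SmartAssembly"])
    return {
        "aplib": aplib_hdr + b"M8Z" + b"\x00" * 64,
        "libz": b"MZ" + b"\x00" * 30 + b"\x00LibZInitializer" + b"\x00" * 7
                + b"\x00LibZ.Injected\x00",
        # same two LibZ strings in the wrong order: distance:0 must reject it
        "libz_reversed": b"\x00LibZ.Injected\x00" + b"\x00" * 7 + b"\x00LibZInitializer",
        "smartassembly": sa_c1 + b"\x00" * 20 + sa_c2 + b"\x00" * 100 + sa_c3,
        # third SmartAssembly string 300 bytes after the second: within:215 must reject it
        "smartassembly_too_far": sa_c1 + sa_c2 + b"\x00" * 300 + sa_c3,
        "plain": b"MZ" + b"\x00" * 128,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(f"{path}: {scan_file(path) or 'no packer markers'}")
    else:
        for name, buf in constructed_samples().items():
            print(f"{name:22s} -> {identify_packers(buf) or 'no packer markers'}")
```

Run it with no arguments to see the constructed samples classified (the reversed LibZ order and the too-distant SmartAssembly string both fail, which is exactly what distance:0 and within:215 are there for), or pass file paths to triage files you already hold. The chain evaluator is generic, so the Lockergoga content strings from the same submission could be added to PACKER_RULES in the same way.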