Snort mailing list archives

Re: Multiple signatures 026


From: Matthew Mickel <mmickel () sourcefire com>
Date: Wed, 27 Mar 2019 13:36:41 -0400

Hi, Yaser-

Thanks for your submissions.  We will test these rules and get back to you
when we've finished.  Any PCAPs and ClamAV/Yara sigs you can provide are
greatly appreciated.  Best,

Matt Mickel

On Mon, Mar 25, 2019 at 12:53 PM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

PCAPs and Yara/ClamAV signatures are available for the below cases. The
last case has PCAPs only.

Thank you
YM

# --------------------
# Title: Interesting builders/packers/obfuscators recently observed
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
#   - INDICATOR_DotNet_Excutable_Packed_LibZ
#   - INDICATOR_Excutable_Packed_aPLib
#   - INDICATOR_DotNet_Executable_Packed_SmartAssembly
#   - INDICATOR_Excutable_Packed_ConfuserEx
# ClamAV:
#   - INDICATOR_DotNet_Excutable_Packed_LibZ
#   - INDICATOR_Excutable_Packed_aPLib
#   - CL_TYPE_APLIB (.ftm)
#   - INDICATOR_DotNet_Executable_Packed_SmartAssembly
#   - INDICATOR_Excutable_Packed_ConfuserEx
# Hashes:
# Notes:
#   - LibZ is an alternative to ILMerge. This was observed merging
#     Win.Trojan.NanoCore and Win.Trojan.Pony into a single binary.
#   - ConfuserEx was observed packing a NanoCore sample.
#   - SmartAssembly is observed with many HawkEye, NanoCore and Azorult samples.
#     Its signature below is probably the weakest of them all as there
#     may be recent variations to it.
#   - aPLib was observed with Win.Trojan.Ursnif.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000563; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000564; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable packed with aPLib detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000565; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with aPLib detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000566; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY file packed with aPLib detected"; flow:to_client,established; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; distance:16; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000567; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000568; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000569; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with SmartAssembly detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"; content:"|00 00 00 0F 03 00 00 00|"; content:"|49 44 41 54 48 4b ed|"; within:215; detection_filter:track by_dst, count 25, seconds 10; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000570; rev:1;)

# --------------------
# Title: Win.Ransomware.Lockergoga
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
#   - MALWARE_Win_Ransomware_Lockergoga
# ClamAV:
#   - MALWARE_Win.Ransomware.Lockergoga
# Hashes:
# Notes:
#   - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#     hits on newer samples 65d5dd067e and c97d9bbc80.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000571; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000572; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000573; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000574; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000575; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000576; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000577; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000578; rev:1;)

# --------------------
# Title: Win.Ransomware.GoldenAxe
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Ransomware_GoldenAxe
# ClamAV:
#   - MALWARE_Win.Ransomware.GoldenAxe
# Hashes:
#   - c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2 (upx-packed)
#   - 46ea76c6512812d222a7e5c60419358e59bd92fd57f6222dd07ad857d9f1c679 (upx-unpacked)
#   - e9f65336508538d3556346e481c8c05ad11ec4eb4e80418fdd9e726db1433639 (upx-packed)
#   - 09cc6841fdfdade881931f0e4a45a127d344eff85b113922e614350f9a3136d5 (upx-unpacked)
# Notes:
#   - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#     generates positive hits against the unpacked binaries.
#   - Potential (older) candidates:
#     - 3fa4b6d0419d69d0c35532f40b358c3af7315397e8952851442af523d69d49ec
#     - 6c3ac5aa7b80167d42f4c779670df9a538704243a6ce605372ae757793a1e996
#     - 7c9bc791c097ab708fd13738b2acd57620a73c8a2f905c5f14a412044b3b6d09

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Start"; flow:to_server,established; urilen:1; content:"Referer: Encryption Start - "; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000579; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Finish"; flow:to_server,established; urilen:1; content:"Referer: Encryption Finish|0D 0A|"; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000580; rev:1;)

# --------------------
# Title: Win.Trojan.Emotet
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
#   - 6161a873da7602ac56bb8a8c2c897c4e7858c002e53166f84796d38359407654
#   - e700bf3681af434cb7cf77fbd0b6876ebd92d7882e36d85c5af5ba1ba6df72b5

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet outbound connection attempt"; flow:to_server,established; content:"/ HTTP/1.1|0D 0A|Referer:"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|DNT: 1|0D 0A|User-Agent: Mozilla/"; http_header; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:"POST"; http_method; pcre:"/[A-Z0-9a-z]=.+%2(F|B)/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000581; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
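As an added illustration (not part of the submission, and not Snort code), a toy Python evaluator for the content/distance/within logic in the aPLib and LibZ FILE-IDENTIFY rules above, run over constructed byte buffers rather than real samples; `parse_content`, `match` and the sample buffers are my own names and inputs.

```python
def parse_content(spec):
    """Decode a Snort content string: |..| runs are hex bytes, the rest is
    literal text, e.g. "|00|LibZ.Injected|00|" or "|41 50 33 32 18 00 00 00|"."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def match(buf, contents):
    """contents: (spec, distance, within) triples in rule order.
    A content with neither modifier is searched over the whole buffer;
    distance skips N bytes past the end of the previous match, within
    requires the match to end at most N bytes past it. The posted rules
    never combine the two on one content, so that case is not modelled."""
    cursor = 0
    for spec, distance, within in contents:
        pat = parse_content(spec)
        if distance is None and within is None:
            start, end = 0, len(buf)
        else:
            start = cursor + (distance or 0)
            end = len(buf) if within is None else cursor + within
        pos = buf.find(pat, start, end)
        if pos < 0:
            return False
        cursor = pos + len(pat)
    return True

# Content chains copied from sid 8000566 (within:35), 8000567 (distance:16)
# and 8000564 (distance:0); flow, flowbits, file_data and fast_pattern are
# ignored and every buffer is treated as the reassembled file.
APLIB_WITHIN = [("|41 50 33 32 18 00 00 00|", None, None), ("M8Z", None, 35)]
APLIB_DISTANCE = [("|41 50 33 32 18 00 00 00|", None, None), ("M8Z", 16, None)]
LIBZ = [("|00|LibZInitializer", None, None), ("|00|LibZ.Injected|00|", 0, None)]

# Constructed buffers, not real samples. The AP32 header is 0x18 = 24 bytes:
# 8 bytes of tag and header size (the first content) plus 16 bytes of sizes
# and CRCs, so the packed stream begins 16 bytes after the first match ends.
AP32_HDR = b"AP32" + (0x18).to_bytes(4, "little") + b"\x00" * 16
APLIB_TIGHT = AP32_HDR + b"M8Z" + b"\x90" * 8      # both aPLib rules fire
APLIB_LOOSE = AP32_HDR + b"\x00" * 44 + b"M8Z"     # within:35 fails, distance:16 holds
LIBZ_SAMPLE = b"\x00LibZInitializer\x00\x00LibZ.Injected\x00"
LIBZ_REVERSED = b"\x00LibZ.Injected\x00\x00LibZInitializer"  # distance:0 enforces order

if __name__ == "__main__":
    for name, buf, chain in [("aPLib tight/within", APLIB_TIGHT, APLIB_WITHIN),
                             ("aPLib loose/within", APLIB_LOOSE, APLIB_WITHIN),
                             ("aPLib loose/distance", APLIB_LOOSE, APLIB_DISTANCE),
                             ("LibZ reversed", LIBZ_REVERSED, LIBZ)]:
        print(f"{name}: {match(buf, chain)}")
```

The loose buffer shows why sid 8000567 (distance:16, no within) is the broader of the two aPLib client-side rules: it accepts any gap between the header and the packed stream, where within:35 bounds it.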
