Snort mailing list archives
Re: Multiple signatures 026
From: craig saager via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 29 Mar 2019 00:31:04 +0000 (UTC)
This is identity theft. I don’t even know who these people are and am going to the authorities. Please advise how to protect my privacy and identity.

Sent from Yahoo Mail for iPhone

On Wednesday, March 27, 2019, 10:36 AM, Matthew Mickel <mmickel () sourcefire com> wrote:

Hi, Yaser-

Thanks for your submissions. We will test these rules and get back to you when we've finished. Any PCAPs and ClamAV/Yara sigs you can provide are greatly appreciated.

Best,
Matt Mickel

On Mon, Mar 25, 2019 at 12:53 PM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

PCAPs and Yara/ClamAV signatures are available for the below cases. The last case has PCAPs only.

Thank you
YM

# --------------------
# Title: Interesting builders/packers/obfuscators recently observed
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
# - INDICATOR_DotNet_Excutable_Packed_LibZ
# - INDICATOR_Excutable_Packed_aPLib
# - INDICATOR_DotNet_Executable_Packed_SmartAssembly
# - INDICATOR_Excutable_Packed_ConfuserEx
# ClamAV:
# - INDICATOR_DotNet_Excutable_Packed_LibZ
# - INDICATOR_Excutable_Packed_aPLib
# - CL_TYPE_APLIB (.ftm)
# - INDICATOR_DotNet_Executable_Packed_SmartAssembly
# - INDICATOR_Excutable_Packed_ConfuserEx
# Hashes:
# - b992af642830ad5c2aa1ae75f556a3d238734c38ef0d6c3cfc2b889f91c39f0c (LibZ)
# - cacc1c3af8ad58b992c707bdf36ec1bd5f039dd80780ad2978cb142ccfe714d6 (aPLib)
# - 3149e5bba6530fa8acbf36367fd05f0eb2ee98352c2ed59aef316c28f0663d76 (ConfuserEx)
# - 039aa11d64377ad3719a3d637a8930b58140f60fa3c3025bf362d5f1186dc388 (SmartAssembly)
# - 0432d8f8f5493463e21e63bec2775b0768883427a3c304ed5c654295fe194f54 (SmartAssembly)
# - 059caf37845d86effe76c9884cc1ac328fb3e9e173ea7a591e39471643e46cfc (SmartAssembly)
# - 11e1997516981fa26de559e67dc30113388e01e6782349ebf450d1d1a12d02ec (SmartAssembly)
# - 3f924b7f7e4d5a880d22a7045e086164eafc1c22075e805bf16769a41d085bc6 (SmartAssembly)
# - 40390351d2356586a46c5224e0ec8e27bd6e143ade9a33fe65e14035f237f9a3 (SmartAssembly)
# - 447f6d1dc4404e993f92d1abd074be35933bf2fdafce8c13d3c75183fe82d609 (SmartAssembly)
# - 58ee50cdefcc187ce88afc7ecbe852946bcac4da013cb9f70bc86428bc1c38f4 (SmartAssembly)
# - 70030f1def1ff72fdcd64e31df5bb2f9edc53aa29552b7fe252aee6d8fb471f1 (SmartAssembly)
# - 738fe3c58d18e7cbff96ffb0752c9e48452693149630f397d3dde2f7a9e2ebae (SmartAssembly)
# - 79849bd2c0f7983623ed2da2a94a9cc57de192f823899d542887b7e87710ae1b (SmartAssembly)
# - 9a532e661cb26bb378398054833bb3f651b70116fb09c1a33ab37f3a4015c08c (SmartAssembly)
# - 9cf0d90dc29120c48b75eddd14456cb14d4909e8c1fff4abb3d16faac3db391a (SmartAssembly)
# - 9f7dca729655b97e79eff175797424b135790cf6e550b193285d04cb793e397a (SmartAssembly)
# - b0f39235a850657fbfbc528c5387943e8f4edd7867cfe0447610d71436b14157 (SmartAssembly)
# - b28f51704e94543040344a257555e8c0c3f175dcaff6a09bdd581503dfefd84e (SmartAssembly)
# - b6e788666a29a323c394c1f34fa2c9965dcdd061d7a14a90152e0e4fa7740272 (SmartAssembly)
# - b94eba88f222d0114ea940613ef7459a7d7f2ab9410abb9c1bfb2b59e063b92d (SmartAssembly)
# - ba147bb736208f03e1272cd956078cc8d799dc5e0a087f1ead61c8ef20f8a1c4 (SmartAssembly)
# - bac7beac51934f584804cc38ab154d68e6085716704714051e5b1c433e1a87f6 (SmartAssembly)
# - becae163b3aebb08e6d0791f2a61cbe3237396de09227ce23ef4ac5be0699c38 (SmartAssembly)
# - d716c64eba90657a20742dd63adbef2ce23ba76ef743aec038665266f62072f0 (SmartAssembly)
# - e98f4dbfc2c5bfe7d4f8f4a21bcab3a4f8b0a577c1f25b417371b9047eba6e66 (SmartAssembly)
# - f0170c0df25cbcb224d2237836d94d5dcc23a628fdd13300fdf085dd0a1bcbeb (SmartAssembly)
# - fdc4ff89d5c5da312194bddb810e1577942ca3469c4a6b9e4c24197e7af55832 (SmartAssembly)
# - ffba654b4866244700bb17993eee63f3a9439ffd40e6ac7ae77cc1ccd685c284 (SmartAssembly)
# - ffc18bfc45608505c5a3a9777f675e52818d794286953ceb3cdace93179ca7d8 (SmartAssembly)
# Notes:
# - LibZ is an alternative to ILMerge. This was observed merging
#   Win.Trojan.NanoCore and Win.Trojan.Pony into a single binary.
# - ConfuserEx was observed packing a NanoCore sample.
# - SmartAssembly is observed with many HawkEye, NanoCore, Azorult.
#   Its signature below is probably the weakest of them all as there
#   may be recent variations to it.
# - aPLib was observed with Win.Trojan.Ursnif.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000563; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000564; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable packed with aPLib detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000565; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with aPLib detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000566; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY file packed with aPLib detected"; flow:to_client,established; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; distance:16; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000567; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000568; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000569; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with SmartAssembly detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"; content:"|00 00 00 0F 03 00 00 00|"; content:"|49 44 41 54 48 4b ed|"; within:215; detection_filter:track by_dst, count 25, seconds 10; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000570; rev:1;)

# --------------------
# Title: Win.Ransomware.Lockergoga
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
# - MALWARE_Win_Ransomware_Lockergoga
# ClamAV:
# - MALWARE_Win.Ransomware.Lockergoga
# Hashes:
# - 14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca
# - 47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4
# - 5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c
# - 6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77
# - 7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125
# - 7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26
# - 88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f
# - 8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29
# - ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f
# - bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
# - c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a
# - c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4
# - c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
# - eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
# - f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192
# Notes:
# - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#   hits on newer samples 65d5dd067e and c97d9bbc80.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000571; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000572; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000573; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000574; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000575; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000576; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000577; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000578; rev:1;)

# --------------------
# Title: Win.Ransomware.GoldenAxe
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Ransomware_GoldenAxe
# ClamAV:
# - MALWARE_Win.Ransomware.GoldenAxe
# Hashes:
# - c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2 (upx-packed)
# - 46ea76c6512812d222a7e5c60419358e59bd92fd57f6222dd07ad857d9f1c679 (upx-unpacked)
# - e9f65336508538d3556346e481c8c05ad11ec4eb4e80418fdd9e726db1433639 (upx-packed)
# - 09cc6841fdfdade881931f0e4a45a127d344eff85b113922e614350f9a3136d5 (upx-unpacked)
# Notes:
# - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#   generates positive hits against the unpacked binaries.
# - Potential (older) candidates:
#   - 3fa4b6d0419d69d0c35532f40b358c3af7315397e8952851442af523d69d49ec
#   - 6c3ac5aa7b80167d42f4c779670df9a538704243a6ce605372ae757793a1e996
#   - 7c9bc791c097ab708fd13738b2acd57620a73c8a2f905c5f14a412044b3b6d09

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Start"; flow:to_server,established; urilen:1; content:"Referer: Encryption Start - "; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000579; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Finish"; flow:to_server,established; urilen:1; content:"Referer: Encryption Finish|0D 0A|"; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000580; rev:1;)

# --------------------
# Title: Win.Trojan.Emotet
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
# - 6161a873da7602ac56bb8a8c2c897c4e7858c002e53166f84796d38359407654
# - e700bf3681af434cb7cf77fbd0b6876ebd92d7882e36d85c5af5ba1ba6df72b5

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet outbound connection attempt"; flow:to_server,established; content:"/ HTTP/1.1|0D 0A|Referer:"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|DNT: 1|0D 0A|User-Agent: Mozilla/"; http_header; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:"POST"; http_method; pcre:"/[A-Z0-9a-z]=.+%2(F|B)/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000581; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
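The FILE-IDENTIFY rules in the quoted submission (LibZ, aPLib, ConfuserEx) all hinge on how Snort's relative content modifiers compose: `distance:N` is a minimum gap after the previous match, `within:N` is a window the next pattern must fall entirely inside, and a content with neither is searched over the whole buffer. The following is an added example, written for this page and not part of the thread or of Snort itself: a small Python emulation of those three modifiers, with the packer patterns transcribed from the rules above and run over constructed byte samples. The matching model is deliberately simplified (Snort can retry later occurrences of an earlier content; this takes the first), the `aplib_blob` helper and the 24-byte `AP32` header layout it builds are my reading of the aPLib container format, and none of the sample buffers are real malware.

```python
"""Emulate Snort content / distance / within matching for the packer rules above.
Added example: not Snort code and not from the original post.  All sample
bytes below are constructed, not taken from real samples."""

import struct
from typing import Dict, List, Optional, Tuple

# One content option: (pattern, distance, within), None where the rule has no such modifier.
Content = Tuple[bytes, Optional[int], Optional[int]]


def match_contents(data: bytes, contents: List[Content]) -> bool:
    """True if every content matches in order, honouring relative modifiers.

    Simplified model of Snort's behaviour (first occurrence only, no backtracking):
      * neither distance nor within -> search the whole buffer
      * distance:N                  -> search starts N bytes after the previous match ends
      * within:N                    -> the pattern must lie entirely inside the next N bytes
                                       counted from that start point
    """
    prev_end = 0
    for pattern, distance, within in contents:
        if distance is None and within is None:
            start, end = 0, len(data)
        else:
            start = prev_end + (distance or 0)
            end = len(data) if within is None else min(len(data), start + within)
        # bytes.find(sub, start, end) only reports matches wholly inside [start, end)
        idx = data.find(pattern, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pattern)
    return True


# Patterns transcribed from the rules quoted above (sids are the submitter's local ids).
SIGNATURES: Dict[str, List[Content]] = {
    "LibZ (sid 8000563/4)": [
        (b"\x00LibZInitializer", None, None),
        (b"\x00LibZ.Injected\x00", 0, None),   # distance:0 -> must come after the first match
    ],
    "aPLib (sid 8000565/6)": [
        (b"AP32\x18\x00\x00\x00", None, None),  # |41 50 33 32 18 00 00 00|
        (b"M8Z", None, 35),                     # within:35 of the end of the header match
    ],
    "aPLib (sid 8000567)": [
        (b"AP32\x18\x00\x00\x00", None, None),
        (b"M8Z", 16, None),                     # distance:16 -> skip the rest of the header
    ],
    "ConfuserEx (sid 8000568/9)": [
        (b"\x00ConfusedByAttribute\x00", None, None),
        (b"ConfuserEx v", None, None),          # no modifier: anywhere in the buffer, any order
    ],
}


def classify(data: bytes) -> List[str]:
    """Names of every signature whose contents all match the buffer."""
    return [name for name, contents in SIGNATURES.items() if match_contents(data, contents)]


def aplib_blob(packed: bytes, original_len: int) -> bytes:
    """Constructed aPLib 'AP32' container (assumed layout): magic, header size 0x18,
    packed size, packed crc, original size, original crc (24 bytes), then the stream."""
    header = b"AP32" + struct.pack("<IIIII", 0x18, len(packed), 0, original_len, 0)
    return header + packed


# Constructed samples: just enough structure to exercise each modifier.
SAMPLE_APLIB = aplib_blob(b"M8Z" + b"\x90" * 64, 4096)          # "M8Z" lands at offset 24
SAMPLE_APLIB_FAR = b"AP32\x18\x00\x00\x00" + b"\x00" * 40 + b"M8Z"  # "M8Z" at offset 48
SAMPLE_LIBZ = (b"\x00LibZInitializer\x00" + b"\x00" * 8
               + b"\x00LibZ.Injected\x00" + b"A" * 16)
SAMPLE_LIBZ_REVERSED = b"\x00LibZ.Injected\x00" + b"\x00LibZInitializer\x00"
SAMPLE_CONFUSER = b"ConfuserEx v1.0.0" + b"\x00" * 4 + b"\x00ConfusedByAttribute\x00"

if __name__ == "__main__":
    for label, buf in [("aplib", SAMPLE_APLIB), ("aplib_far", SAMPLE_APLIB_FAR),
                       ("libz", SAMPLE_LIBZ), ("libz_reversed", SAMPLE_LIBZ_REVERSED),
                       ("confuser", SAMPLE_CONFUSER)]:
        print(f"{label:14s} -> {classify(buf)}")
```

Two things the run makes visible that the rules alone do not: `SAMPLE_APLIB_FAR` is caught by the `distance:16` variant but not by the `within:35` one, because `distance` only sets a lower bound while `within` caps the window; and `SAMPLE_LIBZ_REVERSED` matches neither LibZ rule, because `distance:0` forces `LibZ.Injected` to follow `LibZInitializer`, whereas the ConfuserEx rule accepts its two strings in either order. When you need ground truth rather than an emulation, run the rule in Snort against the file2pcap output as the submitter did.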
Current thread:
- Multiple signatures 026 Y M via Snort-sigs (Mar 25)
- Re: Multiple signatures 026 Matthew Mickel (Mar 27)
- Re: Multiple signatures 026 craig saager via Snort-sigs (Mar 28)
- Re: Multiple signatures 026 Joel Esler (jesler) via Snort-sigs (Mar 28)
- Re: Multiple signatures 026 wkitty42--- via Snort-sigs (Mar 29)
- Re: Multiple signatures 026 craig saager via Snort-sigs (Mar 28)
- Re: Multiple signatures 026 Matthew Mickel (Mar 27)