Snort mailing list archives

Re: Multiple signatures 026


From: craig saager via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 29 Mar 2019 00:31:04 +0000 (UTC)

This is identity theft. I don’t even know who these people are and am going to the authorities. Please advise how to 
protect my privacy and identity.


Sent from Yahoo Mail for iPhone


On Wednesday, March 27, 2019, 10:36 AM, Matthew Mickel <mmickel () sourcefire com> wrote:

Hi, Yaser-
Thanks for your submissions.  We will test these rules and get back to you when we've finished.  Any PCAPs and 
ClamAV/Yara sigs you can provide are greatly appreciated.  Best,
Matt Mickel
On Mon, Mar 25, 2019 at 12:53 PM Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,
PCAPs and Yara/ClamAV signatures are available for the below cases. The last case has PCAPs only.
Thank you
YM
# --------------------
# Title: Interesting builders/packers/obfuscators recently observed
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
#   - INDICATOR_DotNet_Excutable_Packed_LibZ
#   - INDICATOR_Excutable_Packed_aPLib
#   - INDICATOR_DotNet_Executable_Packed_SmartAssembly
#   - INDICATOR_Excutable_Packed_ConfuserEx
# ClamAV:
#   - INDICATOR_DotNet_Excutable_Packed_LibZ
#   - INDICATOR_Excutable_Packed_aPLib
#   - CL_TYPE_APLIB (.ftm)
#   - INDICATOR_DotNet_Executable_Packed_SmartAssembly
#   - INDICATOR_Excutable_Packed_ConfuserEx
# Hashes:
# Notes:
#   - LibZ is an alternative to ILMerge. This was observed merging
#     Win.Trojan.NanoCore and Win.Trojan.Pony into a single binary.
#   - ConfuserEx was observed packing a NanoCore sample.
#   - SmartAssembly is observed with many HawkEye, NanoCore, Azorult.
#     Its signature below is probably the weakest of them all as there
#     may be recent variations to it.
#   - aPLib was observed with Win.Trojan.Ursnif.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000563; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000564; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable packed with aPLib detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000565; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with aPLib detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000566; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY file packed with aPLib detected"; flow:to_client,established; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; distance:16; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000567; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000568; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000569; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with SmartAssembly detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"; content:"|00 00 00 0F 03 00 00 00|"; content:"|49 44 41 54 48 4b ed|"; within:215; detection_filter:track by_dst, count 25, seconds 10; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000570; rev:1;)

# --------------------
# Title: Win.Ransomware.Lockergoga
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
#   - MALWARE_Win_Ransomware_Lockergoga
# ClamAV:
#   - MALWARE_Win.Ransomware.Lockergoga
# Hashes:
# Notes:
#   - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#     hits on newer samples 65d5dd067e and c97d9bbc80.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000571; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 2e 2e 00 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000572; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000573; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000574; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000575; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000576; rev:1;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000577; rev:1;)

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000578; rev:1;)

# --------------------
# Title: Win.Ransomware.GoldenAxe
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Ransomware_GoldenAxe
# ClamAV:
#   - MALWARE_Win.Ransomware.GoldenAxe
# Hashes:
#   - c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2 (upx-packed)
#   - 46ea76c6512812d222a7e5c60419358e59bd92fd57f6222dd07ad857d9f1c679 (upx-unpacked)
#   - e9f65336508538d3556346e481c8c05ad11ec4eb4e80418fdd9e726db1433639 (upx-packed)
#   - 09cc6841fdfdade881931f0e4a45a127d344eff85b113922e614350f9a3136d5 (upx-unpacked)
# Notes:
#   - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#     generates positive hits against the unpacked binaries.
#   - Potential (older) candidates:
#     - 3fa4b6d0419d69d0c35532f40b358c3af7315397e8952851442af523d69d49ec
#     - 6c3ac5aa7b80167d42f4c779670df9a538704243a6ce605372ae757793a1e996
#     - 7c9bc791c097ab708fd13738b2acd57620a73c8a2f905c5f14a412044b3b6d09

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Start"; flow:to_server,established; urilen:1; content:"Referer: Encryption Start - "; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000579; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise outbound connection - Encryption Finish"; flow:to_server,established; urilen:1; content:"Referer: Encryption Finish|0D 0A|"; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000580; rev:1;)

# --------------------
# Title: Win.Trojan.Emotet
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
#   - 6161a873da7602ac56bb8a8c2c897c4e7858c002e53166f84796d38359407654
#   - e700bf3681af434cb7cf77fbd0b6876ebd92d7882e36d85c5af5ba1ba6df72b5

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet outbound connection attempt"; flow:to_server,established; content:"/ HTTP/1.1|0D 0A|Referer:"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|DNT: 1|0D 0A|User-Agent: Mozilla/"; http_header; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:"POST"; http_method; pcre:"/[A-Z0-9a-z]=.+%2(F|B)/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000581; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
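The packer rules in the thread chain several content: checks with distance: and within: modifiers, which is what decides whether sid 8000565 (within:35) and sid 8000567 (distance:16) fire on the same aPLib container. The following is an added host-side triage check, not code from the submission or from Snort; it reimplements those content chains over raw file bytes, the sample buffers are constructed (no real malware), and the distance/within window handling is my reading of Snort's documented semantics.

```python
import struct

def snort_match(buf, contents):
    """Apply a chain of Snort-style content checks to buf.

    contents: list of (pattern, distance, within).  distance None means the
    pattern is not relative (searched in the whole buffer, like a bare
    content:); otherwise the search starts `distance` bytes past the end of
    the previous match and, when within is set, the pattern must end no more
    than `within` bytes past that start.  Assumption: this mirrors Snort's
    distance/within semantics; it is not Snort's own code.
    """
    cursor = 0
    for pattern, distance, within in contents:
        start = 0 if distance is None else cursor + distance
        end = len(buf) if (distance is None or within is None) else start + within
        idx = buf[start:end].find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)  # next relative check starts here
    return True

# "AP32" magic followed by the 0x18 (24-byte) header size, as in the aPLib rules
APLIB_HEADER = b"AP32" + bytes([0x18, 0x00, 0x00, 0x00])

# Content chains lifted from the posted rules (flowbits/file_data are left to Snort)
RULES = {
    "aplib_within": [(APLIB_HEADER, None, None), (b"M8Z", 0, 35)],     # sid 8000565/8000566
    "aplib_offset": [(APLIB_HEADER, None, None), (b"M8Z", 16, None)],  # sid 8000567
    "libz": [(b"\x00LibZInitializer", None, None),
             (b"\x00LibZ.Injected\x00", 0, None)],                    # sid 8000563/8000564
    "confuserex": [(b"\x00ConfusedByAttribute\x00", None, None),
                   (b"ConfuserEx v", None, None)],                     # sid 8000568/8000569
}

def classify(buf):
    """Return the names of every rule chain that matches buf, sorted."""
    return sorted(name for name, chain in RULES.items() if snort_match(buf, chain))

def aplib_sample(pad=0):
    """Constructed aPLib container (not a real sample): 24-byte header, `pad`
    filler bytes, then packed data starting with "M8Z".  With pad=0 the stub
    sits at offset 24 and both aPLib variants match; a larger pad pushes it
    out of the 35-byte within: window while distance:16 still matches."""
    header = b"AP32" + struct.pack("<IIIII", 0x18, 64, 0xDEADBEEF, 128, 0xCAFEBABE)
    return header + b"\x90" * pad + b"M8Z" + b"\x90" * 40

if __name__ == "__main__":
    for label, buf in [("aplib pad=0", aplib_sample()), ("aplib pad=20", aplib_sample(20)),
                       ("libz", b"\x00LibZInitializer\x00\x00LibZ.Injected\x00"),
                       ("confuserex", b"ConfuserEx v1.0.0\x00\x00ConfusedByAttribute\x00")]:
        print(label, "->", classify(buf))
```

Because the ConfuserEx chain has no distance: or within: on its second content, the version string is accepted anywhere in the file, before or after the attribute name, which the last sample demonstrates.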
