Snort mailing list archives
Zebrocy family sigs
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 27 Apr 2018 14:03:31 +0000
Hi,

The below rules are based on the information provided by the reference. The traffic from the hashes listed below was tested against the rules. Pcaps are available.

# Title: Sednit update: Analysis of Zebrocy
# Reference: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
# Tests: pcap
# Hashes: 54b14fc84f152b43c63babc46f2597b053e94627 (Delf Downloader), d379b94a3eb4fd9c9a973f64d436d7fc2e9d6762 (AutoIt Downloader), 4ccbe222bd97dc229b36efaf52520939da9d51c8 (Delf Backdoor), cdf9c24b86bc9a872035dcf3f53f380c904ed98b (Delf Backdoor)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; pcre:"/\.(php|dat)\x3ffort\x3d[A-Z0-9]{8,16}/U"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000022; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/protocol.php"; fast_pattern:only; http_uri; content:"porg="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000023; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family AutoIt downloader outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"dbgate="; fast_pattern:only; http_client_body; content:"win32="; http_client_body; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000024; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family Delphi backdoor outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition: form-data|3B| name=|22|userfile|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000025; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy family bad known user-agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla v"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a\x20Mozilla\x20v[0-9]/Hi"; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/; classtype:trojan-activity; sid:8000026; rev:1;)

Thanks
YM
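As an added illustration (editor's code, not Snort and not part of the post above), the following Python re-implements the match logic of the five rules against parsed HTTP requests, so that the buffer semantics each rule relies on can be checked offline: http_uri versus http_client_body versus http_header, the trailing CRLF that the "|0D 0A|" patterns require in the header buffer, the negated User-Agent match in sid 8000023, and the case-sensitive content match combined with a case-insensitive pcre in sid 8000026. The sample requests are constructed for this example and are not captures from the hashes listed; "example.invalid" is a reserved placeholder host.

```python
import re

# Added illustration: a plain-Python re-implementation of the match logic of the
# five Snort rules in the post. It is not Snort and not the poster's code; the
# sample requests below are constructed here, not taken from the listed pcaps.

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into the buffers the rules inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    # Keep each header's trailing CRLF so "|0D 0A|"-terminated patterns can match.
    headers = b"".join(line + b"\r\n" for line in header_lines)
    return {"method": method, "uri": uri, "headers": headers, "body": body}

ACCEPT_IDENTITY = b"Accept-Encoding: identity\r\n"  # content:"Accept-Encoding|3A 20|identity|0D 0A|"
USERFILE_PART = b'Content-Disposition: form-data; name="userfile"; filename="'

RULES = {
    # sid 8000022, Delphi downloader: POST, "?fort=" on a .php/.dat URI followed by
    # 8-16 upper-case alphanumerics, "pol=" in the body, identity encoding header.
    8000022: lambda r: (
        r["method"] == b"POST"
        and b"?fort=" in r["uri"]
        and b"pol=" in r["body"]
        and ACCEPT_IDENTITY in r["headers"]
        and re.search(rb"\.(php|dat)\?fort=[A-Z0-9]{8,16}", r["uri"]) is not None
    ),
    # sid 8000023, Delphi downloader: POST to /protocol.php with "porg=" in the body
    # and NO User-Agent header at all (the negated content match).
    8000023: lambda r: (
        r["method"] == b"POST"
        and b"/protocol.php" in r["uri"]
        and b"porg=" in r["body"]
        and b"User-Agent" not in r["headers"]
    ),
    # sid 8000024, AutoIt downloader: POST whose body carries both "dbgate=" and "win32=".
    8000024: lambda r: (
        r["method"] == b"POST"
        and b"dbgate=" in r["body"]
        and b"win32=" in r["body"]
    ),
    # sid 8000025, Delphi backdoor: multipart upload of a "userfile" part plus the
    # identity encoding header.
    8000025: lambda r: (
        r["method"] == b"POST"
        and USERFILE_PART in r["body"]
        and ACCEPT_IDENTITY in r["headers"]
    ),
    # sid 8000026, known-bad user agent: exact "User-Agent: Mozilla v" content match,
    # then the case-insensitive pcre requiring a digit after the "v".
    8000026: lambda r: (
        b"User-Agent: Mozilla v" in r["headers"]
        and re.search(rb"User-Agent: Mozilla v[0-9]", r["headers"], re.I) is not None
    ),
}

def matching_sids(raw: bytes) -> list:
    """Return the sids whose checks all pass for one raw request, lowest sid first."""
    req = parse_request(raw)
    return [sid for sid, check in sorted(RULES.items()) if check(req)]

# Constructed sample requests (editor-made, not real captures).
SAMPLES = {
    "delphi_downloader": (
        b"POST /page.php?fort=AB12CD34EF HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"Accept-Encoding: identity\r\n"
        b"Content-Length: 13\r\n"
        b"\r\n"
        b"pol=ZZZZZZZZZ"
    ),
    "autoit_downloader": (
        b"POST /index.php HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Accept-Encoding: gzip\r\n"
        b"Content-Length: 16\r\n"
        b"\r\n"
        b"dbgate=1&win32=2"
    ),
    "odd_user_agent": (
        b"GET / HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla v5\r\n"
        b"\r\n"
    ),
    # Looks like sid 8000023 traffic but carries a User-Agent header, so the
    # negated header match keeps that rule quiet.
    "benign_lookalike": (
        b"POST /protocol.php HTTP/1.1\r\n"
        b"Host: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"Accept-Encoding: gzip\r\n"
        b"\r\n"
        b"porg=1"
    ),
}

def scan_samples() -> dict:
    """Run every sample through the rule set; maps sample name to matching sids."""
    return {name: matching_sids(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, sids in scan_samples().items():
        print(f"{name:20s} -> {sids or 'no match'}")
```

The benign_lookalike sample is the one worth keeping in a test set: it carries both the /protocol.php URI and the porg= body that sid 8000023 keys on, and only the negated User-Agent match separates it from a hit, which is exactly the check that gets lost if a rule is ported to a platform whose header buffer does not include the full header block.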