Re: Multiple signatures 018

[Marcos Rodriguez <mrodriguez () sourcefire com>]

On Thu, Nov 15, 2018 at 9:13 AM Y M via Snort-sigs
<snort-sigs () lists snort org> wrote:
> Hi,
>
> Pcaps and Yara/ClamAV signatures are available for the majority of the below cases.
>
> Thank you.
> YM
>
> # --------------------
> # Date: 2018-11-07
> # Title: Inside VSSDestroy Ransomware
> # Reference: Triage from: 
> https://threatvector.cylance.com/en_us/home/threat-spotlight-inside-vssdestroy-ransomware.html
> # Tests: pcap
> # Yara:
> #   - MALWARE_Win_Ransomware_VSSDestroy_VAR
> # ClamAV:
> #   - MALWARE_Win.Ransomware.VSSDestroy-VAR
> # Hashes:
> #   - 193697be39290126d24363482627ff49ad7ff76ad12bbac43f53c0a3a614db5d
> #   - 242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
> #   - 91d07adbf35edb6bb96e7b210f17b9b868ed858802727d6f69c1e5a2d37a9c53
> #   - d0c7b512610a1a206dbf4b4d8c352a26a26978abe8b5d0d3255f0b02196482a1
> # Notes:
> #   - The IP check is observed with and without a User-Agent and the domain may change..
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.VSSDestroy variant 
> post-infection outbound connection"; flow:to_server,established; content:"/addrecord.php?"; fast_pattern:only; 
> http_uri; content:"apikey="; http_uri; content:"&compuser="; http_uri; content:"&sid="; http_uri; content:"&phase="; 
> http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000401; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE User-Agent associated with external 
> IP address check detected"; flow:to_server,established; content:"User-Agent: IP retriever"; nocase; 
> fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000402; 
> rev:1;)
>
> # --------------------
> # Date: 2018-11-08
> # Title: DarkPulsar
> # Reference: https://securelist.com/darkpulsar/88199/
> # Tests: syntax only
> # Yara: NA
> # ClamAV: NA
> # Hashes: 96f10cfa6ba24c9ecd08aa6d37993fe4 (lab generated?)
>
> alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant successful connection"; 
> flow:to_server,established; flowbits:isset,smb.trans2.mid65|smb.trans2.mid66; content:"|FF|SMB|73 00 00 00 00|"; 
> depth:9; offset:4; content:"|40 00|"; within:2; distance:21; content:"|04 D6 47 33 4B AB 5E 08 4A 7D 1D 3B 72 8C 7D 
> 91 00|"; within:17; distance:27; flowbits:set,smb.trans2.mid66; metadata:ruleset community, service netbios-ssn; 
> classtype:trojan-activity; sid:8000403; rev:1;)
>
> # --------------------
> # Date: 2018-11-09
> # Title: Malware Targeting Brazil Uses Legitimate Windows Components WMI and CertUtil as Part of its Routine
> # Reference: Triage from:
> #   - 
> https://blog.trendmicro.com/trendlabs-security-intelligence/malware-targeting-brazil-uses-legitimate-windows-components-wmi-and-certutil-as-part-of-its-routine/
> #   - http://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
> # Tests: pcap
> # Yara:
> #   - MALWARE_Win_LNK_Downloader_VAR1
> #   - MALWARE_Win_Trojan_Guildma_DLL_Main
> #   - MALWARE_Win_Trojan_Guildma_DLL_Module_1
> #   - MALWARE_Win_Trojan_Guildma_DLL_Module_2
> #   - MALWARE_Win_Trojan_Guildma_DLL_Module_3
> # ClamAV:
> #   - MALWARE_Win.LNK.Downloader-VAR1-RAW
> #   - MALWARE_Win.LNK.Downloader-VAR1-CON
> #   - MALWARE_Win.Trojan.Guildma_DLL_Main
> #   - MALWARE_Win.Trojan.Guildma_DLL_Module_1
> #   - MALWARE_Win.Trojan.Guildma_DLL_Module_2
> #   - MALWARE_Win.Trojan.Guildma_DLL_Module_3
> # Hashes:
> #   - LNKs:
> #     - 1a1cbfe0e0d004f00a9829dfe0eae0d6d171154f53a93f2e8ee66757c207f6aa
> #     - 2ae32ad396f48165e8eb9fdaf8138ce078a3f1dfd6220352e5bf0f50bdf47d61
> #     - 2f170ee85862fbcf2fccf8099e254d9a07ad78ffc54ac76150911108a971aad6
> #     - 32063e61a7a9011dc74fe59df7469ee09b6b56539728d23ab9cab2afa5ce949e
> #     - 4a5f133f5f8671fdd54da4e46c983054c7d5eee82ffdca80b6946f855c034394
> #     - 4c93229e1a429bd4a69596a4687dd7b51d7de4a3b9c74d70a396de90f25fd929
> #     - 5caa69f928c159c1869d2819691d12a066920518927ac24d1a9434cceb95fbe8
> #     - 63276c25d37bf7f7e3a19a921a6f250c35fa3907910e57f4bbb69f27750286db
> #     - 695e03c97eaed0303c9527e579e69b1ba280c448476edcf97d7a289b439fa39a
> #     - 795524849b20948a339c8daaa68c0c261d0c13a42cc3d485b50d9f08cad39b4b
> #     - 959ca35720eccc22fa3789c2f2883a1038f2f7e3a0ba39ef56583390be93e731
> #     - 990e8ead229c89fd28502381ee735abf4cd4d694822db3490674497004940097
> #     - b4e830993ef79ffc641a2ac9612f74d030fd13aedf0dfbe233bb9ed79800cfed
> #     - d69e5621277e2523f110b3237ecfd103525d80df74233ac56505e73d3ca50e06
> #     - de03a803cf3f754e44062b6b023fc4bf5af4c7483f874bc3599b658ad9891fc0
> #   - Guildma DLLs (unpacked):
> #     - 18aaca5812401af6c2236053f60064b7ad5a050433a9d912fe70d409526f01c7
> #     - 1dbcc0a79876552a85eee727168236fc87fc4120d622871f1b1f0c563d1164d2
> #     - 31c90b6838ba4e1f7649abaf233f0de33a39056dc157971d4d932c579eeb12ee
> #     - 370faf00c5c85962a586064ec428780f0534310630eed5a801bd21e1709319bd
> #     - 43aed13087af5d719fe6f49964006c0f4ccb5fc7e4ca2500ee770027690e82ca
> #     - 612f3800e67eb442a6d8d2665a0a1097cd36e1e6d6ddb817eb001be13b4fb3f7
> #     - 644d2baa94dc8272a1ffe464ed03e38d882856363ce0560180e831b2e0b38c5b
> #     - 69ec793c08669b86935f9aaa38a038f92c41f429a2d2a3592556b0a70d54cf78
> #     - 6ff74a393fa29beced417c47709b61b96cca4fcac2ac25166665dd76a0682067
> #     - 7798f7f0fd5ff2f646653ed02580b771c99fee5b847303063e15e7ad0d4b37b0
> #     - 888bd1fda851543408aba27c8c481c697bcbbf5701c8963f7b2e3931d8f1dfda
> #     - 8d1f5282948204325d51bb42d3b48c6d1b4266c2b36814bc800b755e95133246
> #     - 96c48e25630607c6b15c057d43e543db85a6cdfff8956a2cc803867e5e0105ee
> #     - b346cc298f92f33a3cd37ca2069f89e5216496e06479b0a2044e9ca6bc686993
> #     - b951bb402207e0aaba9da0159801632b1e94a316d1f773a39add75ea802546b5
> #     - f19b24abde1a29572d57efbee8ebc0f36c0d87d40d7b0615c0c512081eaa7a6f
> #     - f89f02d38dc1ab0a8459e7a9d7d9776fd0f80a774988681bb369937d1bb06baa
> # Notes:
> #   - Added 25029, 25056, 25089, etc to stream5 and http_inspect
> #   - The "/v131" seems consistent but may change, ex.: the preceeding
> #     "/03/" to "/09".
> #   - Additional module(s) may exist, but were not sig'ed.
> #   - Banking trojan targeting Brazil, uses LNKs and DLLs, uses image file
> #     extensions for downloads, similarities to Metamorfo campaign?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.LNK.Downloader variant initial outbound 
> connection"; flow:to_server,established; urilen:<25; content:"/v"; http_uri; content:".xsl?"; distance:3; http_uri; 
> content:".xsl"; within:15; http_uri; content:!"Content"; http_header; content:!"Referer"; http_header; 
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000404; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound 
> connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: Microsoft 
> BITS/";http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; 
> pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000405; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound 
> connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: CertUtil URL 
> Agent";http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; http_header; 
> pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000406; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Guildma plugin request outbound 
> connection"; flow:to_server,established; urilen:<40; content:".zip?"; http_uri; content:"User-Agent: 
> Microsoft-CryptoAPI/";http_header; fast_pattern:only; content:!"Content"; http_header; content:!"Referer"; 
> http_header; pcre:"/\.(jpg|gif|dll)\.zip\x3f[0-9]{9}/U"; metadata:ruleset community, service http; 
> classtype:trojan-activity; sid:8000407; rev:1;)
>
> alert tcp any any -> any 25 (msg:"MALWARE-OTHER Win.LNK.Downloader variant file via SMTP"; 
> flow:to_server,established; flowbits:isset,file.lnk; file_data; content:"W|00|M|00|I|00|C|00|.|00|e|00|x|00|e"; 
> nocase; fast_pattern:only; content:"g|00|e|00|t|00 20 00|/|00|f|00|o|00|r|00|m|00|a|00|t|00|:"; distance:0; 
> content:"|22 00|h|00|t|00|t|00|p"; distance:0; metadata:ruleset community, service smtp; classtype:attempted-user; 
> sid:8000408; rev:1;)
>
> # --------------------
> # Date: 2018-11-11
> # Title: Win.Trojan.Emotet variant
> # Reference: Research
> # Tests: pcap
> # Yara:
> #   - MALWARE_Pdf_Dropper_Emotet
> #   - MALWARE_Doc_Dropper_Emotet
> # ClamAV:
> #   - MALWARE_Pdf.Dropper.Emotet
> #   - MALWARE_Doc.Dropper.Emotet
> # Hashes:
> #   - PDFs:
> #     - 39e69a23fc772b1fd07dbb6a4832980f19b2f053f4b8586da1e258652b0ed24e
> #     - bc1bab82efb24da0bea2425eb5357dd81f93bfa3cfbb8898f2b5e978a09026ad
> #   - Docs:
> #     - 65e4c3c3407f22722aeb6b0e477027e01aa381d83209f713b48f8b4f738528f9
> #   - EXEs:
> #     - ebecb74b4fc9dd33d0fbea870741ea8e7d02f98de8ef5da3490716aa4976238b
> # Notes:
> #   - Flow: SMTP > Pdf with link > HTTP (link) > Doc with pwsh > HTTP (pwsh) > Exe > HTTP (exe) C&C.
> #   - Need more samples to confirm Yara/ClamAV detection/behavior.
> #   - C&C appear to be more consistent across samples than files.
> #   - Emotet C&C was published in last advisory, so removing from here.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Emotet IP address check attempt"; 
> flow:to_server,established; urilen:11; content:"/whoami.php"; fast_pattern:only; http_uri; content:" MSIE "; 
> http_header; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Content"; http_header; 
> content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Connection"; http_header; metadata:ruleset 
> community, service http; classtype:trojan-activity; sid:8000410; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet payload request outbound 
> connection"; flow:to_server,established; urilen:<15; content:"/wp-content/"; http_uri; content:!"User-Agent"; 
> http_header; content:!"Content"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; 
> content:!"Connection"; http_header; pcre:"/\/wp-content\/[A-Z]/U"; metadata:ruleset community, service http; 
> classtype:trojan-activity; sid:8000411; rev:1;)
>
> # --------------------
> # Date: 2018-11-11
> # Title: Malware “WellMess” Targeting Linux and Windows
> # Reference: Triage from: https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html
> # Tests: syntax only
> # Yara:
> #   - MALWARE_Win_Trojan_WellMess_DotNet
> #   - MALWARE_Win_Trojan_WellMess_GoLang
> #   - MALWARE_Elf_Trojan_WellMess_GoLang
> # ClamAV:
> #   - MALWARE_Win.Trojan.WellMess_DotNet
> #   - MALWARE_Win.Trojan.WellMess_GoLang
> #   - MALWARE_Elf.Trojan.WellMess_GoLang
> # Hashes:
> #   - 0b8e6a11adaa3df120ec15846bb966d674724b6b92eae34d63b665e0698e0193
> #   - bec1981e422c1e01c14511d384a33c9bcc66456c1274bbbac073da825a3f537d
> #   - 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41
> # Notes:
> #   - Additional samples were found, but not visible :(
> #   - This is probably the worst sig ever, just in case your eyes hurt.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.WellMess outbound connection attempt"; 
> flow:to_server,established; urilen:1; content:"POST"; http_method; content:"Cookie"; http_header; 
> content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Expect: 100-Continue"; http_header; 
> content:"Accept-Encoding: deflate|0D 0A|"; http_header; content:!"Referer"; http_header; content:!"="; within:20; 
> http_client_body; pcre:"/[A-Za-z0-9\.\x20\x2c\x2a].*/P"; metadata:ruleset community, service http; 
> classtype:trojan-activity; sid:8000413; rev:1;)
>
> # --------------------
> # Date: 2018-11-15
> # Title: Opendir, LegacyDrawing_AutoLoad: Win.Trojan.Stimilina / Win.Ransomware.Delf-6651871-0 / AZORult
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - FILE_OFFICE_OLE_Dropper_CVE_2017_11882
> #   - FILE_OFFICE_Doc_Dropper_LegacyDrawing_AutoLoad
> #   - MALWARE_Win_Trojan_Stimilina
> # ClamAV:
> #   - FILE_OFFICE_OLE.Dropper.CVE_2017_11882
> #   - FILE_OFFICE_Doc.Dropper.LegacyDrawing_AutoLoad
> # Hashes:
> #   - Dropper:
> #     - b9d8a288dd9fd62fb2354854a3cd80e55d988ea0ea434d4adc249bb5d59c71f3
> #   - Binaries:
> #     - 0cd169df12982d013f201966d57fa77c233cadbb68ead042aa6b27cfd4c058ef
> #     - 172fddc26079fc7f3c48bac462e9f9f2c8c208f2c98d9910499f3500cefaa17c
> #     - 1f04343aebbc630e8c0479f3035dc012d353c0bdd6c4d2356ea8948a3af735c1
> #     - 926b9fbe6a71ea6d79c0366de78d99ccb5ea818277285dcf21996a505e1476b1
> #     - a15333778d612df71e987dd385b9c5e32ef25bcc7dd4331672fb17e300c3acd0
> #     - bdbe4e3ff7a86e5ab002f8884a37f06ae45dc53f9b8a4e180f77ee32d9456058
> #     - c9dd349152aa035bf2dc9a66d3394ade75fcb0e5b2e33e9c55abbecf23818813
> #     - cd664442b99d6719fbfc5f481adc13424d6d6135b2b761e98f794b952621b344
> #     - d4eeb08cf122e14fab3396d9413e63d083dfc6eea8c9dd4a75e5b51b256dea3f
> #     - d4eeb08cf122e14fab3396d9413e63d083dfc6eea8c9dd4a75e5b51b256dea3f
> #     - dd2929b27483554b5005f677ae90126da7ecedce3166fe31b07ca7530a02bba1
> #     - e3c2b60bffed7c3b861641b59815ddd4e049f0958df61d59d76c93da6181dac1
> #     - eb2718ee5898279c17d0a663132ce06efb4fac275654b48d54ba9a30c851c59a
> # Notes:
> #   - Never seen the dropper technique before, though similar to Remote Template,
> #     combined with CVE-2017-11882.
> #   - Fetches configuration from C&C server in base64 format at the end.
> #   - All binaries uploaded to VT, HA, and AA. Opendir screenshot attached.
> #   - More eyes-hurting signatures :).
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stimilina variant outbound 
> connection"; flow:to_server,established; urilen:<30; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 
> 5.1)|0D 0A|"; http_header; content:"|2F|"; offset:1; depth:1; fast_pattern; http_client_body; content:"POST"; 
> http_method; content:!"Connection"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; 
> pcre:"/\x2f(\xfa|\xfb)*/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000414; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Stimilina variant config retrieval 
> inbound connection"; flow:to_client,established; file_data; content:"</n><d>"; content:"</d>"; distance:0; 
> pcre:"/<\/n><d>[A-Za-z0-9+=]+<\/d>/"; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000415; rev:1;)
>
> # --------------------
> # Date: 2018-11-15
> # Title: XpertRAT
> # Reference: Research
> # Tests: pcaps
> # Yara: NA
> # ClamAV: NA
> # Hashes:
> #   - Droppers:
> #     - 15c438d27607046e787136625f5d5192d647662a87fbdfb5ce88e912dff61c24
> #     - 364c0c208bec32f13613844c89668baeb79df2bb915c5cf562f132056436d1fe
> #     - 4e11624e421251b1f38daef7f7fdefb5c6b363b92d9a1015f8f655d7630208d5
> #     - 64eb94c2934492b893e0eb05388d1600908bd6d19f698549f27c6143b297baaf
> #     - 920f006948f2a029245bdcf0dc84b2d3153920202abfc0825c77d72e65ddb3ff
> #     - b4a1f7f7bc991d8e4077921875a901dd957bcef0e91034052f953d4c3a280d45
> #     - d6608695f412f7f0f938fbab2d84e1cad9df0278f2a8d1c02aafeb4ac737c9b4
> #   - Binaries:
> #     - 064d1d9a20f737679bb7ce912854c7ab29f78a0716ee8bc8dc69ade02acdca5a
> #     - 1d3c280c402e62057131f64bedd12a4aa1f08bd5854e1e177f1581edc934c225
> #     - 2654d67e5286c2d1d9fc3c4c72788854ca1b01277e2c4bd598c96eb37b17c05f
> #     - 3126681755833f7236efbda8f3e949eeb38d0f6f06a3a44530d24d6d60c17205
> #     - 329f8804c800b723fad251a88556875f2f2a2624f55f5d6bc4c1b4c56ba67b53
> #     - 350aa4e3bab3e53f4a0160e770e2f4a733fcdfd80e4aec3da9e2753e8d59b659
> #     - 36eb43b50f6b9b7943d7fef904991d5df0859e5e0dd17620ede4c5bdcdaf3485
> #     - 4c4b3ad8895c8ea779e3e359b8f3610f061d4d865170e32b7af648ff0268e2b8
> #     - 5cd67222bf8fa8ecfe8a71b0f43033e6c8c92b4fb460c38eb5000be8ef024e7b
> #     - 98a0e4de95408f8c394b56d480670a95961fba578209a3a3bb92f17fabb67e70
> #     - c63b13c9c9349180bcc667d5f1a1776b80aa1e0804aee3737ba0a89b964144df
> #     - ca0f1eeff7976e051f7a4a1bc7503a781ad7d9e73dabb7930a37677015c25649
> #     - d48413c73228d35c248909d7908dabfa3032c4eac259578191c8efe0b0f6bdda
> #     - f10ccf9d9c47973cee6566eea584202f61e1ab5e79f7a14853db24b37e2eeb49
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT inbound connection"; 
> flow:to_client,established; dsize:<12; content:"|7C 30 7C A1 40 23 40 21|"; offset:3; depth:8; fast_pattern; 
> isdataat:!1,relative; metadata:ruleset community; classtype:trojan-activity; sid:8000416; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT outbound connection"; 
> flow:to_server,established; dsize:10; content:"|7C|root|7C|"; offset:3; depth:6; fast_pattern; isdataat:!1,relative; 
> metadata:ruleset community; classtype:trojan-activity; sid:8000417; rev:1;)


Hi Yaser,

As always, thanks for these submissions.  We'll get these into our
testing process and get back to you as soon as possible.  We'd
appreciate any pcaps you'd be willing to share.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!