Re: Multiple signatures 022

[Matthew Mickel <mmickel () sourcefire com>]

Hi, Yaser-

Thanks for your submission.  We will test these and get back to you when we’re finished.  Any PCAPs you can provide are 
greatly appreciated.  Best,

Matt Mickel

> On Jan 22, 2019, at 8:35 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> Hi,
>
> Hope everybody is have a good week. PCAPs and ClamAV/Yara for all cases below are available. The only exception is 
> the android sigs at the end where only the PCAPs are available.
>
> Thank you for reading!
> YM
>
> # --------------------
> # Date: 2019-01-17
> # Title: Win.Trojan.Nymaim/GozNym
> # Reference: Research
> # Tests: pcaps
> # Yara: MEM_MALWARE_Win_Trojan_GozNym_CONF
> # ClamAV: MEM_MALWARE_Win.Trojan.GozNym-CONF
> # Hashes:
> #   - 5325a313e9462baba123761b402f2cf4cc130dc05257b34293c88bc7080a8e0d > Dropper
> #   - c85c2fd0fe29dd12d532ffbe1805b3b51d665c9cdd2892d328751dfdadef1484 > Persisted
> # Notes:
> #   - Domains: antiquith[.]pw, antiquith[.]pw, charolined[.]pw, controved[.]pw
> #              councial[.]pw, dluow[.]pw, econofsky[.]pw, esehsilpxe[.]pw
> #              evoluntal[.]pw, freshwallet[.]at, ipswine[.]pw, listmyfloor[.]com
> #              outsidered[.]pw, resuminia[.]pw, ruolf[.]host, tfulf[.]host
> #   - 91 new documents since the earlier GozNym post. All with password 1234.
> #   - GozNym Yara/ClamAV signatures posted earlier are applicable.
> #   - SSL (domain list) URI is in the format: /in.php?%c=%u&%c=%0.8X%0.8X%0.2X&%c=%u&%c=%u
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GozNym variant post-config 
> websocket outbound connection"; flow:to_server,established; content:"/data2.php"; fast_pattern:only; 
> content:"Upgrade: websocket|0D 0A|"; http_header; content:"Connection: Upgrade"; http_header; content:!"User-Agent"; 
> http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000461; rev:1;)
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GozNym variant certificate exchange"; 
> flow:to_client,established; ssl_state:server_hello; content:"intimidate outpatient"; fast_pattern:only; 
> content:"ErvIn|27|s.space"; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000462; rev:2;)
>
> # --------------------
> # Date: 2019-01-19
> # Title: Documents with AMSI Bypass Attempts
> # Reference: Research
> # Tests: pcaps 
> # Yara:
> #    - INDICATOR_RTF_Embedding_Excel
> #    - INDICATOR_Excel_Suspicious_Operations
> #    - TTP_AMSI_Bypass
> # ClamAV:
> #    - INDICATOR_RTF.Embedding.Excel
> #    - INDICATOR_Excel.Suspicious.Operations
> #    - TTP.AMSI.Bypass
> # Hashes:
> #   - 03ad57bfdcd8b4ec8725044c886cd357edd0bf9e1cce08cef44bac9f65e0c552
> #   - 2ad30086c24898e261465698cee9efa7c9357a7462c5a967ff62cb8abd6e97eb
> #   - 494737ffd5f65dc19ae2d1943ef961823e84187eb9200ff49a64e36096fba2d2
> #   - 4ce92588e9af60cf8979abd0031e4561d077e16ba07c65e6dff1e565fe9d3368
> #   - 6e6d1eecd7a0205cf4d8e2659212ad48e5fdf7f48e45a7790ea80c6080ef69a4
> #   - 6da86b5ba028ddfd9646da6467cdaca4d698b72b165045561bcf7a65449dba85
> # Notes:
> #   - PCRE from 8000465 can be expanded to include numbers or 
> #     can be removed althogether, though it helps keeping FPs, if any, down.
> #   - The AMSI bypass line is detected as "HackTool:PowerShell/PsAttack.A",
> #     not shown here because it might trigger AV.
> #   - SID 8000467 below may have FPs associated with it, ex: Symantec SPOC updates.
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel 
> Workbook"; flow:to_client,established; flowbits:isset,file.rtf; file_data; 
> content:"2008020000000000c000000000000046"; fast_pattern:only; metadata:ruleset community, service ftp-data, service 
> http, service imap, service pop3; classtype:attempted-user; sid:8000463; rev:2;)
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel 
> Workbook"; flow:to_client,established; flowbits:isset,file.rtf; file_data; 
> content:"446f63756d656e743d54686973576f726b626f6f6b2f264"; fast_pattern:only; metadata:ruleset community, service 
> ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:8000464; rev:2;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; 
> flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"2008020000000000c000000000000046"; 
> metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000465; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-OBFUSCATION RTF file with embedded Excel Workbook"; 
> flow:to_server,established; flowbits:isset,file.rtf; file_data; 
> content:"446f63756d656e743d54686973576f726b626f6f6b2f264"; metadata:ruleset community, service smtp; 
> classtype:attempted-user; sid:8000466; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound suspicious short 
> User-Agent"; flow:to_server,established; content:"User-Agent: "; http_header; content:"|0D 0A|"; within:7; 
> http_header; content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; 
> pcre:"/User-Agent: [A-Z]{4,5}\x0d\x0a/H"; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000467; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE known malicious User-Agent - 
> who-nop"; flow:to_server,established; content:"User-Agent: who-nop"; fast_pattern:only; http_header; 
> content:!"Accept"; http_header; content:!"Content"; http_header; content:!"Referer"; http_header; metadata:ruleset 
> community, service http; classtype:trojan-activity; sid:8000468; rev:1;)
>
> # --------------------
> # Date: 2019-01-20
> # Title: Another Win.Trojan.Pterodo Sample
> # Reference: Research
> # Tests: pcaps
> # Yara: See notes.
> # ClamAV: See notes
> # Hashes:
> #   - Dropper: acd1719eea0042e5ffc41a94bd8bd94b9702f686b0787decdfbec7156d8fddda
> # Notes:
> #   - The following singatures from a previous submission are still valid:
> #     - Yara: MALWARE_Win_Trojan_Pterodo_LNK
> #     - Yara: MALWARE_Win_Trojan_Pterodo_CMD_CNC
> #     - Yara: MALWARE_Win_Trojan_Pterodo_CMD_OPS
> #     - Yara: MALWARE_Win_Trojan_Pterodo_Dropper
> #     - Yara: MALWARE_Win_Trojan_Pterodo_CNC
> #     - ClamAV: MALWARE_Win.Trojan.Pterodo_Dropper
> #     - ClamAV: MALWARE_Win.Trojan.Pterodo_LNK
> #     - ClamAV: MALWARE_Win.Trojan.Pterodo_CMD_CNC
> #     - ClamAV: MALWARE_Win_Trojan.Pterodo_CNC
> #     - ClamAV: MALWARE_Win.Trojan.Pterodo_Dropper
> #     - Snort: 8000422
> #   - Slightly modified Yara rule MALWARE_Win_Trojan_Pterodo_Dropper
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE outbound wget request with form 
> data"; flow:to_server,established; content:"POST / HTTP/1.0"; fast_pattern:only; content:"User-Agent: Wget/"; 
> http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, 
> service http; classtype:trojan-activity; sid:8000469; rev:1;)
>
> # --------------------
> # Date: 2019-01-15
> # Title: Win.Trojan.TeamBot
> # Reference: Research
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Win_Trojan_TeamBot_SARCH
> #   - MALWARE_Win_Trojan_TeamBot_DLL
> #   - MALWARE_Win_Trojan_TeamBot_DLNDR
> # ClamAV:
> #   - MALWARE_Win.Trojan.TeamBot-SARCH
> #   - MALWARE_Win.Trojan.TeamBot-DLL
> #   - MALWARE_Win.Trojan.TeamBot-DLNDR
> # Hashes:
> #   - Self-extracting Archives:
> #     - 3024ca140830e8eaf6634c1fd00bdfbd3968c3e96886ff9ec7d1b105c946e5c8
> #     - 567b89b0f8e82e2553fb1820bef965ecc77676b4065d54988da6d7c80747f7a7
> #     - b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17
> #   - Themida-packed DLLs:
> #     - a157856210137d7543861c574189e237c1d0ba41d2fb08c982a7db94e684a170
> #     - 28764e617667c9704246c56b613d1b75e489346cbb5df9a14e1ce2d996f5c167
> #     - 5c89b1fee36d941889eb33e777acb4462bd4a7e8ac7da7743a1b0e743b942f50
> #   - Downloader:
> #     - 46c8e192bb6e37452c1b8029987a7c05f64b7766ff692731b050c402d91baa93
> # Notes:
> #   - This one drops TeamViewer and then reports TeamViewer's ID and Password
> #     to the C&C.
> #   - The flowbits check won't work; becuase it is a different session?
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWAR-CNC Win.Trojan.TeamBot downloader outbound 
> connection attempt"; flow:to_server,established; content:"/get.php?pid="; fast_pattern:only; http_uri; 
> content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; http_header; content:!"Connection"; http_header; 
> content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000470; 
> rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeamBot outbound connection 
> request"; flow:to_server,established; content:"/?gate&hwid="; fast_pattern:only; http_uri; content:"&id="; http_uri; 
> content:"&pwd="; http_uri; content:"&info="; http_uri; content:!"User-Agent"; http_header; flowbits:set,mal.teambot; 
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000471; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TeamBot inbound connection 
> response"; flow:to_client,established; file_data; content:"<RESULT>true</RESULT>"; fast_pattern:only; 
> metadata:ruleset community, service http; classtype:trojan-activity; sid:8000472; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"INDICATOR-COMPROMISE TeamViewer connection detected after TeamBot 
> infection"; flow:to_server,established; dsize:9; content:"|17 24 10 04 00 00 00 00 00|"; metadata:ruleset community; 
> classtype:trojan-activity; sid:8000473; rev:1;)
>
> #alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"INDICATOR-COMPROMISE TeamViewer connection detected after 
> TeamBot infection"; flow:to_server,established; flowbits:isset,mal.teambot; dsize:9; content:"|17 24 10 04 00 00 00 
> 00 00|"; metadata:ruleset community; classtype:trojan-activity; sid:8000471; rev:1;)
>
> # --------------------
> # Date: 2019-01-20
> # Title: Recent DarkHydrus stuff
> # Reference:
> #   - https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/ 
> <https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/>
> #   - 
> https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/ 
> <https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/>
> # Tests: pcaps
> # Yara:
> #   - MALWARE_Doc_MIRTE_T1117
> #   - MALWARE_OOXML_Malicious_Doc_DH
> #   - MALWARE_Doc_Exec_Bypass_DH
> #   - MALWARE_Win_Trojan_RogueRobin
> # ClamAV:
> #   - MALWARE_OOXML_XL_MITRE_T1117-1
> #   - MALWARE_OOXML_XL_Exec-Bypass-DH
> #   - MALWARE_Win_Trojan_RogueRobin
> # Hashes:
> #   - Docs:
> #     - 4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8
> #     - 513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8
> #     - e068c6536bf353abe249ad0464c58fb85d7de25223442dd220d64116dbf1e022
> #   - Binaries:
> #     - 5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c
> #     - eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97
> # Notes:
> #   - Snort signatures are, well, they need more testing/scrutiny
> #   - Performance Profiling results didn't seem encouraging for the signatures.
> #   - The indicator rules are created for the "exotic" RR types only.
>
> alert tcp any any -> any any (msg:"MALWARE-CNC DarkHydrus variant malicious document download attempt"; 
> flow:to_server,established; file_data; content:"|ac 92 4d 4f c3 30 0c 86 ef 48 fc 87 c8 f7 d5 dd 90 10 42 4b 77 41 
> 48|"; content:"|55 53 68 39 69 b0 62 9e 72 3a 22 79 5f 64 6c c0 f3 44 9b bf 13 fd 7c 2d 4e 9c c8 52 22 34 12 f8 32 cf 
> 47 c7 25 a0|"; within:200; content:"|4e c3 30 0c 86 ef 48 bc 43 e4 3b 4d 3b 10 42 68|"; within:400; content:"|22 54 
> 54 4d 35 6c 46|"; within:315; metadata:ruleset community, service smtp; classtype:attempted-user; sid:8000474; rev:1;)
>
> alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of TXT RR type"; flow:to_client; dsize:>100; 
> content:"|81 83|"; offset:2; depth:2; content:"|00 00 10 00 01 00 00 06 00 01|"; within:255; detection_filter:track 
> by_src, count 2, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000475; rev:1;)
>
> alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of SOA RR type"; flow:to_client; dsize:>100; 
> content:"|81 83|"; offset:2; depth:2; content:"|00 00 06 00 01 00 00 06 00 01|"; within:255; detection_filter:track 
> by_src, count 2, seconds 60; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000476; rev:1;)
>
> alert udp any 53 -> $HOME_NET any (msg:"INDICATOR-COMPROMISE NXDOMAIN of AAAA RR type"; flow:to_client; content:"|84 
> 03|"; offset:2; depth:2; content:"|00 00 1C 00 01|"; within:255; detection_filter:track by_src, count 5, seconds 60; 
> metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000477; rev:1;)
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .agency TLD"; 
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|agency|00 00|"; fast_pattern; 
> pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+agency/"; metadata:ruleset community, service dns; classtype:trojan-activity; 
> sid:8000478; rev:1;)
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .life TLD"; 
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|life|00 00|"; fast_pattern; 
> pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+life/"; metadata:ruleset community, service dns; classtype:trojan-activity; 
> sid:8000479; rev:1;)
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .live TLD"; 
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|live|00 00|"; fast_pattern; 
> pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+live/"; metadata:ruleset community, service dns; classtype:trojan-activity; 
> sid:8000480; rev:1;)
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .world TLD"; 
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|world|00 00|"; fast_pattern; 
> pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+world/"; metadata:ruleset community, service dns; classtype:trojan-activity; 
> sid:8000481; rev:1;)
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .today TLD"; 
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|today|00 00|"; fast_pattern; 
> pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+today/"; metadata:ruleset community, service dns; classtype:trojan-activity; 
> sid:8000482; rev:1;)
>
> alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.RogueRobin outbound DNS query - .servies TLD"; 
> flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|00 00|"; fast_pattern; 
> pcre:"/[\x05-\x06]a[hijklmnopq]{3,4}c.+services/"; metadata:ruleset community, service dns; 
> classtype:trojan-activity; sid:8000483; rev:1;)
>
> # --------------------
> # Date: 2019-01-21
> # Title: Andr.Trojan.Xinyinhe
> # Reference: Research
> # Tests: pcaps
> # Yara: NA
> # ClamAV: NA
> # Hashes: 5b5043b13da32c048f7ccb19a3b200c7145d020449d8ed7d7cf3ae7ecaef6863
> # Notes:
> #   - Download URL: hxxp://cdn[.]tiedd[.]info/uploadonly/201811/107/5c6532745b100a173742fe85c7f33678.apk 
> <hxxp://cdn[.]tiedd[.]info/uploadonly/201811/107/5c6532745b100a173742fe85c7f33678.apk>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Xinyinhe outbound connection 
> attmept"; flow:to_server,established; content:"/config?pubid="; fast_pattern:only; http_uri; content:"&new_user="; 
> http_uri; content:"&pkg_name="; http_uri; content:"&first_time="; http_uri; metadata:ruleset community, service http; 
> classtype:trojan-activity; sid:8000475; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Xinyinhe outbound connection 
> attmept"; flow:to_server,established; content:"/config?pubid="; fast_pattern:only; http_uri; content:"&moduleid="; 
> http_uri; content:"&pkname="; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; 
> sid:8000476; rev:1;)
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
> catch the most <a href=" https://snort.org/downloads/#rule-downloads 
> <https://snort.org/downloads/#rule-downloads>">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!