
Multiple signatures 026


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 25 Mar 2019 16:51:48 +0000

Hello,

PCAPs and Yara/ClamAV signatures are available for the below cases. The last case has PCAPs only.

Thank you
YM

# --------------------
# Title: Interesting builders/packers/obfuscators recently observed
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
#   - INDICATOR_DotNet_Excutable_Packed_LibZ
#   - INDICATOR_Excutable_Packed_aPLib
#   - INDICATOR_DotNet_Executable_Packed_SmartAssembly
#   - INDICATOR_Excutable_Packed_ConfuserEx
# ClamAV:
#   - INDICATOR_DotNet_Excutable_Packed_LibZ
#   - INDICATOR_Excutable_Packed_aPLib
#   - CL_TYPE_APLIB (.ftm)
#   - INDICATOR_DotNet_Executable_Packed_SmartAssembly
#   - INDICATOR_Excutable_Packed_ConfuserEx
# Hashes:
#   - b992af642830ad5c2aa1ae75f556a3d238734c38ef0d6c3cfc2b889f91c39f0c (LibZ)
#   - cacc1c3af8ad58b992c707bdf36ec1bd5f039dd80780ad2978cb142ccfe714d6 (aPLib)
#   - 3149e5bba6530fa8acbf36367fd05f0eb2ee98352c2ed59aef316c28f0663d76 (ConfuserEx)
#   - 039aa11d64377ad3719a3d637a8930b58140f60fa3c3025bf362d5f1186dc388 (SmartAssembly)
#   - 0432d8f8f5493463e21e63bec2775b0768883427a3c304ed5c654295fe194f54 (SmartAssembly)
#   - 059caf37845d86effe76c9884cc1ac328fb3e9e173ea7a591e39471643e46cfc (SmartAssembly)
#   - 11e1997516981fa26de559e67dc30113388e01e6782349ebf450d1d1a12d02ec (SmartAssembly)
#   - 3f924b7f7e4d5a880d22a7045e086164eafc1c22075e805bf16769a41d085bc6 (SmartAssembly)
#   - 40390351d2356586a46c5224e0ec8e27bd6e143ade9a33fe65e14035f237f9a3 (SmartAssembly)
#   - 447f6d1dc4404e993f92d1abd074be35933bf2fdafce8c13d3c75183fe82d609 (SmartAssembly)
#   - 58ee50cdefcc187ce88afc7ecbe852946bcac4da013cb9f70bc86428bc1c38f4 (SmartAssembly)
#   - 70030f1def1ff72fdcd64e31df5bb2f9edc53aa29552b7fe252aee6d8fb471f1 (SmartAssembly)
#   - 738fe3c58d18e7cbff96ffb0752c9e48452693149630f397d3dde2f7a9e2ebae (SmartAssembly)
#   - 79849bd2c0f7983623ed2da2a94a9cc57de192f823899d542887b7e87710ae1b (SmartAssembly)
#   - 9a532e661cb26bb378398054833bb3f651b70116fb09c1a33ab37f3a4015c08c (SmartAssembly)
#   - 9cf0d90dc29120c48b75eddd14456cb14d4909e8c1fff4abb3d16faac3db391a (SmartAssembly)
#   - 9f7dca729655b97e79eff175797424b135790cf6e550b193285d04cb793e397a (SmartAssembly)
#   - b0f39235a850657fbfbc528c5387943e8f4edd7867cfe0447610d71436b14157 (SmartAssembly)
#   - b28f51704e94543040344a257555e8c0c3f175dcaff6a09bdd581503dfefd84e (SmartAssembly)
#   - b6e788666a29a323c394c1f34fa2c9965dcdd061d7a14a90152e0e4fa7740272 (SmartAssembly)
#   - b94eba88f222d0114ea940613ef7459a7d7f2ab9410abb9c1bfb2b59e063b92d (SmartAssembly)
#   - ba147bb736208f03e1272cd956078cc8d799dc5e0a087f1ead61c8ef20f8a1c4 (SmartAssembly)
#   - bac7beac51934f584804cc38ab154d68e6085716704714051e5b1c433e1a87f6 (SmartAssembly)
#   - becae163b3aebb08e6d0791f2a61cbe3237396de09227ce23ef4ac5be0699c38 (SmartAssembly)
#   - d716c64eba90657a20742dd63adbef2ce23ba76ef743aec038665266f62072f0 (SmartAssembly)
#   - e98f4dbfc2c5bfe7d4f8f4a21bcab3a4f8b0a577c1f25b417371b9047eba6e66 (SmartAssembly)
#   - f0170c0df25cbcb224d2237836d94d5dcc23a628fdd13300fdf085dd0a1bcbeb (SmartAssembly)
#   - fdc4ff89d5c5da312194bddb810e1577942ca3469c4a6b9e4c24197e7af55832 (SmartAssembly)
#   - ffba654b4866244700bb17993eee63f3a9439ffd40e6ac7ae77cc1ccd685c284 (SmartAssembly)
#   - ffc18bfc45608505c5a3a9777f675e52818d794286953ceb3cdace93179ca7d8 (SmartAssembly)
# Notes:
#   - LibZ is an alternative to ILMerge. This was observed merging
#     Win.Trojan.NanoCore and Win.Trojan.Pony into a single binary.
#   - ConfuserEx was observed packing a NanoCore sample.
#   - SmartAssembly is observed with many HawkEye, NanoCore, Azorult samples.
#     Its signature below is probably the weakest of them all, as there
#     may be recent variations to it.
#   - aPLib was observed with Win.Trojan.Ursnif.

# FILE-IDENTIFY: .NET executable merged with LibZ, inbound to $SMTP_SERVERS:25
# (HTTP side: sid 8000564). Requires flowbit file.exe, i.e. an earlier rule must
# already have typed the transfer as a PE; both contents are searched in the
# file_data buffer. "|00|LibZInitializer" is the fast_pattern:only anchor and
# "|00|LibZ.Injected|00|" must appear somewhere after it (distance:0).
# NOTE(review): LibZ is an ILMerge-style merging tool (see the cover note), so a
# hit identifies the builder rather than the payload; classtype:trojan-activity
# may be stronger than a FILE-IDENTIFY rule warrants -- confirm against the
# ruleset's category conventions.
# (archive line-wrapped; Snort expects the rule on a single line)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY DotNet executable built with LibZ detected"; 
flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; fast_pattern:only; 
content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service smtp; classtype:trojan-activity; 
sid:8000563; rev:1;)

# FILE-IDENTIFY: .NET executable merged with LibZ, served to $HOME_NET from
# $FILE_DATA_PORTS (HTTP side of sid 8000565's sibling, sid 8000563).
# Requires flowbit file.exe and the to_client direction. Same content chain as
# the SMTP rule: "|00|LibZInitializer" (fast_pattern:only) followed anywhere
# later (distance:0) by "|00|LibZ.Injected|00|", both in file_data.
# NOTE(review): identifies the merging tool, not malicious intent; see the
# classtype remark on sid 8000563.
# (archive line-wrapped; Snort expects the rule on a single line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY DotNet executable built with LibZ 
detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|LibZInitializer"; 
fast_pattern:only; content:"|00|LibZ.Injected|00|"; distance:0; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000564; rev:1;)

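# FILE-IDENTIFY: aPLib-packed executable inbound to $SMTP_SERVERS:25 (HTTP side:
# sid 8000566). Requires flowbit file.exe; both contents are searched in file_data.
# "|41 50 33 32 18 00 00 00|" is the "AP32" magic followed by the dword 0x18
# (presumably the 24-byte aPLib header length -- confirm); "M8Z" must then end
# within 35 bytes of that match.
# Fix: the msg previously read "DotNet executable packed with aPLib", but aPLib is
# not .NET-specific -- the Yara/ClamAV names are INDICATOR_Excutable_Packed_aPLib
# and CL_TYPE_APLIB, the cover note ties it to Win.Trojan.Ursnif, and the HTTP
# sibling sid 8000566 already says "executable". The msg is aligned with 8000566;
# detection logic is unchanged.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with aPLib detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; within:35; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000565; rev:1;)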

# FILE-IDENTIFY: aPLib-packed executable served to $HOME_NET from $FILE_DATA_PORTS
# (HTTP side of sid 8000565). Requires flowbit file.exe; both contents in file_data.
# "|41 50 33 32 18 00 00 00|" is the "AP32" magic plus the dword 0x18 (presumably
# the 24-byte aPLib header length -- confirm); "M8Z" must end within 35 bytes of
# that match. Compare sid 8000567, which uses distance:16 instead and drops the
# file.exe gate.
# (archive line-wrapped; Snort expects the rule on a single line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with aPLib detected"; 
flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; 
content:"M8Z"; within:35; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000566; rev:1;)

# FILE-IDENTIFY: any aPLib container over HTTP. There is no flowbit file.exe gate,
# so this is the file-type equivalent of the CL_TYPE_APLIB .ftm entry and fires on
# non-PE aPLib data too -- broader and more FP-prone than sid 8000566.
# "M8Z" must start at least 16 bytes after the end of the 8-byte "AP32" match
# (offset >= 24 from the magic, i.e. the first bytes of the packed stream if the
# header is 24 bytes -- confirm).
# NOTE(review): a PE that matches sid 8000566 will usually satisfy this rule as
# well, so expect paired alerts on the same flow.
# (archive line-wrapped; Snort expects the rule on a single line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY file packed with aPLib detected"; 
flow:to_client,established; file_data; content:"|41 50 33 32 18 00 00 00|"; fast_pattern:only; content:"M8Z"; 
distance:16; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000567; rev:1;)

# FILE-IDENTIFY: ConfuserEx-protected executable inbound to $SMTP_SERVERS:25
# (HTTP side: sid 8000569). Requires flowbit file.exe; both contents in file_data.
# "|00|ConfusedByAttribute|00|" is the fast_pattern:only anchor. "ConfuserEx v"
# carries no distance/within, so it is an independent search over the whole
# file_data buffer, not a match relative to the first content.
# NOTE(review): both markers are plain strings left in the output assembly; a
# hit identifies the protector, not the payload (the cover note ties it to one
# NanoCore sample).
# (archive line-wrapped; Snort expects the rule on a single line)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with ConfuserEx detected"; 
flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; 
fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service smtp; classtype:trojan-activity; 
sid:8000568; rev:1;)

# FILE-IDENTIFY: ConfuserEx-protected executable served to $HOME_NET from
# $FILE_DATA_PORTS (HTTP side of sid 8000568). Requires flowbit file.exe and the
# to_client direction. "|00|ConfusedByAttribute|00|" is the fast_pattern:only
# anchor; "ConfuserEx v" has no relative modifier and is searched across the
# whole file_data buffer.
# (archive line-wrapped; Snort expects the rule on a single line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY executable packed with ConfuserEx 
detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00|ConfusedByAttribute|00|"; 
fast_pattern:only; content:"ConfuserEx v"; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000569; rev:1;)

# FILE-IDENTIFY: SmartAssembly-obfuscated executable inbound to $SMTP_SERVERS:25.
# SMTP only -- unlike the other packers in this batch there is no
# $FILE_DATA_PORTS/HTTP sibling; presumably an omission, confirm.
# No fast_pattern is declared, so Snort falls back to the longest content, the
# System.Drawing assembly reference, which is presumably present in many benign
# .NET binaries as well (the cover note already calls this the weakest signature).
# The first two contents are absolute searches in file_data; the hex content
# "|49 44 41 54 48 4b ed|" must end within 215 bytes of the preceding
# "|00 00 00 0F 03 00 00 00|" match.
# NOTE(review): detection_filter track by_dst, count 25, seconds 10 raises the
# alert only on the 25th match to the same destination inside 10 seconds, so a
# single mail delivery never alerts -- confirm that this throttling is intended
# rather than a leftover from tuning.
# (archive line-wrapped inside both the quoted string and the hex content;
# rejoin onto one line before loading)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY executable packed with SmartAssembly detected"; 
flow:to_server,established; flowbits:isset,file.exe; file_data; content:"QSystem.Drawing, Version=4.0.0.0, 
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"; content:"|00 00 00 0F 03 00 00 00|"; content:"|49 44 41 54 48 4b 
ed|"; within:215; detection_filter:track by_dst, count 25, seconds 10; metadata:ruleset community, service smtp; 
classtype:trojan-activity; sid:8000570; rev:1;)

# --------------------
# Title: Win.Ransomware.Lockergoga
# Reference: Research
# Tests: pcaps (file2pcap)
# Yara:
#   - MALWARE_Win_Ransomware_Lockergoga
# ClamAV:
#   - MALWARE_Win.Ransomware.Lockergoga
# Hashes:
#   - 14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca
#   - 47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4
#   - 5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c
#   - 6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77
#   - 7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125
#   - 7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26
#   - 88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f
#   - 8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29
#   - ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f
#   - bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
#   - c3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a
#   - c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4
#   - c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15
#   - eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
#   - f3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192
# Notes:
#   - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#     hits on newer samples 65d5dd067e and c97d9bbc80.

# Win.Ransomware.Lockergoga PE inbound to $SMTP_SERVERS:25 (HTTP side: sid 8000572).
# Requires flowbit file.exe; single fast_pattern:only content in file_data.
# The hex decodes to the embedded status strings
#   "\0\0\0\0scanning...\0 : \0scan finised\0\0\0\0c:/.log\0warming up...\0\0\0"
# (the "finised" typo is the sample's own and is part of the match).
# NOTE(review): the msg uses the MALWARE-CNC category for a file-download match;
# download-detection rules are conventionally filed under MALWARE-OTHER, with
# MALWARE-CNC reserved for command-and-control traffic. The same applies to
# sids 8000572-8000578 -- confirm against the category guidance before submission.
# (archive line-wrapped inside the hex content; rejoin onto one line)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; 
flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 2e 2e 2e 
00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 75 70 2e 
2e 2e 00 00 00|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000571; 
rev:1;)

# Win.Ransomware.Lockergoga PE served to $HOME_NET from $FILE_DATA_PORTS (HTTP side
# of sid 8000571). Requires flowbit file.exe and the to_client direction.
# Same hex as the SMTP rule, decoding to
#   "\0\0\0\0scanning...\0 : \0scan finised\0\0\0\0c:/.log\0warming up...\0\0\0".
# NOTE(review): unlike sid 8000571 this rule does not set fast_pattern:only. With
# a single content Snort still uses it as the fast pattern, so detection is the
# same in practice, but the two siblings should be written consistently.
# (archive line-wrapped inside the hex content; rejoin onto one line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download 
attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6e 6e 69 6e 67 
2e 2e 2e 00 20 3a 20 00 73 63 61 6e 20 66 69 6e 69 73 65 64 00 00 00 00 63 3a 2f 2e 6c 6f 67 00 77 61 72 6d 69 6e 67 20 
75 70 2e 2e 2e 00 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000572; rev:1;)

# Win.Ransomware.Lockergoga PE inbound to $SMTP_SERVERS:25, second string variant
# (HTTP side: sid 8000574). Requires flowbit file.exe; contents in file_data.
# The two hex contents decode to
#   "scanning: \0\0 total: "  and
#   "encrypting: \0\0\0\0encrypting:!\0\0\0\0writing readme\0\0READ".
# Neither carries distance/within, so both are absolute searches; no fast_pattern
# is declared, so Snort defaults to the longer (second) content.
# (archive line-wrapped inside the hex contents; rejoin onto one line)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; 
flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 20 74 6f 
74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 21 00 00 
00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service smtp; 
classtype:trojan-activity; sid:8000573; rev:1;)

# Win.Ransomware.Lockergoga PE served to $HOME_NET from $FILE_DATA_PORTS, second
# string variant (HTTP side of sid 8000573). Requires flowbit file.exe.
# Hex contents decode to "scanning: \0\0 total: " and
# "encrypting: \0\0\0\0encrypting:!\0\0\0\0writing readme\0\0READ"; both are
# absolute searches in file_data and the longer one is the default fast pattern.
# (archive line-wrapped inside the hex contents; rejoin onto one line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download 
attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 63 61 6e 6e 69 6e 67 3a 20 00 00 
20 74 6f 74 61 6c 3a 20|"; content:"|65 6e 63 72 79 70 74 69 6e 67 3a 20 00 00 00 00 65 6e 63 72 79 70 74 69 6e 67 3a 
21 00 00 00 00 77 72 69 74 69 6e 67 20 72 65 61 64 6d 65 00 00 52 45 41 44|"; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000574; rev:1;)

# Win.Ransomware.Lockergoga PE inbound to $SMTP_SERVERS:25, third string variant
# (HTTP side: sid 8000576). Requires flowbit file.exe; contents in file_data.
# The three hex contents decode to
#   "skipping: \0\0] >\0encrypting:",  "scanning:"  and  "writing readme\0\0".
# All three are absolute searches (no distance/within); "scanning:" alone is
# generic, but the rule needs all three to be present. No fast_pattern is
# declared, so Snort defaults to the longest content.
# (archive line-wrapped inside the hex contents; rejoin onto one line)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; 
flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 5d 20 3e 
00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 20 72 65 
61 64 6d 65 00 00|"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000575; rev:1;)

# Win.Ransomware.Lockergoga PE served to $HOME_NET from $FILE_DATA_PORTS, third
# string variant (HTTP side of sid 8000575). Requires flowbit file.exe.
# Hex contents decode to "skipping: \0\0] >\0encrypting:", "scanning:" and
# "writing readme\0\0"; all absolute searches in file_data, longest one is the
# default fast pattern.
# (archive line-wrapped inside the hex contents; rejoin onto one line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download 
attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|73 6b 69 70 70 69 6e 67 3a 20 00 00 
5d 20 3e 00 65 6e 63 72 79 70 74 69 6e 67 3a|"; content:"|73 63 61 6e 6e 69 6e 67 3a|"; content:"|77 72 69 74 69 6e 67 
20 72 65 61 64 6d 65 00 00|"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000576; rev:1;)

# Win.Ransomware.Lockergoga PE inbound to $SMTP_SERVERS:25, fourth variant
# (HTTP side: sid 8000578). Requires flowbit file.exe; contents in file_data.
# "-+XxPp" is matched first; the hex content that follows decodes to two NULs and
# a run of the characters '+', 'v', '$', 'x' and space (looks like a printf-style
# flag/format table -- confirm) and must end within 100 bytes of the "-+XxPp"
# match. No fast_pattern is declared, so Snort defaults to the longer hex content.
# (archive line-wrapped inside the hex content; rejoin onto one line)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; 
flow:to_server,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 2b 76 24 
78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 2b 76 20 
24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service smtp; 
classtype:trojan-activity; sid:8000577; rev:1;)

# Win.Ransomware.Lockergoga PE served to $HOME_NET from $FILE_DATA_PORTS, fourth
# variant (HTTP side of sid 8000577). Requires flowbit file.exe.
# "-+XxPp" first, then the '+'/'v'/'$'/'x'/space table (hex) ending within 100
# bytes of that match; both in file_data, the hex content being the default
# fast pattern.
# (archive line-wrapped inside the hex content; rejoin onto one line)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download 
attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"-+XxPp"; content:"|00 00 2b 76 24 78 
2b 76 24 78 76 24 2b 78 76 2b 24 78 76 24 2b 78 2b 24 76 78 2b 24 76 78 24 76 2b 78 2b 24 76 78 24 2b 76 78 2b 76 20 24 
2b 76 20 24 76 20 24 2b 76 20 2b 24 76 20 24 2b 2b|"; within:100; metadata:ruleset community, service http; 
classtype:trojan-activity; sid:8000578; rev:1;)

# --------------------
# Title: Win.Ransomware.GoldenAxe
# Reference: Research
# Tests: pcaps
# Yara:
#   - MALWARE_Win_Ransomware_GoldenAxe
# ClamAV:
#   - MALWARE_Win.Ransomware.GoldenAxe
# Hashes:
#   - c40ba66fd4c3061429b092d378da5f6a648edc38e8be83992fdb77fb6200dbe2 (upx-packed)
#   - 46ea76c6512812d222a7e5c60419358e59bd92fd57f6222dd07ad857d9f1c679 (upx-unpacked)
#   - e9f65336508538d3556346e481c8c05ad11ec4eb4e80418fdd9e726db1433639 (upx-packed)
#   - 09cc6841fdfdade881931f0e4a45a127d344eff85b113922e614350f9a3136d5 (upx-unpacked)
# Notes:
#   - Existing Yara rule INDICATOR_Binary_References_Many_Builtin_Windows_Executables
#     generates positive hits against the unpacked binaries.
#   - Potential (older) candidates:
#     - 3fa4b6d0419d69d0c35532f40b358c3af7315397e8952851442af523d69d49ec
#     - 6c3ac5aa7b80167d42f4c779670df9a538704243a6ce605372ae757793a1e996
#     - 7c9bc791c097ab708fd13738b2acd57620a73c8a2f905c5f14a412044b3b6d09

# MALWARE-CNC: Win.Ransomware.GoldenAxe check-in from $HOME_NET to an external
# HTTP server at encryption start (finish variant: sid 8000580).
# Fingerprint: a one-byte URI (urilen:1), a Referer header beginning
# "Encryption Start - " (fast_pattern:only, searched in the normalized
# http_header buffer), and the absence of both a Connection and a Content-Type
# header (negated http_header contents). No http_method restriction is applied.
# NOTE(review): the beacon rides in the Referer value; the negated headers narrow
# it to the sample's minimal request, so a client that adds either header would
# evade this rule -- acceptable for a sample-specific rule, but worth knowing.
# (archive line-wrapped inside the msg; rejoin onto one line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise 
outbound connection - Encryption Start"; flow:to_server,established; urilen:1; content:"Referer: Encryption Start - "; 
fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000579; rev:1;)

# MALWARE-CNC: Win.Ransomware.GoldenAxe check-in at encryption finish (start
# variant: sid 8000579). Same shape: urilen:1, a Referer header whose value is
# exactly "Encryption Finish" (the trailing |0D 0A| pins the end of the header,
# fast_pattern:only in http_header), and no Connection or Content-Type header.
# NOTE(review): as with 8000579 the negated headers make the match strict; a
# request that adds either header is not covered.
# (archive line-wrapped inside the msg and the content; rejoin onto one line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GoldenAxe post compromise 
outbound connection - Encryption Finish"; flow:to_server,established; urilen:1; content:"Referer: Encryption Finish|0D 
0A|"; fast_pattern:only; http_header; content:!"Connection"; http_header; content:!"Content-Type"; http_header; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000580; rev:1;)

# --------------------
# Title: Win.Trojan.Emotet
# Reference: Research
# Tests: pcaps
# Yara: NA
# ClamAV: NA
# Hashes:
#   - 6161a873da7602ac56bb8a8c2c897c4e7858c002e53166f84796d38359407654
#   - e700bf3681af434cb7cf77fbd0b6876ebd92d7882e36d85c5af5ba1ba6df72b5

# MALWARE-CNC: Win.Trojan.Emotet POST from $HOME_NET to an external HTTP server.
# Fingerprint, in evaluation order:
#   - "/ HTTP/1.1|0D 0A|Referer:" with no http_* modifier, i.e. searched in the
#     raw payload: request line for URI "/" followed immediately by a Referer
#     header (presumably intended to pin Referer as the first header -- confirm);
#   - fixed header sequence "Content-Type: application/x-www-form-urlencoded",
#     "DNT: 1", "User-Agent: Mozilla/" in http_header;
#   - "Connection: Keep-Alive" then "Cache-Control: no-cache" as the last two
#     headers (the trailing |0D 0A 0D 0A| is the end of the header block);
#   - no Accept header (negated http_header content);
#   - method POST;
#   - pcre with /P (http_client_body): a form key=value whose value contains
#     %2F or %2B, i.e. a URL-encoded '/' or '+'.
# No fast_pattern is declared, so Snort defaults to the longest content (the
# Content-Type/DNT/User-Agent string).
# NOTE(review): the exact header order and the absent Accept header make this
# tight against the two listed samples but brittle against any change in the
# loader's request template.
# (archive line-wrapped inside two quoted contents; rejoin onto one line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emotet outbound connection attempt"; 
flow:to_server,established; content:"/ HTTP/1.1|0D 0A|Referer:"; content:"Content-Type: 
application/x-www-form-urlencoded|0D 0A|DNT: 1|0D 0A|User-Agent: Mozilla/"; http_header; content:"Connection: 
Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:"POST"; 
http_method; pcre:"/[A-Z0-9a-z]=.+%2(F|B)/P"; metadata:ruleset community, service http; classtype:trojan-activity; 
sid:8000581; rev:1;)

