Snort mailing list archives
Re: Multiple signature 021
From: Matthew Mickel <mmickel () sourcefire com>
Date: Tue, 15 Jan 2019 13:36:46 -0500
Hi, Yaser-

Thanks for your submissions. We will review the rules and get back to you when we have finished. Any PCAPs that you can send along are greatly appreciated.

Best,
Matt Mickel
On Jan 15, 2019, at 12:41 PM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Here is a batch of signatures, for which PCAPs and Yara/ClamAV signatures are available. Also attaching two screenshots for Ditniu/Siggen2/Zenpak to go along with the notes section.

Thank you.
YM

# --------------------
# Date: 2019-01-05
# Title: Tools Trade
# Reference: Research
# - hxxps://github[.]com/DarthTon/Blackbone
# - hxxps://github[.]com/djhohnstein/SharpWeb
# - hxxps://github[.]com/ptoomey3/Keychain-Dumper
# - www[.]rootkiter[.]com/earthworm
# Tests: pcaps (f2p)
# Yara:
# - TOOL_PWS_SharpWeb
# - TOOL_CNC_Earthworm
# - TOOL_PWS_KeychainDumper
# - TOOL_PWS_Blackbone
# ClamAV:
# - TOOL.PWS.SharpWeb
# - TOOL.CNC.Earthworm
# - TOOL.PWS.KeychainDumper
# - TOOL.PWS.Blackbone
# Hashes: NA
# Notes:
# - Maybe add SMB rules for host-to-host transfers
#   during lateral movement?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Blackbone password memory dumper download attempt"; flow:to_client,established; file_data; content:"|5C 00|B|00|l|00|a|00|c|00|k|00|B|00|o|00|n|00|e|00|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000444; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Blackbone password memory dumper download attempt"; flow:to_client,established; file_data; content:"BBHideVAD"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000445; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Earthworm CnC tool download attempt"; flow:to_client,established; file_data; content:"Make_Net_CMD"; fast_pattern:only; content:"understand_and_do_it"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000446; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE KeychainDumper Keychain dumper tool download attempt"; flow:to_client,established; file_data; content:"dumpKeychainEntitlements"; fast_pattern:only; content:"Password"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000447; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE SharpWeb browser password dumper tool download attempt"; flow:to_client,established; file_data; content:">k__BackingField|00|<encryptedPassword>k__BackingField"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000448; rev:1;)

# --------------------
# Date: 2019-01-08
# Title: Osx.Trojan.LamePyre
# Reference:
# - https://blog.malwarebytes.com/detections/osx-lamepyre/
# - https://objective-see.com/blog/blog_0x3C.html
# Tests: pcaps
# Yara:
# - MALWARE_Osx_Trojan_LamePyre
# ClamAV:
# - MALWARE_Osx.Trojan.LamePyre
# Hashes:
# - a899a7d33d9ba80b6f9500585fa108178753894dfd249c2ba64c9d6a601c516b > .app
# - 3952499a96ee1ce49b0b4a2eabaa9ea819012cf146cc95d5a0c876938bdfb65c > Application Stub
# - 88d5e1cfdc6bf3824cb5227827ba2f790eaaad512693de6b72d29fdb1db46081 > helper
# - 31935f731329487c87b96653f6c3936cca6cbed64f800ad24047e3bfa1434969 > systemkeep

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre initial outbound connection"; flow:to_server,established; urilen:10; content:"/index.asp"; http_uri; content:"Connection: close|0D 0A|"; http_header; content:"Accept-Encoding: identity|0D 0A|"; http_header; content:!"Accept:"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000449; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre screenshot exfiltration outbound connection"; flow:to_server,established; content:"/handler.php?uid="; fast_pattern:only; http_uri; content:"Expect:"; http_header; content:"Content-Type: multipart/form-data"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000450; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.LamePyre screenshot exfiltration outbound connection"; flow:to_server,established; content:"|3B| filename=|22|alloy.png|22|"; fast_pattern:only; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000451; rev:1;)

# --------------------
# Date: 2019-01-08
# Title: Osx.Trojan.FairyTail
# Reference:
# - https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/
# - https://objective-see.com/blog/blog_0x3C.html
# Tests: pcaps
# Yara:
# - MALWARE_Osx_Trojan_Genieo
# - MALWARE_Osx_Trojan_MacSearch
# ClamAV:
# - MALWARE_Osx.Trojan.Genieo
# - MALWARE_Osx.Trojan.MacSearch
# Hashes:
# - 4eaa4caea4ac543516ffc9954a901e8b8e8c623fcce48304ea74d7a74218683b > .app
# - 850b4f620e874ed6117c7e1d15dd1c502d7e38cd4dd872753d502f39e3a5c8d8 > LinqurySearch
# - f54bb130f750f77546aebf690ba4b89f0ddb3c27a5e297383d0a30bcaa5f9cb4 > macsearch
# - a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66 > SpellingChecker

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTail initial outbound connection request"; flow:to_server,established; urilen:10; content:"/hello.txt"; fast_pattern:only; http_uri; content:"SpellingChecker/"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000452; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection attempt"; flow:to_server,established; content:"/download/"; http_uri; content:"User-Agent: LinqurySearch"; http_header; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000453; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection attempt"; flow:to_server,established; content:"User-Agent: macsearch/"; fast_pattern:only; http_header; content:"/MaxMind.asmx/"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000454; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.FairyTale outbound connection attempt"; flow:to_server,established; content:"User-Agent: macsearch/"; fast_pattern:only; http_header; content:"StatisticsService.svc/"; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000455; rev:1;)

# --------------------
# Date: 2019-01-09
# Title: Win.Trojan.Agent
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_Agent
# ClamAV:
# - MALWARE_Win.Trojan.Agent
# Hashes:
# - 4fd37dc5eaa90a02a53b2c2df42c21e6017a925b65cedf62c69aa757be49e144

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound connection attempt"; flow:to_server,established; content:"/get.php HTTP/1.0"; fast_pattern:only; content:"=JWExJTNkaSUxOH"; within:20; http_client_body; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000458; rev:1;)

# --------------------
# Date: 2019-01-10
# Title: Win.Trojan.Ditniu/Siggen2/Zenpak
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_Ditniu
# ClamAV:
# - MALWARE_Win.Trojan.Ditniu-VAR1
# - MALWARE_Win.Trojan.Ditniu-VAR2
# - MALWARE_Win.Trojan.Ditniu-VAR3
# - MALWARE_Win.Trojan.Ditniu-Signed-Revoked
# - MALWARE_Win.Trojan.Ditniu-Signed1
# - MALWARE_Win.Trojan.Ditniu-Signed2
# - MALWARE_Win.Trojan.Ditniu-Signed3
# Hashes:
# - 3a835af7d9da2a2f033ca685bac69a9c853b218f553eec742ca1e2c474f5ce78 > NSIS Archive, sample not acquired
# - 3969347db2908336311c9b13d3ece00fd8e28c181a5eac556036bc3d48e56dac
# - 3d3fc2e343a08ecd24b5b4d0a040e956f276c292786eddc46d9725d7043e669e
# - 4aea200d1080627722df30737dac955dc987f0ffc67cd7861a6440e94dd164e7 > Password-protected NSIS, Password: X9e5UD6AN1vQCK08DM4O
# - 5a58e561d49ba36292bf603cf516a1cef686e17285d466e5c1979d266227f0e6
# - 7a6477c2e7e38becf1861fe5253641dcd789b5c523b9d788114befa21b748780
# - 7ceca4f5ca3ef254f7d6e2c0a217966a2d948b613b0ae476d34b0ece9704da4c > Extracted from 4aea200d10
# - 7cefbff477eeb8f410a5857babf933d14494df4cb74cec5482dbf8199e64a5bf
# - 922dd1efeb601b375bf638d1cdbb6cbd1e74d1a0aa48daf73bd59c13eacd4f45 > Extracted from b689104dfc
# - 94e6ba63cf9d38339146b1425ff08588359056d327e94c4f26963d705d78325c
# - 96f70e5272ab59e0d28007a6f730fbf8ccf186b6357cc945a7a45d60bfb18f9d
# - 9c2a5540b68eebe84c446a05763869ac6ba59b76151bf697639f45c7422a8ad7
# - 9f13dc99e0faf99e0a66e1c5cb2cc5ed950224d96f5c9c2a2cfd343d9de2ddd3 > NSIS Archive, sample not acquired
# - b37e7c2dc32f010682ef024f9b99e962347ad3f3be2c6f1a00a08cb7a929a3fb
# - b689104dfcb1974ab48556505fb9dc6e1a356c21fda59d5d954f85b16b19a1bc > Password-protected NSIS, Password: X9e5UD6AN1vQCK08DM4O
# - c053dc67c13eddce93ae2d17d8fb1958a0ed71657e93ed540e6c0d1ea92b6129 > Extracted from efcee275d2
# - d60e7f5f03ffcd04c3f69add8b63763294bc59d14572fd1a3bf767accd9ff1f6
# - dfff04d811715510176326a190d576d66cec3a92d01829f5bbcc291182682e55
# - efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74 > Password-protected NSIS, Password: X9e5UD6AN1vQCK08DM4O
# - f52c4b49bba43c68c0a5436e8c6c2c45c7b4de19729fcedf4343b430fff31bac
# - f612e561ebca13ee093402526468b8638d1591fadbdfd31ec3fbc1c73b89d41c > NSIS Archive, sample not acquired
# - f875662a13179e215f8f92cb174d7a3988cde71495ae2c7a412c442c676f2889
# Notes:
# - Variants connect to a specific set of IPs with the same packet structure.
# - All password-protected NSIS archives use the same password > X9e5UD6AN1vQCK08DM4O (screenshot attached).
# - Binaries extracted from the NSIS archive have a .cab extension.
# - Persisted binaries have similar naming conventions.
# - Anti-debug (screenshot attached):
#   boxservice.exe, vboxtray.exe, vmusrvc.exe, vmsrvc.exe,
#   qemu-ga.exe, xenservice.exe, python.exe, ProcessHacker.exe,
#   tcpview.exe, autorunsc.exe, autorunsc.exe, idaq.exe, idaq64.exe,
#   HookExplorer.exe, ImportREC.exe, PETools.exe, LordPE.exe, SysInspector.exe

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Ditniu outbound connection attempt"; flow:to_server,established; dsize:14; content:"GCRG"; offset:4; depth:4; fast_pattern; content:"|00 00 02 00|"; distance:1; isdataat:!1,relative; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000459; rev:1;)

# --------------------
# Date: 2019-01-15
# Title: A Zebrocy Go Downloader
# Reference: https://securelist.com/a-zebrocy-go-downloader/89419/
# Tests: NA
# Yara: NA
# ClamAV: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection attempt"; flow:to_server,established; content:"/software-apptication/help-support-apl/getidpolapl.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000460; rev:1;)

[Attachments: 1.PNG, 2.PNG]

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
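Added example (editor's code, not part of the thread and not Snort itself): before submitting rules like the ones above, it helps to replay the option semantics against hand-built traffic and confirm each modifier does what you think. The script below mirrors two of the submitted rules, sid:8000459 (Ditniu: dsize, offset/depth, distance, isdataat:!1,relative on a raw payload) and sid:8000449 (LamePyre: urilen, http_uri, http_header with negated contents), over constructed payloads. It implements only the options those two rules use; Snort's real buffers (normalised http_uri, the http_header buffer minus the request line, reassembled streams) are approximated by raw bytes, every sample is made up, and the "Snort retries later content occurrences when a following option fails" behaviour it relies on is an assumption about Snort 2.x rather than something the thread states.

```python
DITNIU_MAGIC = b"GCRG"
DITNIU_TRAILER = b"\x00\x00\x02\x00"


def match_ditniu(payload: bytes) -> bool:
    """Mirror sid:8000459 on one raw TCP payload (approximation, not Snort)."""
    # dsize:14 -> the payload must be exactly 14 bytes
    if len(payload) != 14:
        return False
    # content:"GCRG"; offset:4; depth:4 -> search window is bytes [4, 8),
    # so the magic has to sit exactly at offset 4
    if payload[4:8] != DITNIU_MAGIC:
        return False
    cursor = 8  # detection cursor sits just past the previous match
    # content:"|00 00 02 00|"; distance:1 -> next match may begin no earlier
    # than cursor + 1. distance is a lower bound; with no 'within' the trailer
    # may appear anywhere later. Assumption: Snort retries later occurrences
    # when a following option fails, so every candidate position is tried.
    pos = payload.find(DITNIU_TRAILER, cursor + 1)
    while pos != -1:
        end = pos + len(DITNIU_TRAILER)
        # isdataat:!1,relative -> not even one byte may follow the match,
        # i.e. the trailer must be the last thing in the 14-byte payload
        if len(payload) - end < 1:
            return True
        pos = payload.find(DITNIU_TRAILER, pos + 1)
    return False


def _split_http_request(request: bytes):
    """Minimal HTTP/1.x request splitter -> (uri, header block, body) or None.
    Assumption: http_uri / http_header are approximated by the raw request-target
    and the raw header lines (request line excluded, no URI normalisation)."""
    head, _, body = request.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[1], header_block + b"\r\n", body


def match_lamepyre_beacon(request: bytes) -> bool:
    """Mirror sid:8000449 on one client request (approximation, not Snort)."""
    parsed = _split_http_request(request)
    if parsed is None:
        return False
    uri, headers, _ = parsed
    # urilen:10 -> the URI buffer is exactly 10 bytes, so "/index.asp" plus
    # any query string fails; content:"/index.asp"; http_uri
    if len(uri) != 10 or b"/index.asp" not in uri:
        return False
    # positive header contents, each a complete "Name: value\r\n" line
    if b"Connection: close\r\n" not in headers:
        return False
    if b"Accept-Encoding: identity\r\n" not in headers:
        return False
    # negated contents (content:!"..."): the rule fires only when both are
    # absent, which is what separates the bare beacon from a browser request
    if b"Accept:" in headers or b"Referer" in headers:
        return False
    return True


# Constructed samples; these are not captures from the thread's PCAPs.
DITNIU_SAMPLES = {
    "beacon_ok": b"\x00\x00\x00\x00GCRG\x00\x00\x00\x00\x02\x00",
    "trailing_byte": b"\x00\x00\x00\x00GCRG\x00\x00\x00\x02\x00\xff",  # trailer not last
    "magic_at_zero": b"GCRG\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00",  # outside [4, 8)
    "too_long": b"\x00\x00\x00\x00GCRG\x00\x00\x00\x00\x02\x00\x00",  # 15 bytes, dsize fails
}
LAMEPYRE_SAMPLES = {
    "beacon_ok": (
        b"GET /index.asp HTTP/1.1\r\nHost: c2.example.invalid\r\n"
        b"Connection: close\r\nAccept-Encoding: identity\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    "browser": (  # same URI, but Accept: and Referer trip the negated contents
        b"GET /index.asp HTTP/1.1\r\nHost: www.example.invalid\r\n"
        b"Connection: close\r\nAccept-Encoding: identity\r\n"
        b"Accept: text/html\r\nReferer: https://www.example.invalid/\r\n\r\n"
    ),
    "query_string": (  # urilen:10 fails on "/index.asp?x=1"
        b"GET /index.asp?x=1 HTTP/1.1\r\nConnection: close\r\n"
        b"Accept-Encoding: identity\r\n\r\n"
    ),
}


def run_samples() -> dict:
    """Return {sample name: alert verdict} for every constructed sample."""
    verdicts = {"ditniu/" + k: match_ditniu(v) for k, v in DITNIU_SAMPLES.items()}
    verdicts.update({"lamepyre/" + k: match_lamepyre_beacon(v)
                     for k, v in LAMEPYRE_SAMPLES.items()})
    return verdicts


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

Two things this makes visible that the rule text alone does not: with dsize:14 and the magic pinned to bytes 4-7, isdataat:!1,relative forces the trailer onto bytes 10-13, so distance:1 is effectively a fixed gap of two bytes and a payload with the trailer one byte earlier never alerts; and for the LamePyre beacon the negated contents are doing the real work, since "/index.asp" with Connection: close and identity encoding is otherwise an ordinary request. Once the verdicts look right here, replay the real PCAPs through Snort with the rule loaded, since this script does not model stream reassembly or URI normalisation.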
Current thread:
- Multiple signature 021 Y M via Snort-sigs (Jan 15)
- Re: Multiple signature 021 Matthew Mickel (Jan 15)