Snort mailing list archives
Re: Multiple signatures 030
From: Matthew Mickel <mmickel () sourcefire com>
Date: Fri, 7 Jun 2019 14:32:41 -0400
Hi, Yaser-

Thanks for your submissions. We will process them and get back to you when we've finished. Any PCAPs or Yara/ClamAV signatures you can share are greatly appreciated.

Best,
Matt Mickel
On Jun 7, 2019, at 6:52 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

Please find below Snort rules. Yara/ClamAV signatures are available for all cases while PCAPs are available for the majority of them.

Thank you.
YM

# --------------------
# Title: Operation ShadowHammer: a high-profile supply chain attack
# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
# Tests: syntax only
# Yara:
# - MALWARE_Win_Trojan_ShadowPadv2
# ClamAV:
# - MALWARE_Win.Trojan.ShadowPadv2
# Hashes:
# - 3965b3bdb7e1df135f6a7f096977a07ef1fc2bccf255a0199dbb3f5b7138dddd
# - 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
# - d98c5faf7e95eb6c2aaac7c66c9ec203785b52130c6083f0e459b4865150be8c
# - d4c5b4eef9c9b8776385ed6fc416da1a4377bd109ba9a4c301a3e5d37799eaf0
# - f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661
# Note:
# - Read through the reference under "ShadowPad connection" and "Other victims".
# - The last hash (f4d57acde4...) was triaged and is not listed in the reference's
#   IoC list, but successfully detected still.
# - Listener uses Strong wildcard. HTTP request headers must be confirmed first.
# - The "v2" is just a made up name to make a distinction from the original one.

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ShadowPadv2 potential inbound connection"; flow:to_server,established; content:"/requested.html"; nocase; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000675; rev:1;)

# --------------------
# Title: Win.Ransomware.Buran
# Reference: Research
# Reference: https://id-ransomware.blogspot.com/2019/05/buran-ransomware.html
# Reference: https://www.bleepingcomputer.com/news/security/the-rig-exploit-kit-is-now-pushing-the-buran-ransomware/
# Tests: pcaps
# Yara:
# - MALWARE_Win_Ransomware_Buran_1
# - MALWARE_Win_Ransomware_Buran_2
# ClamAV:
# - MALWARE_Win.Ransomware.Buran-1
# - MALWARE_Win.Ransomware.Buran-2
# Hashes:
# - 0bed6711e6db24563a66ee99928864e8cf3f8cff0636c1efca1b14ef15941603
# - 4950feae35849e8f48ace0af8c7808c5ee28a9365103788fe22cb80e36d0ec7e
# - 7274978bc592b127af9f5df11fc730fb0931c2276a83eea4488ce4dede40ed3e
# - 763a5d28ec7ddfc50e086f7ffe814807487171effd0a8704d356e99f176d9b07
# - ba809c00f829015cb70f26fe1be979f5a372e346d0e974252e8c3ee18b21dd22
# Note: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Buran outbound external IP address check"; flow:to_server,established; content:"User-Agent: BURAN|0D 0A|"; fast_pattern:only; http_header; content:"Referer:"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000676; rev:1;)

# --------------------
# Title: Win.Ransomware.JoeGo
# Reference: Research
# Reference: https://id-ransomware.blogspot.com/2019/04/joego-ransomware.html
# Tests: pcaps
# Yara:
# - MALWARE_Win_Ransomware_JoeGo
# ClamAV:
# - MALWARE_Win.Ransomware.JoeGo
# Hashes:
# - 6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8
# Note: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"/checkin.php"; fast_pattern:only; http_uri; content:"homedir="; http_client_body; content:"&username="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000677; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"/detail.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000678; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"/platebni_brana.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000679; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"User-Agent: ransomware|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000680; rev:1;)

# --------------------
# Title: Win.Trojan.AveMaria variant
# Reference: Research
# Tests: pcaps
# Yara:
# - MALWARE_Win_Trojan_AveMaria
# ClamAV:
# - MALWARE_Win.Trojan.AveMaria
# Hashes: 64a39bc8f77812153983fa2eb7e9c64aeb78d9c724c3336247f7ba0e64e206c8
# Note: NA

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.AveMaria variant initial inbound connection"; flow:to_client,established; dsize:12; content:"|09 12 3B 42 2D 33 A2 44|"; depth:8; fast_pattern; content:"|01 86 73|"; distance:1; metadata:ruleset community; classtype:trojan-activity; sid:8000681; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AveMaria variant outbound connection response"; flow:to_server,established; content:"|09 12 3B 42|"; depth:4; fast_pattern; content:"|A2 44|"; distance:2; content:"|01 86 73|"; distance:1; metadata:ruleset community; classtype:trojan-activity; sid:8000682; rev:1;)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
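An added example, not part of the submission above or of Snort itself: a small Python evaluator for the content/depth/distance/dsize options that the two AveMaria rules (sids 8000681 and 8000682) rely on, run over constructed payloads so the 12-byte layout the rules expect, and the one-byte-gap case they reject, is visible. Flow direction and all other rule options are assumptions left out of the model.

```python
# Added example, not from the post: a minimal evaluator for the Snort
# content/depth/distance/dsize options used by the AveMaria rules above
# (sids 8000681 and 8000682), to show which 12-byte payloads they accept.
# Payloads are constructed for illustration; flow direction is not modelled.

# (pattern, options) chains copied from the two rules
AVEMARIA_INBOUND = [
    (bytes.fromhex("09123B422D33A244"), {"depth": 8}),
    (bytes.fromhex("018673"), {"distance": 1}),
]
AVEMARIA_OUTBOUND = [
    (bytes.fromhex("09123B42"), {"depth": 4}),
    (bytes.fromhex("A244"), {"distance": 2}),
    (bytes.fromhex("018673"), {"distance": 1}),
]


def match_contents(payload, contents, dsize=None):
    """Evaluate an ordered chain of Snort content options against a payload.

    depth: the first pattern must lie entirely inside the first N bytes.
    distance: the next pattern must start at least N bytes after the end
    of the previous match (no 'within', so it may start anywhere later).
    dsize: exact payload length the rule requires, if given.
    """
    if dsize is not None and len(payload) != dsize:
        return False
    cursor = 0  # absolute offset just past the previous match
    for i, (pattern, opts) in enumerate(contents):
        if i == 0 and "depth" in opts:
            pos = payload[: opts["depth"]].find(pattern)
        else:
            pos = payload.find(pattern, cursor + opts.get("distance", 0))
        if pos == -1:
            return False
        cursor = pos + len(pattern)
    return True


# Constructed samples: the 12-byte layout the rules describe, and an 11-byte
# variant with the gap byte between the marker and 01 86 73 removed.
SAMPLE_BEACON = bytes.fromhex("09123B422D33A244" "00" "018673")
SAMPLE_NO_GAP = bytes.fromhex("09123B422D33A244" "018673")


def evaluate(payload):
    """Return (inbound_rule_hit, outbound_rule_hit) for one payload."""
    return (match_contents(payload, AVEMARIA_INBOUND, dsize=12),
            match_contents(payload, AVEMARIA_OUTBOUND))
```

The gap byte is what the `distance:1` in both rules encodes; removing it makes the 01 86 73 content start one byte too early, so neither chain matches even though every byte pattern is present.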
Current thread:
- Multiple signatures 030 Y M via Snort-sigs (Jun 07)
- Re: Multiple signatures 030 Matthew Mickel (Jun 07)