Snort mailing list archives

Re: Multiple signatures 030


From: Matthew Mickel <mmickel () sourcefire com>
Date: Fri, 7 Jun 2019 14:32:41 -0400

Hi, Yaser-

Thanks for your submissions.  We will process them and get back to you when we've finished.  Any PCAPs or Yara/ClamAV 
signatures you can share are greatly appreciated.  Best,

Matt Mickel

On Jun 7, 2019, at 6:52 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello,

Please find below Snort rules. Yara/ClamAV signatures are available for all cases, while PCAPs are available for the 
majority of them.

Thank you.
YM

# --------------------
# Title: Operation ShadowHammer: a high-profile supply chain attack
# Reference: https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
# Tests: syntax only
# Yara: 
#   - MALWARE_Win_Trojan_ShadowPadv2
# ClamAV:
#   - MALWARE_Win.Trojan.ShadowPadv2
# Hashes:
#   - 3965b3bdb7e1df135f6a7f096977a07ef1fc2bccf255a0199dbb3f5b7138dddd
#   - 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
#   - d98c5faf7e95eb6c2aaac7c66c9ec203785b52130c6083f0e459b4865150be8c
#   - d4c5b4eef9c9b8776385ed6fc416da1a4377bd109ba9a4c301a3e5d37799eaf0
#   - f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661
# Note:
#   - Read through the reference under "ShadowPad connection" and "Other victims".
#   - The last hash (f4d57acde4...) was triaged and is not listed in the reference's 
#     IoC list, but is still detected successfully.
#   - Listener uses Strong wildcard. HTTP request headers must be confirmed first.
#   - The "v2" is just a made up name to make a distinction from the original one.

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ShadowPadv2 potential inbound connection"; flow:to_server,established; content:"/requested.html"; nocase; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000675; rev:1;)

# --------------------
# Title: Win.Ransomware.Buran
# Reference: Research
# Reference: https://id-ransomware.blogspot.com/2019/05/buran-ransomware.html
# Reference: https://www.bleepingcomputer.com/news/security/the-rig-exploit-kit-is-now-pushing-the-buran-ransomware/
# Tests: pcaps
# Yara: 
#   - MALWARE_Win_Ransomware_Buran_1
#   - MALWARE_Win_Ransomware_Buran_2
# ClamAV:
#   - MALWARE_Win.Ransomware.Buran-1
#   - MALWARE_Win.Ransomware.Buran-2
# Hashes:
#   - 0bed6711e6db24563a66ee99928864e8cf3f8cff0636c1efca1b14ef15941603
#   - 4950feae35849e8f48ace0af8c7808c5ee28a9365103788fe22cb80e36d0ec7e
#   - 7274978bc592b127af9f5df11fc730fb0931c2276a83eea4488ce4dede40ed3e
#   - 763a5d28ec7ddfc50e086f7ffe814807487171effd0a8704d356e99f176d9b07
#   - ba809c00f829015cb70f26fe1be979f5a372e346d0e974252e8c3ee18b21dd22
# Note: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Buran outbound external IP address check"; flow:to_server,established; content:"User-Agent: BURAN|0D 0A|"; fast_pattern:only; http_header; content:"Referer:"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000676; rev:1;)

# --------------------
# Title: Win.Ransomware.JoeGo
# Reference: Research
# Reference: https://id-ransomware.blogspot.com/2019/04/joego-ransomware.html
# Tests: pcaps
# Yara: 
#   - MALWARE_Win_Ransomware_JoeGo
# ClamAV:
#   - MALWARE_Win.Ransomware.JoeGo
# Hashes:
#   - 6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8
# Note: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"/checkin.php"; fast_pattern:only; http_uri; content:"homedir="; http_client_body; content:"&username="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000677; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"/detail.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000678; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"/platebni_brana.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000679; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.JoeGo outbound connection"; flow:to_server,established; content:"User-Agent: ransomware|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000680; rev:1;)

# --------------------
# Title: Win.Trojan.AveMaria variant
# Reference: Research
# Tests: pcaps
# Yara: 
#   - MALWARE_Win_Trojan_AveMaria
# ClamAV:
#   - MALWARE_Win.Trojan.AveMaria
# Hashes:
#   - 64a39bc8f77812153983fa2eb7e9c64aeb78d9c724c3336247f7ba0e64e206c8
# Note: NA

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.AveMaria variant initial inbound connection"; flow:to_client,established; dsize:12; content:"|09 12 3B 42 2D 33 A2 44|"; depth:8; fast_pattern; content:"|01 86 73|"; distance:1; metadata:ruleset community; classtype:trojan-activity; sid:8000681; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AveMaria variant outbound connection response"; flow:to_server,established; content:"|09 12 3B 42|"; depth:4; fast_pattern; content:"|A2 44|"; distance:2; content:"|01 86 73|"; distance:1; metadata:ruleset community; classtype:trojan-activity; sid:8000682; rev:1;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most 
emerging threats: https://snort.org/downloads/#rule-downloads

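The rules in the quoted submission rely on a handful of Snort 2 option semantics that are easy to get wrong by hand: which buffer `http_uri`, `http_header` and `http_client_body` select, that `depth` counts from the start of the buffer while `distance` counts from the end of the previous match, and that `dsize` pins the packet length (so the two AveMaria rules together describe a 12-byte message of an 8-byte header, one skipped byte and a 3-byte trailer). The following is an added example, not code from the post and not part of Snort: a small stdlib-only evaluator that approximates those semantics so the offsets in a rule can be sanity-checked before a PCAP is available (the submitter marked the ShadowPad rule "Tests: syntax only"). The rule transcriptions are taken from the post; every payload, hostname and the `fast_pattern_only` flag name are assumptions constructed for the check, and URI normalisation is deliberately skipped.

```python
"""Dry-run checker for the Snort 2 options used in the rules above: content with
http_uri / http_header / http_client_body, nocase, depth, distance and dsize.
Added example, not Snort code and not the submitter's code; it approximates how
Snort moves its search cursor so offsets can be checked before a PCAP exists.
Every payload below is constructed for the test, not captured."""
import re

HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]+)\|")

def snort_bytes(content):
    """Expand a content string such as 'User-Agent: BURAN|0D 0A|' to raw bytes."""
    out, pos = b"", 0
    for m in HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + content[pos:].encode("latin-1")

def http_buffers(payload):
    """Split a request into the buffers http_uri, http_header and http_client_body
    select. Snort also normalises them (e.g. %xx in the URI); skipped here."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    header = b"\r\n".join(lines[1:]) + b"\r\n"
    return {"raw": payload, "uri": uri, "header": header, "body": body}

def evaluate(payload, options):
    """Evaluate an ordered list of option dicts: {"dsize": n} or {"content": s,
    "buffer": raw|uri|header|body, [nocase], [depth] (from buffer start),
    [distance] (from end of previous match), [fast_pattern_only]}. A
    'fast_pattern:only' content is matched only by the case-insensitive fast
    pattern matcher, so that flag implies nocase."""
    bufs, cursor = http_buffers(payload), {}        # cursor: last match end per buffer
    for opt in options:
        if "dsize" in opt:
            if len(payload) != opt["dsize"]:
                return False
            continue
        name = opt["buffer"]
        hay, pat = bufs[name], snort_bytes(opt["content"])
        if opt.get("nocase") or opt.get("fast_pattern_only"):
            hay, pat = hay.lower(), pat.lower()
        if "distance" in opt:                        # relative to the previous match
            start, end = cursor.get(name, 0) + opt["distance"], len(hay)
        else:                                        # absolute; depth bounds the window
            start, end = 0, opt.get("depth", len(hay))
        idx = hay.find(pat, start, end)
        if idx < 0:
            return False
        cursor[name] = idx + len(pat)
    return True

# The posted rules (sids 8000681, 8000682, 8000676, 8000677, 8000675) as option lists.
AVEMARIA_INBOUND = [
    {"dsize": 12},
    {"content": "|09 12 3B 42 2D 33 A2 44|", "buffer": "raw", "depth": 8},
    {"content": "|01 86 73|", "buffer": "raw", "distance": 1},
]
AVEMARIA_OUTBOUND = [
    {"content": "|09 12 3B 42|", "buffer": "raw", "depth": 4},
    {"content": "|A2 44|", "buffer": "raw", "distance": 2},
    {"content": "|01 86 73|", "buffer": "raw", "distance": 1},
]
BURAN_IPCHECK = [
    {"content": "User-Agent: BURAN|0D 0A|", "buffer": "header", "fast_pattern_only": True},
    {"content": "Referer:", "buffer": "header"},
]
JOEGO_CHECKIN = [
    {"content": "/checkin.php", "buffer": "uri", "fast_pattern_only": True},
    {"content": "homedir=", "buffer": "body"},
    {"content": "&username=", "buffer": "body"},
]
SHADOWPAD_LISTENER = [
    {"content": "/requested.html", "buffer": "uri", "nocase": True, "fast_pattern_only": True},
]

# Constructed payloads. The 12-byte AveMaria message is an 8-byte header, one
# byte the rule skips (distance:1) and a 3-byte trailer; dsize:12 pins the total.
AVEMARIA_HELLO = bytes.fromhex("09123B422D33A244") + b"\x00" + bytes.fromhex("018673")
BURAN_REQ = (b"GET / HTTP/1.1\r\nHost: ip.example.invalid\r\n"
             b"User-Agent: BURAN\r\nReferer: http://ip.example.invalid/\r\n\r\n")
JOEGO_REQ = (b"POST /checkin.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"homedir=C:\\Users\\victim&username=victim")
SHADOWPAD_REQ = b"GET /Requested.HTML HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"

def run_checks():
    """Positive and negative cases; returns {case: fired}."""
    return {
        "avemaria_in": evaluate(AVEMARIA_HELLO, AVEMARIA_INBOUND),
        # a 13th byte breaks dsize:12, but the dsize-less outbound rule still fires
        "avemaria_in_13": evaluate(AVEMARIA_HELLO + b"\x00", AVEMARIA_INBOUND),
        "avemaria_out_13": evaluate(AVEMARIA_HELLO + b"\x00", AVEMARIA_OUTBOUND),
        "buran": evaluate(BURAN_REQ, BURAN_IPCHECK),
        # |0D 0A| makes the User-Agent match exact: "BURAN/1.0" does not fire
        "buran_versioned": evaluate(BURAN_REQ.replace(b"BURAN\r\n", b"BURAN/1.0\r\n"),
                                    BURAN_IPCHECK),
        "joego": evaluate(JOEGO_REQ, JOEGO_CHECKIN),
        "shadowpad_nocase": evaluate(SHADOWPAD_REQ, SHADOWPAD_LISTENER),
    }
```

Calling `run_checks()` returns one boolean per case. The two negative cases are the ones worth keeping in mind when tuning these rules: the 13-byte AveMaria message shows that only sid 8000681 carries a `dsize` guard, so the outbound rule (8000682) will also fire on longer messages that merely begin with the same bytes, and the `BURAN/1.0` case shows that the trailing `|0D 0A|` in sid 8000676 turns the User-Agent check into an exact-value match, which is precise but will miss any variant that appends a version string. This evaluator is a hand-check only; the authoritative test remains `snort -r` over a real capture.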
