[Snort-sigs] Win.Ransomware.Sage

Y M snort at ...3751...
Fri Feb 10 04:12:51 EST 2017


This one for Sage "2.0" ransomware performing its post-infection C&C. There are several samples circulating. I have seen references mentioning that Sage is a variant of CryLocker, but some of the samples generate the same UDP traffic observed from Cerber. The ransom notes also resembles that of Cerber.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:" / HTTP/1."; content:"Connection|3A 20|close|0D 0A|"; fast_pattern:only; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:3,>,160,0,string,dec,relative; byte_test:3,<,170,0,string,dec,relative; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000824; rev:1;)

Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170210/612fa988/attachment.html>

More information about the Snort-sigs mailing list