[Snort-sigs] Win.Backdoor.Joanap

Y M snort at outlook.com
Mon Jun 4 13:21:14 EDT 2018


Hi,

The below signatures are for the Joanap backdoor. No luck with Brambul or Duuzer. Looking at the memory dumps they appear to use the same email medium for C&C with different email addresses. The SMTP C&C sig'ed below was in plaintext for some reason. Pcap is available for this one.

# --------------------
# Date: 2018-06-02
# Title: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
# Tests: pcap
# Reference: https://www.us-cert.gov/ncas/alerts/TA18-149A, https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers
# Hashes:
#    Win.Backdoor.Joanap:
#        - https://www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection
#        - https://www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection
#    Win.Worm.Brambul: NA
#    Win.Backdoor.Duuzer: NA

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Joanap outbound connection"; flow:to_server,established; content:"User-Agent: DavClnt"; fast_pattern:only; http_header; content:"translate: "; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection; reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection; classtype:trojan-activity; sid:8000102; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Backdoor.Joanap outbound connection"; flow:to_server,established; content:"TO: Joana "; content:"SUBJECT: |5B|T|5D|"; metadata:ruleset community, service smtp; reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection; reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection; classtype:trojan-activity; sid:8000103; rev:1;)

Thanks.
YM
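As an added illustration (not part of YM's post or of the Snort ruleset), the script below decodes the `content` strings of the two rules above, including the `|5B|T|5D|` hex escapes, and applies them to constructed sample traffic to show what each rule keys on. The HTTP request and SMTP session are made up for this example, not taken from the pcap mentioned in the post, and the `http_header` buffer handling is a simplification of Snort's (the block between the request line and the blank line). It also shows a caveat for rule authors: Snort `content` matches are case-sensitive unless `nocase` is set, so a client that emits the same headers in different case would slip past the SMTP rule as written.

```python
import re
from typing import Sequence

# Constructed sample traffic for this example (not captured from the malware).
SAMPLE_HTTP = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: DavClnt\r\n"
    b"translate: f\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

SAMPLE_SMTP = (
    b"MAIL FROM:<bot@example.invalid>\r\n"
    b"RCPT TO:<joana@example.invalid>\r\n"
    b"DATA\r\n"
    b"FROM: bot <bot@example.invalid>\r\n"
    b"TO: Joana <joana@example.invalid>\r\n"
    b"SUBJECT: [T] host-report\r\n"
    b"\r\n...\r\n.\r\n"
)

# The content options copied from the two rules in the post.
HTTP_RULE_CONTENTS = ["User-Agent: DavClnt", "translate: "]
SMTP_RULE_CONTENTS = ["TO: Joana ", "SUBJECT: |5B|T|5D|"]

# A run of hex bytes between pipes, e.g. |5B| or |0D 0A|.
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def decode_content(pattern: str) -> bytes:
    """Convert a Snort content string such as 'SUBJECT: |5B|T|5D|' to raw bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def http_header_buffer(request: bytes) -> bytes:
    """Approximate Snort's http_header buffer: header lines after the request line."""
    head, _, _ = request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers


def rule_matches(buffer: bytes, contents: Sequence[str], nocase: bool = False) -> bool:
    """True when every content option is found somewhere in the buffer.

    Without distance/within modifiers, Snort evaluates each content
    independently, so all must be present but no ordering is enforced.
    Matching is case-sensitive unless the rule sets nocase.
    """
    haystack = buffer.lower() if nocase else buffer
    for pattern in contents:
        needle = decode_content(pattern)
        if nocase:
            needle = needle.lower()
        if needle not in haystack:
            return False
    return True


if __name__ == "__main__":
    print("decoded SMTP subject content:", decode_content("SUBJECT: |5B|T|5D|"))
    print("HTTP rule hits sample request:", rule_matches(http_header_buffer(SAMPLE_HTTP), HTTP_RULE_CONTENTS))
    print("SMTP rule hits sample session:", rule_matches(SAMPLE_SMTP, SMTP_RULE_CONTENTS))
    print("SMTP rule hits lower-cased session:", rule_matches(SAMPLE_SMTP.lower(), SMTP_RULE_CONTENTS))
    print("...with nocase:", rule_matches(SAMPLE_SMTP.lower(), SMTP_RULE_CONTENTS, nocase=True))
```

The last two lines of output are the point: the SMTP rule as posted needs the exact capitalisation `TO: Joana ` and `SUBJECT: [T]`, which is precise for the sample in the pcap but means a trivially varied header casing would not alert unless `nocase` is added to those content options.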