[Snort-sigs] Win.Ransomware.Satan

Y M snort at outlook.com
Tue May 1 09:21:27 EDT 2018


Hi,

This one does not have a pcap. Though, the reference has good information.

# Date: 2018-05-01
# Title: Satan Ransomware
# Tests: systax only
# Reference: https://bartblaze.blogspot.qa/2018/04/satan-ransomware-adds-eternalblue.html

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Satan post-infection outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/data/token.php?"; fast_pattern:only; http_uri; content:"status="; http_uri; content:"&code="; http_uri; metadata:ruleset community, service http; reference:url,bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html; classtype:trojan-activity; sid:8000036; rev:1;)

Thanks.
YM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180501/5804475e/attachment-0001.html>


More information about the Snort-sigs mailing list