[Snort-sigs] Win.Torjan.NeutrinoPOS variant

Ernest Johnson ernest.johnson2 at gmail.com
Tue May 8 14:56:16 EDT 2018


can you take a look at these rules and tell me what you think please

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible  POST
GandCrab Ransomware infection"; flow:to_server,established; content:"POST";
nocase; http_method; content:" 78.155.206.6/curl.php?: "; classtype:
ransomware-attack; sid:1000000013; rev:1;)



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible
GandCrab Ransomware Attack"; flow:to_server,established; content:"GET";
nocase; http_method; content:" ipv4bot.whatismyipaddress.com/”; classtype:
ransomware-attack; sid:1000000012; rev:1;)



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:" Possible
GandCrab Ransomware Attack "; flow:to_server,established; content:
[66.171.248.178, 101.226.79.205, 112.90.141.215,78.155.206.6]"; classtype:
ransomware-attack; sid:1000000014; rev:1;)




On Tue, Apr 3, 2018 at 8:39 AM, Phillip Lee <phillile at sourcefire.com> wrote:

> Yaser,
>
> Thanks for your submission. We will review the rules and get back to you
> when they're finished.
>
> Can you send along the pcap that you have?
>
> Regards,
> Phil Lee
> Cisco Talos
>
> On Apr 3, 2018, at 9:13 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org>
> wrote:
>
> Hi,
>
> A pcap for this one is available.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Banker NeutrinoPOS variant outbound connection";
> flow:to_server,established; content:"GET"; http_method;
> content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&99=";
> http_uri; content:"&f1="; http_uri; content:"Accept-Charset|3A 20|";
> http_header; metadata:ruleset community, service http; reference:url,
> www.virustotal.com/#/file/123275cc76ef377986715c98abb0fe
> c50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity;
> sid:9000049; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Banker NeutrinoPOS variant outbound connection";
> flow:to_server,established; content:"POST"; http_method;
> content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&req=";
> http_uri; content:!"Connection"; http_header; content:"1="; within:3;
> http_client_body; metadata:ruleset community, service http; reference:url,
> www.virustotal.com/#/file/123275cc76ef377986715c98abb0fe
> c50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity;
> sid:9000050; rev:1;)
>
> Thanks.
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-
> etiquette
>
> Visit the Snort.org <http://snort.org/> to subscribe to the official
> Snort ruleset, make sure to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
>


-- 
Ernest Johnson
504 621 2520
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180508/b6c05599/attachment-0001.html>


More information about the Snort-sigs mailing list