[Snort-sigs] Win.Trojan.Dunihi

Joel Esler (jesler) jesler at cisco.com
Tue May 8 23:13:22 EDT 2018


What are you trying to do?  Download the rule?  You have to be a paid subscriber, download the ruleset, and then you can get the rule from inside the tarball, along with all of our other up to date rules.

Sent from my iPad

On May 8, 2018, at 11:11 PM, Ernest Johnson <ernest.johnson2 at gmail.com> wrote:

Do i just log in and do a search for it?

On Tue, May 8, 2018, 8:29 PM Joel Esler (jesler) <jesler at cisco.com> wrote:
We do have a rule for GandCrab malware.  It's sid 45694.  Available in our subscriber ruleset at https://www.snort.org/downloads#rules

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com




On May 8, 2018, at 10:23 AM, Ernest Johnson via Snort-sigs <snort-sigs at lists.snort.org> wrote:

Phill,

Do you have a signature for GandCrab ransomware to alert on or block it?

On Mon, May 7, 2018 at 12:06 PM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:

Hi,

Pcap is available for this as retrieved from the reference.

# --------------------
# Date: 2018-05-07
# Title: JacksBot, Dunihi
# Tests: pcap
# Reference: https://twitter.com/James_inthe_box/status/993508601862832130, https://app.any.run/tasks/7533e2da-24b1-424c-8624-dbb764852020

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Dunihi outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/is-ready"; fast_pattern:only; http_uri; content:"|3C 7C 3E|"; http_header; metadata:ruleset community, service http; reference:url,twitter.com/James_inthe_box/status/993508601862832130; reference:url,www.virustotal.com/#/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/detection; classtype:trojan-activity; sid:8000048; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads




--
Ernest Johnson
504 621 2520
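As an added example that is not part of the original thread, the following Python re-implements the three content checks of YM's Win.Trojan.Dunihi rule above (POST method, "/is-ready" in the URI, the bytes 3C 7C 3E, i.e. "<|>", anywhere in the header block) together with the rule's destination-port restriction, so the logic can be exercised against raw HTTP requests without a Snort sensor. The sample requests and the 203.0.113.10 address are constructed for this purpose and are not captured traffic; the `<|>`-delimited User-Agent in the hit sample is shaped to satisfy the rule, not copied from a sample.

```python
"""
Plain-Python mirror of the content checks in the Dunihi rule posted above.
All requests below are constructed test data, not captured beacons.
"""
from typing import Dict, Optional, Tuple

# The byte pattern the rule writes as |3C 7C 3E|, i.e. the string "<|>".
FIELD_DELIMITER = b"\x3c\x7c\x3e"


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, Dict[bytes, bytes], bytes]]:
    """Split a raw HTTP/1.x request into (method, uri, headers, body).

    Returns None when the request line is not parseable, so a malformed
    request never matches by accident.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) < 2:
        return None
    method, uri = request_line[0], request_line[1]
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def dunihi_rule_matches(raw: bytes, dst_port: int) -> bool:
    """Apply the rule's conditions in the same order as its content matches.

    - $EXTERNAL_NET 1024: only destination ports 1024 and above
    - content:"POST"; http_method
    - content:"/is-ready"; http_uri   (substring match, as Snort does)
    - content:"|3C 7C 3E|"; http_header  (whole header block, any field)
    """
    if dst_port < 1024:
        return False
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers, _ = parsed
    if method != b"POST":
        return False
    if b"/is-ready" not in uri:
        return False
    # http_header is the full header block, so reassemble "Name: value"
    # lines rather than pinning the check to one field.
    return any(FIELD_DELIMITER in name + b": " + value for name, value in headers.items())


# Constructed request that satisfies every content match in the rule.
SAMPLE_HIT = (
    b"POST /is-ready HTTP/1.1\r\n"
    b"Host: 203.0.113.10:5555\r\n"
    b"User-Agent: 1A2B3C4D<|>WIN-HOST<|>user<|>Microsoft Windows 7<|>plus<|>FALSE<|>FALSE<|>FALSE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Same URI and header, but GET: the http_method check must reject it.
SAMPLE_GET = SAMPLE_HIT.replace(b"POST ", b"GET ", 1)

# POST to /is-ready with an ordinary User-Agent: no "<|>" in any header.
SAMPLE_NO_DELIM = (
    b"POST /is-ready HTTP/1.1\r\n"
    b"Host: 203.0.113.10:5555\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def run_samples() -> Dict[str, bool]:
    """Evaluate the constructed samples; the port-80 case shows the rule's
    port restriction, not a content mismatch."""
    return {
        "hit_port_5555": dunihi_rule_matches(SAMPLE_HIT, 5555),
        "hit_port_80": dunihi_rule_matches(SAMPLE_HIT, 80),
        "get_method": dunihi_rule_matches(SAMPLE_GET, 5555),
        "no_delimiter": dunihi_rule_matches(SAMPLE_NO_DELIM, 5555),
    }


if __name__ == "__main__":
    for name, matched in run_samples().items():
        print(f"{name}: {'ALERT' if matched else 'no match'}")
```

Two caveats the mirror makes visible: the `1024:` port range means the same beacon sent to port 80 is not alerted on, so widen the port spec if the pcap or your environment shows the C2 listening on a low port; and because `http_header` covers the whole header block, any header carrying `<|>` satisfies the third match, which keeps the rule robust if the field name changes but is worth keeping in mind when tuning false positives.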
