[Snort-sigs] Win.Trojan.Nemucod JS

O C snort at outlook.com
Tue May 29 13:23:29 EDT 2018


Hi,

The lead for these rules is from reference [1]. But I was not able to acquire the JS mentioned in it. However, I found a similar JS behaving exactly the same, with additional GitHub as well as CodePlex profiles for C&C. No pcaps available for this one.

# --------------------
# Date: 2018-05-27
# Title: JavaScript based Bot using Github C&C
# Tests: syntax only
# Reference:
#   [1] http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html
#   [2] https://www.virustotal.com/#/file/54c25b9fedcec02d74c780412d7c50285b7837eac2d3daf23e8e4aca42ad5d71/detection
#   [3] https://www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection
#   [4] https://www.hybrid-analysis.com/sample/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3?environmentId=120
# Profiles:
#   - https://raw.githubusercontent.com/deadpooool/news/master/README.md
#   - https://raw.githubusercontent.com/anvaperhdfjkdhud/1234/master/README.md
#   - https://www.codeplex.com/site/users/view/saidjaosdjo
#   - https://raw.githubusercontent.com/iuasbduias/auhidshas/master/README.md

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=getSerial"; fast_pattern:only; http_client_body; content:"&computer_name="; http_client_body; content:"&username="; http_client_body; content:"&version="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000065; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=getCommand"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000066; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=sendScreenshot"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"&data="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000067; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"action=up"; fast_pattern:only; http_client_body; content:"&uid="; http_client_body; content:"&antivirus="; http_client_body; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000068; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Nemucod JS response"; flow:to_client,established; file_data; content:"youwillnotfindthisanywhare"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/4d522c1409494db1918d1d47b98d76e7ae5b39b7f4c4a26ecd13107c6b327dd3/detection; classtype:trojan-activity; sid:8000069; rev:1;)

Thanks.
YM
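The post says the rules were syntax-checked only, with no pcap to fire them against. The following is an added example, not the poster's code and not part of the Snort project: a small Python re-implementation of the content, http_method, http_header, http_client_body and file_data constraints of the five rules, run over constructed HTTP messages. The sample requests, hostnames and paths are made up; the field names, action values and the response marker string come from the rules above. Its purpose is to see which sid each message would hit and to surface two edge cases a reviewer would want to know about before the rules ship.

```python
"""Added example: re-check the five Nemucod JS rules' matching logic offline.

RULES mirrors the sids from the post. For requests, every 'body' string must
appear in the POST body (Snort http_client_body), the method must be POST
(http_method) and the Content-Type line must be in the headers (http_header).
For responses, every 'file_data' string must appear in the response body.
Matching is plain case-sensitive substring search, which is what Snort's
content keyword does by default.
"""

RULES = [
    {"sid": 8000065, "direction": "request",
     "body": ["action=getSerial", "&computer_name=", "&username=", "&version="]},
    {"sid": 8000066, "direction": "request",
     "body": ["action=getCommand", "&uid="]},
    {"sid": 8000067, "direction": "request",
     "body": ["action=sendScreenshot", "&uid=", "&data="]},
    {"sid": 8000068, "direction": "request",
     "body": ["action=up", "&uid=", "&antivirus="]},
    {"sid": 8000069, "direction": "response",
     "file_data": ["youwillnotfindthisanywhare"]},
]

FORM_HEADER = "Content-Type: application/x-www-form-urlencoded"


def parse_http(raw: str):
    """Split a raw HTTP message into (start_line, headers_text, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, _, headers = head.partition("\r\n")
    return start_line, headers, body


def match_rules(raw: str, direction: str):
    """Return the sids whose constraints all hold for this message."""
    start_line, headers, body = parse_http(raw)
    hits = []
    for rule in RULES:
        if rule["direction"] != direction:
            continue
        if direction == "request":
            if not start_line.startswith("POST "):
                continue            # http_method "POST" fails
            if FORM_HEADER not in headers:
                continue            # http_header check fails
            if all(s in body for s in rule["body"]):
                hits.append(rule["sid"])
        else:
            if all(s in body for s in rule["file_data"]):
                hits.append(rule["sid"])
    return hits


# Constructed sample traffic (hostnames and paths are placeholders).
SAMPLE_GETSERIAL = (
    "POST /gate.php HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    f"{FORM_HEADER}\r\n\r\n"
    "action=getSerial&computer_name=DESKTOP-TEST&username=user&version=1.0"
)
# Edge case 1: same fields, but uid is the first parameter, so "&uid=" never
# appears and sid 8000068 stays silent.
SAMPLE_UID_FIRST = (
    "POST /gate.php HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    f"{FORM_HEADER}\r\n\r\n"
    "uid=1234&action=up&antivirus=none"
)
# Edge case 2: "action=up" is a prefix of "action=upload", so an unrelated
# form with these three fields also hits sid 8000068.
SAMPLE_PREFIX = (
    "POST /api HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    f"{FORM_HEADER}\r\n\r\n"
    "action=upload&uid=9&antivirus=x"
)
SAMPLE_BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    f"{FORM_HEADER}\r\n\r\n"
    "username=alice&password=hunter2"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "<!-- youwillnotfindthisanywhare --> cmd=sleep"
)

if __name__ == "__main__":
    for name, raw, direction in [
        ("getSerial", SAMPLE_GETSERIAL, "request"),
        ("uid first", SAMPLE_UID_FIRST, "request"),
        ("upload prefix", SAMPLE_PREFIX, "request"),
        ("benign login", SAMPLE_BENIGN, "request"),
        ("response", SAMPLE_RESPONSE, "response"),
    ]:
        print(f"{name:14} -> {match_rules(raw, direction)}")
```

The two edge cases are the ones worth carrying back into the rules: the leading `&` in `&uid=` means a beacon that puts `uid` first in the body is missed, and `action=up` matches any action beginning with those two letters, so `sid:8000068` will fire on ordinary `action=upload` forms that also carry `uid` and `antivirus` fields. A real validation still needs Snort itself on a pcap; this script only checks the string logic the rules encode.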