[Emerging-Sigs] njrat version 0.7d sigs

Patrick Olsen patrickolsen at sysforensics.org
Tue Sep 23 09:08:06 EDT 2014


All,

I downloaded the njrat version 0.7d builder this evening and generated a
range of activities with it. I ran the latest ET trojan rules (specifically
looking at ET TROJAN Bladabindi/njrat CnC) against two pcaps I have and
didn't get any hits on them. I believe where the rules are falling short is
the depth values that are set. They trigger on a few of them if you remove
it. In either case I re-wrote the rules.

They would only trigger if I had -k none (Checksum mode set to none). This
was the case with a live pcap and my test/controlled pcap.

The hash referenced is the archive of the njrat builder. You can download
it from VT.

I decided to break them out by the command issued (e.g. Keylogging). All
the return values are base64 encoded.

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)"; flow:from_client,established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; fast_pattern; content:"|00|CAP|7c 27 7c 27 7c|"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100001; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100002; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; fast_pattern; content:"Executed As"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100003; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100004; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100005; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100006; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100007; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100008; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100009; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100010; rev:1;)

Thanks,

Patrick