[Emerging-Sigs] njrat version 0.7d sigs

Will Metcalf william.metcalf at gmail.com
Tue Sep 23 09:34:10 EDT 2014


Awesome, thanks Patrick! We will get these into QA.  Any chance you can
share your test PCAP off-list? If not, that is okay as well.

Regards,

Will

On Tue, Sep 23, 2014 at 8:08 AM, Patrick Olsen <
patrickolsen at sysforensics.org> wrote:

> All,
>
> I downloaded the njrat version 0.7d builder this evening and generated a
> range of activities with it. I ran the latest ET trojan rules (specifically
> looking at ET TROJAN Bladabindi/njrat CnC) against two pcaps I have and
> didn't get any hits on them. I believe where the rules are falling short is
> the depth values that are set. They trigger on a few of them if you remove
> it. In either case I re-wrote the rules.
>
> They would only trigger if I had -k none (Checksum mode set to none). This
> was the case with a live pcap and my test/controlled pcap.
>
> The hash referenced is the archive of the njrat builder. You can download
> it from VT.
>
> I decided to break them out into what the command issued is (Ex.
> Keylogging). All the return values are base64 encoded.
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Capture)"; flow:from_client,established; content:!"GET|20|";
> content:"|FF D8 FF E0 00 10 4A 46 49 46|"; fast_pattern;
> content:"|00|CAP|7c 27 7c 27 7c|";
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100001; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c
> 27 7c 27 7c|"; fast_pattern;
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100002; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27
> 7c 27 7c|"; fast_pattern; content:"Executed As";
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100003; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c
> 27 7c 27 7c|"; fast_pattern;
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100004; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Services Listing)"; flow:from_client,established;
> content:"|00|srv|7C 27 7C 27 7C|"; fast_pattern;
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100005; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Registry Listing)"; flow:from_client,established;
> content:"|00|RG|7C 27 7C 27 7C|"; fast_pattern;
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100006; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Process Listing)"; flow:from_client,established;
> content:"|00|proc|7C 27 7C 27 7C|"; fast_pattern;
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100007; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (File Manager Actions)"; flow:from_client,established;
> content:"|00|fm|7C 27 7C 27 7C|"; fast_pattern;
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100008; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27
> 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441;
> classtype:trojan-activity; sid:100009; rev:1;)
>
> alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC
> Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|";
> fast_pattern; content:"0.7d";
> reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity;
> sid:100010; rev:1;)
>
> Thanks,
>
> Patrick
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
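Each of the ten rules above keys on the same shape of byte pattern: a NUL, the command token, then the separator `|7C 27 7C 27 7C|`, which is the ASCII string `|'|'|`. The following Python is an added example, not code from the post or from Emerging Threats: it converts the rules' Snort content strings to raw bytes, checks constructed payloads against the same content matches (including the negated `!"GET|20|"` in the Capture rule), shows how a `depth` cap can suppress a hit in the way Patrick describes, and base64-decodes the return fields after the separator. The sample payloads, the short prefix placed before the NUL, and the `depth` value are constructed for illustration; the post documents the byte patterns, not the full njRAT framing.

```python
"""Toy matcher for the njRAT 0.7d content patterns in the rules above.

Added example, not code from the post or from Emerging Threats. Payloads are
constructed; only the content strings come from the posted rules.
"""
import base64
from typing import List, Optional, Tuple

NJRAT_SEP = b"|'|'|"  # the bytes |7C 27 7C 27 7C| every rule matches after the command


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort/Suricata content string to bytes.

    Text outside |...| is literal; text inside is space-separated hex, so
    "|00|kl|7C 27 7C 27 7C|" becomes b"\\x00kl|'|'|".
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)  # fromhex skips the spaces between byte pairs
    return bytes(out)


# sid -> (label, [(negated, content), ...]); content strings copied from the posted rules.
# None of these contents is relative (no distance/within), so each is searched independently.
RULES = {
    100001: ("Capture", [(True, "GET|20|"),
                         (False, "|FF D8 FF E0 00 10 4A 46 49 46|"),
                         (False, "|00|CAP|7c 27 7c 27 7c|")]),
    100002: ("Microphone", [(False, "|00|MIC|7c 27 7c 27 7c|")]),
    100003: ("Message", [(False, "|00|MSG|7c 27 7c 27 7c|"), (False, "Executed As")]),
    100004: ("Remote Shell", [(False, "|00|rs|7c 27 7c 27 7c|")]),
    100005: ("Services Listing", [(False, "|00|srv|7C 27 7C 27 7C|")]),
    100006: ("Registry Listing", [(False, "|00|RG|7C 27 7C 27 7C|")]),
    100007: ("Process Listing", [(False, "|00|proc|7C 27 7C 27 7C|")]),
    100008: ("File Manager Actions", [(False, "|00|fm|7C 27 7C 27 7C|")]),
    100009: ("Keylogging", [(False, "|00|kl|7C 27 7C 27 7C|")]),
    100010: ("Callback", [(False, "|00|ll|7C 27 7C 27 7C|"), (False, "0.7d")]),
}


def content_matches(payload: bytes, content: str, depth: Optional[int] = None) -> bool:
    """Search one content; depth restricts the search to the first N bytes (Snort's depth)."""
    haystack = payload if depth is None else payload[:depth]
    return snort_content_to_bytes(content) in haystack


def matching_sids(payload: bytes) -> List[int]:
    """Return the sids whose content checks all pass; a negated content passes when absent."""
    hits = []
    for sid, (_label, contents) in RULES.items():
        if all(content_matches(payload, c) != negated for negated, c in contents):
            hits.append(sid)
    return hits


def depth_sensitivity(payload: bytes, content: str, depth: int) -> Tuple[bool, bool]:
    """(match with no depth, match with a depth cap): a cap smaller than the offset
    of the command token silently loses the hit, which is the failure the post describes."""
    return content_matches(payload, content), content_matches(payload, content, depth=depth)


def split_njrat_message(payload: bytes) -> Tuple[str, List[bytes]]:
    """Split on the |'|'| separator after the first NUL into (command, fields),
    base64-decoding each field when it is valid base64 (the post says return values are)."""
    body = payload[payload.index(b"\x00") + 1:]
    command, *fields = body.split(NJRAT_SEP)
    decoded = []
    for field in fields:
        try:
            decoded.append(base64.b64decode(field, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            decoded.append(field)
    return command.decode("latin-1"), decoded


# Constructed payloads (hypothetical; not captured njRAT traffic). The "29" prefix on
# the keylog sample is invented to show a command token that does not sit at offset 0.
SAMPLES = {
    "keylog": b"29\x00kl" + NJRAT_SEP + base64.b64encode(b"typed text (constructed)"),
    "capture": b"\x00CAP" + NJRAT_SEP + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "message": b"\x00MSG" + NJRAT_SEP + b"Executed As admin",
    "beacon": b"\x00ll" + NJRAT_SEP + b"HOST-PC" + NJRAT_SEP + b"0.7d",
    # Benign-looking HTTP request carrying the same bytes: the negated GET content blocks sid 100001.
    "http_get": b"GET /x HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                b"\xff\xd8\xff\xe0\x00\x10JFIF\x00CAP" + NJRAT_SEP,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, matching_sids(payload))
    print(split_njrat_message(SAMPLES["keylog"]))
    print(depth_sensitivity(SAMPLES["keylog"], "|00|kl|7C 27 7C 27 7C|", depth=8))
```

The depth check is the part worth running against a real capture: if the command token is preceded by any prefix, a `depth` smaller than prefix length plus pattern length never sees the whole needle, and the rule is silent although its bytes are correct. The post's other observation, that hits only appeared with `-k none`, points at a separate cause: with checksum verification on, Snort does not inspect TCP segments whose checksums fail, which is common in captures taken on the sending host with offloading enabled, so a rule can look broken when the packets were simply never evaluated.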