[Emerging-Sigs] SIGS: Critx/Flashpack Flash Request & Payload Request

Kevin Ross kevross33 at googlemail.com
Thu Sep 25 07:13:59 EDT 2014

Oh and FYI malware this tried to get on end machine was CryptoWall but my
stuff extracted the sample. PCAP here:
Also ran that PCAP through my sensors to confirm and came out fine for ET
sig detection.

Kind Regards,
Kevin Ross

On 25 September 2014 09:52, Kevin Ross <kevross33 at googlemail.com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Critx/Flashpack Flash Exploit Request";
> flow:established,to_server; content:"POST"; http_method;
> content:"/imageclass/newgater.php"; http_uri; content:"fvers=";
> http_client_body; depth:6; classtype:trojan-activity;
> reference:md5,ce0fa5d811e0735369366b76b1efd07a; sid:123991; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Critx/Flashpack Payload Request";
> flow:established,to_server; content:"/imageclass/load"; http_uri;
> content:".php"; http_uri;
> pcre:"/^\x2Fimageclass\x2Fload[a-z0-9]{5,15}\x2Ephp$/U";
> classtype:trojan-activity; reference:md5,cce12efacf5800fb937d40bbf0b0c4b0;
> sid:123992; rev:1;)
> Kind Regards,
> Kevin Ross
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140925/27a1d7b2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CryptoWall.png
Type: image/png
Size: 157173 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140925/27a1d7b2/attachment-0001.png>

More information about the Emerging-sigs mailing list