[Emerging-Sigs] Win32.Backdoor.Randrew.A - CnC Checking

Arvind Kumar arvind.kumar12 at gmail.com
Sun Dec 10 03:16:56 HST 2017


Hi Guys,

Please find the attached rule and pcap.

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"Win32.Backdoor.Randrew.A - CnC Checking"; \
    flow:established,to_server; \
    content:"GET"; http_method; \
    content:"/Listen.aspx?A="; http_uri; fast_pattern; \
    content:"Accept-Encoding: gzip"; http_header; \
    pcre:"/[A-Z0-9\-]{30,42}$/U"; \
    metadata:former_category TROJAN; \
    reference:md5,BFB3C542AD815436EC3F2FD71582AD08B7E7301C; \
    classtype:trojan-activity; \
    sid:2xxxxxx; rev:1; \
    metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, \
             attack_target Client_Endpoint, deployment Perimeter, \
             signature_severity Major, created_at 2017_12_10, \
             malware_family Randrew.A, performance_impact Moderate, \
             updated_at 2017_12_10; \
)



Warm regards
Arvind Kumar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.pcap
Type: application/octet-stream
Size: 8780 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20171210/46db660a/attachment.obj>
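As an added example (not part of Arvind's post, of the ET rule set, or of the attached pcap), the Python below emulates the posted rule's match conditions and runs them over a handful of constructed HTTP requests. The request samples, the helper names and the way Suricata's http_method / http_uri / http_header buffers are approximated are all my assumptions; the option values themselves are copied from the rule.

```python
"""Emulate the match logic of the Randrew.A rule over constructed requests.

Added example, not part of the original post. It approximates Suricata's
buffers: http_method = request method, http_uri = request-target,
http_header = the raw header block. Content matches are case-sensitive
substring matches (the rule has no nocase); the pcre carries the /U flag,
so it is evaluated against the URI buffer only.
"""
import re
from typing import Dict, Optional, Tuple

# Rule options transcribed from the posted signature.
URI_CONTENT = b"/Listen.aspx?A="               # content:"/Listen.aspx?A="; http_uri;
HEADER_CONTENT = b"Accept-Encoding: gzip"      # content:"Accept-Encoding: gzip"; http_header;
URI_PCRE = re.compile(rb"[A-Z0-9\-]{30,42}$")  # pcre:"/[A-Z0-9\-]{30,42}$/U"


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Split a raw HTTP/1.x request into (method, uri, header_block)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None  # malformed request line: no HTTP buffers would be built
    method, uri, _version = parts
    return method, uri, b"\r\n".join(lines[1:])


def rule_matches(raw: bytes) -> bool:
    """Return True when the request satisfies every option of the rule."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    if method != b"GET":                        # content:"GET"; http_method;
        return False
    if URI_CONTENT not in uri:                  # http_uri substring, case-sensitive
        return False
    if HEADER_CONTENT not in headers:           # http_header substring
        return False
    return URI_PCRE.search(uri) is not None     # pcre against the URI buffer


def build(method: bytes, uri: bytes, encoding: bytes = b"gzip") -> bytes:
    """Build a constructed request (sample data, not taken from the pcap)."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: c2.example.invalid\r\n"
            b"User-Agent: Mozilla/4.0\r\n"
            b"Accept-Encoding: " + encoding + b"\r\n\r\n")


# Constructed cases: a 37-char token of the shape the rule expects, plus edge cases.
TOKEN = b"ABCDEF0123456789-ABCDEF0123456789-XYZ"
SAMPLES: Dict[str, bytes] = {
    "beacon":          build(b"GET", b"/Listen.aspx?A=" + TOKEN),
    "short_token":     build(b"GET", b"/Listen.aspx?A=ABC123"),
    "lowercase_token": build(b"GET", b"/Listen.aspx?A=" + TOKEN.lower()),
    "wrong_path_case": build(b"GET", b"/listen.aspx?A=" + TOKEN),
    "no_gzip":         build(b"GET", b"/Listen.aspx?A=" + TOKEN, b"deflate"),
    "post_method":     build(b"POST", b"/Listen.aspx?A=" + TOKEN),
    # 50-char token: the pcre has no left anchor, so {30,42}$ still matches
    # the final 42 characters and the upper bound limits nothing.
    "long_token":      build(b"GET", b"/Listen.aspx?A=" + b"A" * 50),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed sample through the emulated rule."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} {'ALERT' if hit else '-'}")
```

Two things the emulation makes visible. First, because the pcre has no left boundary (no `=` or `^` before the class), `{30,42}$` fires on any URI that ends in at least 30 token characters, so the 42 upper bound does not reject longer values; anchoring on `A=` would tighten it if the malware's token length is fixed. Second, the `reference:md5,...` value is 40 hex characters, which is SHA-1 length rather than MD5, so it is worth re-checking which digest it is before the reference goes into the rule set. This script only approximates Suricata's buffers and is no substitute for replaying the attached pcap through the engine.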