[Emerging-Sigs] Downloader.Win32.op17

Attack Detection attackdetectionteam at gmail.com
Fri Dec 15 06:56:32 HST 2017


Hi.
Signature for detecting connections to C2. Infrastructure for sending malicious payload to victim.
I will give several links:
https://threatcrowd.org/domain.php?domain=v1.eakalra.ru
http://www.freebuf.com/articles/terminal/153428.html

Pcaps(36):
https://www.dropbox.com/sh/6tueeu7vo1o205s/AABhgsH9BVbmBVcZWbou1nBpa?dl=0

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "[PT MALWARE] Downloader.Win32.op17 Response TCP"; flow: established, to_client; dsize: 517; content: "|45362718|"; depth: 4; classtype: trojan-activity; metadata: autosign, id_278116, created_at 2017_7_14; sid: 10001127; rev: 3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "[PT MALWARE] Downloader.Win32.op17 Request TCP"; flow: established, to_server; dsize: 170; content: "|453627180820|"; depth: 6; classtype: trojan-activity; metadata: autosign, id_302156, created_at 2017_7_14; sid: 10001126; rev: 3;)

Best regards,
John.
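As an added example, not part of John's post or the Emerging Threats ruleset: a small Python check that applies the dsize, content and depth options of the two rules above to constructed sample payloads, showing why a payload with the right leading bytes but the wrong length, or with those bytes past the depth window, is not flagged. The parser handles only those three keywords; the flow direction and port constraints are assumed to be enforced by the sensor, and all payloads are constructed for illustration.

```python
import re

# Option strings taken from the two rules in the post (only the options the matcher uses).
RULE_OPTIONS = {
    "request":  'flow: established, to_server; dsize: 170; content: "|453627180820|"; depth: 6;',
    "response": 'flow: established, to_client; dsize: 517; content: "|45362718|"; depth: 4;',
}


def parse_rule_options(options: str) -> dict:
    """Extract dsize, the hex content pattern and depth from a Snort/Suricata option string.

    Assumption: a single content match written in |hex| form, optionally followed by depth.
    """
    dsize = int(re.search(r"dsize\s*:\s*(\d+)", options).group(1))
    hex_bytes = re.search(r'content\s*:\s*"\|([0-9a-fA-F ]+)\|"', options).group(1)
    content = bytes.fromhex(hex_bytes.replace(" ", ""))
    depth_m = re.search(r"depth\s*:\s*(\d+)", options)
    depth = int(depth_m.group(1)) if depth_m else None
    return {"dsize": dsize, "content": content, "depth": depth}


def matches(rule: dict, payload: bytes) -> bool:
    """dsize N means the payload must be exactly N bytes; depth D limits the content search
    to the first D bytes of the payload. Both must hold for the rule to fire."""
    if len(payload) != rule["dsize"]:
        return False
    window = payload if rule["depth"] is None else payload[: rule["depth"]]
    return rule["content"] in window


def evaluate_samples() -> dict:
    """Run both rules over constructed payloads; returns {sample name: matched}."""
    req = parse_rule_options(RULE_OPTIONS["request"])
    resp = parse_rule_options(RULE_OPTIONS["response"])
    magic_req = bytes.fromhex("453627180820")
    magic_resp = bytes.fromhex("45362718")
    return {
        # Correct magic and exact size: both rules fire.
        "request_ok": matches(req, magic_req + b"\x00" * (170 - len(magic_req))),
        "response_ok": matches(resp, magic_resp + b"\x00" * (517 - len(magic_resp))),
        # Right magic, one byte too long: dsize rejects it.
        "request_wrong_size": matches(req, magic_req + b"\x00" * (171 - len(magic_req))),
        # Magic shifted to offset 2: it no longer fits inside depth 4.
        "response_magic_past_depth": matches(resp, b"\x00\x00" + magic_resp + b"\x00" * 511),
    }
```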