[Emerging-Sigs] Rule for Adwind new certificate.

James Emery-Callcott jcallcott at emergingthreats.net
Thu Jan 18 06:10:16 HST 2018


Hi John,

Thanks for sending this in.
We'll take a look and push to QA asap.

Thanks,
James.

On Thu, Jan 18, 2018 at 2:41 PM, Attack Detection <attackdetectionteam at gmail.com> wrote:

> Hi. For the Adwind RAT, I have written new rules for the new certificate.
>
> Suricata 3.x version:
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Possible Adwind SSL Cert (khgvjbk)"; flow:established,from_server; content:"|0b|"; content:"|04 70 fe e3 2f|"; distance:18; within:20; content:"|55 04 0a|"; distance:0; content:"|07|khgvjbk"; distance:1; within:13; fast_pattern; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:1; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2018_01_18;)
>
> Suricata 4.x version:
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Possible Adwind SSL Cert (khgvjbk)"; flow:established,from_server; tls_cert_serial; content:"70:FE:E3:2F"; fast_pattern; tls_cert_issuer; content:"hgfyuilijhk"; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:2; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2018_01_18;)
>
> Links:
> Pcap
> https://www.dropbox.com/s/2q9i5o9saqxnj82/abc5d2316a6ec2f097ae4b9d2013e1eb8f29b2520a883398632b199029e22cf2.pcap.gz?dl=0
>
> Sample
> https://www.dropbox.com/s/yetg13mqi0ozbdq/31df0287875d5a7de4c1a78d31f69e39acc8c219355dd59bef8883a95c9b4a09.tar.gz?dl=0
>
> Analysis
> https://www.hybrid-analysis.com/sample/31df0287875d5a7de4c1a78d31f69e39acc8c219355dd59bef8883a95c9b4a09?environmentId=100
>
> Best regards,
> John.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>


-- 
*James Emery-Callcott*
Security Researcher
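An added example, not part of this thread and not ET or PTsecurity code, showing why the two rule versions above key on the same certificate fields: the 3.x rule matches raw DER bytes inside the TLS Certificate handshake message (the serial INTEGER's length and value `04 70 fe e3 2f`, the organizationName OID `55 04 0a`, and the length-prefixed string `07 khgvjbk`), while the 4.x rule matches the decoded `tls_cert_serial` and `tls_cert_issuer` strings. The Python below builds constructed DER fragments (not the real Adwind certificate; that `khgvjbk` sits in the subject O= and `hgfyuilijhk` in the issuer O= is an assumption, as is the `render_name` string format, which only approximates how Suricata renders a name) and checks both rule styles against them. `matches_3x_pattern` generalises the rule's `|07|khgvjbk` chain to any organization value by deriving the length byte.

```python
"""Added example (not from the thread): compare what the Suricata 3.x byte-pattern rule
and the 4.x tls_cert_* keyword rule for the Adwind certificate actually anchor on.

All DER below is CONSTRUCTED for illustration; it is not the real Adwind certificate.
"""

# X.501 Name attribute OIDs (hex of the DER-encoded OID content bytes).
OID_NAMES = {"550406": "C", "550408": "ST", "550407": "L", "55040a": "O",
             "55040b": "OU", "550403": "CN"}


def tlv(tag, content):
    """Encode one DER tag-length-value with a short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_tlv(data, pos=0):
    """Decode one DER TLV starting at pos. Returns (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def build_name(attrs):
    """Build an X.501 Name: SEQUENCE of SET of SEQUENCE { OID, PrintableString }."""
    rdns = b""
    for oid_hex, value in attrs:
        atv = tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x13, value.encode("ascii"))
        rdns += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, rdns)


# Constructed fragments. The serial value 70 fe e3 2f is the one both rules name;
# placing khgvjbk in the subject O= and hgfyuilijhk in the issuer O= is an ASSUMPTION.
SERIAL_TLV = tlv(0x02, bytes.fromhex("70fee32f"))  # -> 02 04 70 fe e3 2f
SUBJECT_DER = build_name([("55040a", "khgvjbk")])
ISSUER_DER = build_name([("55040a", "hgfyuilijhk")])


def serial_keyword(serial_tlv):
    """Render a DER INTEGER serial the way the 4.x tls_cert_serial keyword matches it."""
    tag, value, _ = der_tlv(serial_tlv)
    if tag != 0x02:
        raise ValueError("serial is not a DER INTEGER")
    return ":".join(f"{b:02X}" for b in value)


def name_attributes(name_der):
    """Walk a DER Name and return its attributes as [(short name, value), ...]."""
    out = []
    _, rdn_seq, _ = der_tlv(name_der)
    pos = 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = der_tlv(rdn_seq, pos)
        p = 0
        while p < len(rdn_set):
            _, atv, p = der_tlv(rdn_set, p)
            _, oid, q = der_tlv(atv)
            _, val, _ = der_tlv(atv, q)
            out.append((OID_NAMES.get(oid.hex(), oid.hex()), val.decode("latin-1")))
    return out


def render_name(name_der):
    """Approximate the string tls_cert_issuer/tls_cert_subject expose (format is an
    assumption); the 4.x rule's content:"hgfyuilijhk" is a substring match against it."""
    return ", ".join(f"{k}={v}" for k, v in name_attributes(name_der))


def matches_3x_pattern(name_der, org):
    """Emulate the 3.x relative content chain on raw DER: content:"|55 04 0a|"
    (organizationName OID), distance:1 (skip the string tag byte), then
    content:"|07|khgvjbk" (length byte + value). Generalised to any org value."""
    oid = bytes.fromhex("55040a")
    i = name_der.find(oid)
    if i < 0:
        return False
    j = i + len(oid) + 1
    expected = bytes([len(org)]) + org.encode("ascii")
    return name_der[j:j + len(expected)] == expected


def compare_rules():
    """Return what each rule version keys on, for the constructed certificate."""
    return {
        "tls_cert_serial": serial_keyword(SERIAL_TLV),
        "raw_serial_bytes": SERIAL_TLV[1:].hex(" "),  # the 3.x |04 70 fe e3 2f| pattern
        "issuer_string": render_name(ISSUER_DER),
        "issuer_keyword_hit": "hgfyuilijhk" in render_name(ISSUER_DER),
        "subject_3x_hit": matches_3x_pattern(SUBJECT_DER, "khgvjbk"),
    }


if __name__ == "__main__":
    for key, value in compare_rules().items():
        print(f"{key}: {value}")
```

The practical point for tuning: the 3.x form is brittle because it hard-codes the serial length byte, the string length byte and a fixed distance from the handshake type, so any re-issued certificate with a different serial or organization length silently stops matching; the 4.x keyword form decodes the certificate first and is the one to maintain going forward.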