[Emerging-Sigs] Machete sigs

Jack Mott jmott at emergingthreats.net
Thu Aug 15 08:47:12 HDT 2019


Thanks, Travis!

We will take a look and get these into QA for today's release!

Best,

jack

On Thu, Aug 15, 2019 at 11:43 AM Travis Green <travis at travisgreen.net>
wrote:

> List friends,
> While following up on the excellent research from ESET on the Machete
> malware, I was able to put some sigs together for it (details here:
> http://travisgreen.net/2019/08/14/machete-malware.html).
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Py.Machete
> HTTP Exfil"; flow:established,to_server; content:"POST"; http_method;
> content:"namepc="; http_client_body; content:"nadir="; http_client_body;
> content:"menrut0="; http_client_body; content:"menfile0=";
> http_client_body; content:"mens0="; http_client_body; reference:url,
> travisgreen.net/2019/08/14/machete-malware.html;
> classtype:trojan-activity; sid:1003911; rev:1;)
>
> alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Py.Machete
> FTP Exfil 1"; flow:established,to_server; content:"STOR|20|FIREPERF.zip";
> depth:17; reference:url,travisgreen.net/2019/08/14/machete-malware.html;
> classtype:trojan-activity; sid:1003912; rev:1;)
>
> alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Py.Machete
> FTP Exfil 2"; flow:established,to_server; content:"STOR|20|CRHOMEPER.zip";
> depth:18; reference:url,travisgreen.net/2019/08/14/machete-malware.html;
> classtype:trojan-activity; sid:1003913; rev:1;)
>
> Feedback welcomed,
> -T
>
> --
> PGP: ABE625E6
> keybase.io/travisbgreen
> calendly.com/travisgreen
> travisgreen.net
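As an added example (not from Travis's post or the ET ruleset), here is a small Python check that mirrors the logic of the three rules above over a constructed HTTP POST and FTP STOR sample, and derives the `depth` values the FTP rules use. The hostname, path and field values are made up, and the HTTP matcher is a simplification of Suricata's `http_method` / `http_client_body` buffers.

```python
# Constructed sample request shaped like the form fields sid 1003911 keys on.
SAMPLE_HTTP_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"          # placeholder host, not a real IoC
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"namepc=WORKSTATION01&nadir=C%3A%5CUsers%5Cvictim"
    b"&menrut0=docs&menfile0=report.docx&mens0=abc"
)

# The content: matches from the HTTP rule, all required in the client body.
HTTP_BODY_MARKERS = [b"namepc=", b"nadir=", b"menrut0=", b"menfile0=", b"mens0="]


def http_exfil_match(raw_request: bytes) -> bool:
    """Approximate sid 1003911: POST method and every marker in the body."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:                      # no header/body boundary, nothing to inspect
        return False
    request_line = head.split(b"\r\n", 1)[0]
    if not request_line.startswith(b"POST "):
        return False
    return all(marker in body for marker in HTTP_BODY_MARKERS)


def suricata_depth(pattern: str) -> int:
    """Byte length of a Suricata content pattern, counting |xx| hex escapes."""
    total = 0
    for idx, part in enumerate(pattern.split("|")):
        if idx % 2 == 1:             # odd segments sit inside |...| and hold hex bytes
            total += len(part.split())
        else:
            total += len(part)
    return total


def ftp_stor_match(ftp_command: bytes, filename: str) -> bool:
    """Approximate sids 1003912/1003913: 'STOR <file>' within depth bytes of start."""
    pattern = f"STOR|20|{filename}"
    depth = suricata_depth(pattern)  # 17 for FIREPERF.zip, 18 for CRHOMEPER.zip
    needle = b"STOR " + filename.encode()
    return needle in ftp_command[:depth]


if __name__ == "__main__":
    print("HTTP exfil:", http_exfil_match(SAMPLE_HTTP_REQUEST))
    print("FTP exfil 1:", ftp_stor_match(b"STOR FIREPERF.zip\r\n", "FIREPERF.zip"))
```

Because `depth` anchors the match to the start of the payload, a STOR command preceded by other bytes will not fire, which is the tradeoff the rules make for speed and precision.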