[Emerging-Sigs] Unknown TA Maldoc Check-In

Jason Williams jwilliams at emergingthreats.net
Tue Feb 25 13:09:33 HST 2020


Josh,

Thanks for the share!

Rule looks pretty good; the only minor things we'll add will be a negation
for a referrer and a distance:0 on a content that was missed.

So we'll submit the below to QA for the OPEN set for tomorrow's release and
see how it performs.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible
TA505 Maldoc Check-in"; flow:established,to_server; content:".php?g=";
http_uri; content:"&k="; http_uri; distance:0; content:"&x="; http_uri;
distance:0; content:"@@"; http_uri; distance:0; content:"@@"; http_uri;
distance:0; content:"@@*"; http_uri; fast_pattern; distance:0;
http_header_names; content:!"Referer|0d 0a|";
reference:md5,c53393908f80e993366deec605fe7372; classtype:trojan-activity;
sid:1; rev:1;)

or in suri5...

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible
TA505 Maldoc Check-in"; flow:established,to_server; http.uri;
content:".php?g="; content:"&k="; distance:0; content:"&x="; distance:0;
content:"@@"; distance:0; content:"@@"; distance:0; content:"@@*";
fast_pattern; distance:0; http.header_names; content:!"Referer|0d 0a|";
reference:md5,c53393908f80e993366deec605fe7372; classtype:trojan-activity;
sid:1; rev:1;)

Thanks again!

Jason

On Tue, Feb 25, 2020 at 1:03 PM Josh Stroschein <josh at m9development.com>
wrote:

> Hey all,
>  I was investigating a maldoc that drops a JS file for execution via
> wscript (process activity would be WORD.exe -> CMD.EXE -> WSCRIPT.EXE
> https://app.any.run/tasks/b64fd2da-42fc-407a-9aa5-f070a0281c11) - what
> stood out to me, in addition to the process activity, was that there was no
> network traffic. Assuming it was intended to drop a payload, I dug into the
> JS and figured out it performs some anti-analysis through observing process
> activity. Instead of looking for specific processes though, it gets the
> entire listing as a string then compares the length - too short and it
> stops execution. This seems fairly effective, as it impacted my sandbox and
> a few public ones I tested (such as Any.Run). Unfortunately, after removing
> the anti-analysis I can’t get the hosts to communicate so I’ve been unable
> to get a PCAP. I also haven’t had a chance for a more detailed write-up,
> but posted a few screen captures here:
> https://twitter.com/jstrosch/status/1232380070695710723.  With the help
> of Travis Green, I’ve come up with a signature to detect the check-in (see
> attached). This is my first rule contribution so any feedback would be much
> appreciated.
>
> Thanks,
> Josh Stroschein
> @jstrosch
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
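Added example, not part of the thread and not ET's or Josh's code: a small Python model of what Jason's rule actually requires of a request, so the effect of the distance:0 chaining on the URI and of the negated content on http.header_names can be checked against sample traffic offline. The three requests below are constructed (placeholder host, made-up parameter values), and the header-names buffer is only an approximation of Suricata's.

```python
# Added example (not from the thread): a Python model of the matching logic
# in the Suricata rule above. It emulates sequential content matches with
# distance:0 on the URI and the negated content on http.header_names.
# All sample requests are constructed, not real captured traffic.

URI_SEQUENCE = [b".php?g=", b"&k=", b"&x=", b"@@", b"@@", b"@@*"]


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser: returns (method, uri, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return method, uri, headers


def ordered_contents(buf: bytes, patterns) -> bool:
    """Emulates content:"a"; content:"b"; distance:0; ... on one buffer:
    each pattern must begin at or after the end of the previous match."""
    pos = 0
    for pat in patterns:
        idx = buf.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def header_names_buffer(headers) -> bytes:
    """Approximation of Suricata's http.header_names buffer: the header
    names only, each terminated by CRLF, in wire order."""
    return b"".join(name + b"\r\n" for name, _ in headers)


def rule_matches(raw: bytes) -> bool:
    """True when the request satisfies every content test in the rule.
    flow:established,to_server is assumed (only client requests are fed in)."""
    _method, uri, headers = parse_request(raw)
    if not ordered_contents(uri, URI_SEQUENCE):
        return False
    # content:!"Referer|0d 0a|" on http.header_names: the rule fires only
    # when no Referer header is present at all.
    if b"Referer\r\n" in header_names_buffer(headers):
        return False
    return True


# Constructed samples: placeholder host, made-up parameter values.
CHECKIN = (
    b"GET /p/index.php?g=AAAA&k=BBBB&x=CCCC@@DDDD@@EEEE@@*FFFF HTTP/1.1\r\n"
    b"Host: c2-placeholder.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)
CHECKIN_WITH_REFERER = (
    b"GET /p/index.php?g=AAAA&k=BBBB&x=CCCC@@DDDD@@EEEE@@*FFFF HTTP/1.1\r\n"
    b"Host: c2-placeholder.invalid\r\n"
    b"Referer: http://site-placeholder.invalid/\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)
OUT_OF_ORDER = (
    b"GET /p/index.php?g=AAAA&x=CCCC&k=BBBB@@DDDD@@EEEE@@*FFFF HTTP/1.1\r\n"
    b"Host: c2-placeholder.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)


def evaluate_samples():
    """Run the three constructed requests through the model."""
    samples = {
        "checkin": CHECKIN,
        "with_referer": CHECKIN_WITH_REFERER,
        "out_of_order": OUT_OF_ORDER,
    }
    return {name: rule_matches(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The out-of-order sample is the useful one: every token the rule names is present in the URI, but because each content carries distance:0 the "&x=" must come after "&k=", so the rule does not fire. Real Suricata normalizes the URI and builds the header-names buffer slightly differently (it is bracketed by CRLF), so this is a reading aid for the rule, not a replacement for testing it against a PCAP in a Suricata instance.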