[Emerging-Sigs] Question on Sig ID 2841074

Jason Taylor jastaylor at emergingthreats.net
Fri Jun 19 02:49:01 HDT 2020


Hi Leonard,

This rule looks specifically for a Java user_agent string and some
other header-specific items that are seen with Unrecom/Adwind RAT
traffic. Follow-on traffic would have to be checked of course to
confirm.

If you would like additional information/assistance, please feel free
to open a support case and if you could provide pcap(s) that is always
helpful as well.

https://feedback.emergingthreats.net/feedback

Hopefully this helps!

JT

On Thu, Jun 18, 2020 at 4:33 PM Leonard Jacobs <ljacobs at netsecuris.com> wrote:
>
> I am not sure if we are just getting a FP.  Here are the results.
>
> {"timestamp":"2020-06-18T04:21:00.211504+0000","flow_id":1601996690569732,"in_iface":"enp2s0f2","event_type":"alert","src_ip":"x.x.x.x","src_port":54287,"dest_ip":"34.236.80.17","dest_port":80,"proto":"TCP","metadata":{"flowbits":["ET.http.javaclient.vulnerable","ET.JavaNotJar","ET.http.javaclient"]},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2841074,"rev":2,"signature":"ETPRO MALWARE Unrecom Style External IP Check","category":"Malware Command and Control Activity Detected","severity":1,"metadata":{"updated_at":["2020_02_18"],"malware_family":["Unrecom"],"created_at":["2020_02_18"],"signature_severity":["Major"],"deployment":["Perimeter"],"attack_target":["Client_Endpoint"],"affected_product":["Windows_XP_Vista_7_8_10_Server_32_64_Bit"],"former_category":["MALWARE"]}},"http":{"hostname":"checkip.amazonaws.com","url":"\/","http_user_agent":"Java\/1.7.0_211","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":15},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":401,"bytes_toclient":320,"start":"2020-06-18T04:21:00.080388+0000"}}
>
> This appears to be just an IP check on AWS.  But I know malicious actors do use AWS.
>
> Can you give me any insight on this?
>
> Leonard
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
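A small triage helper, added here as an illustration and not part of the thread or of the Emerging Threats rule set: it reads Suricata EVE JSON lines of the shape quoted above, summarizes any hit on SID 2841074 (Java user agent plus an external-IP-check host), and then does what JT suggests, listing the same source's follow-on connections within a time window so an analyst can decide whether the alert is an isolated IP check or the start of something more. The EVE lines below are constructed from the alert in the thread; the source IPs, the second destination (203.0.113.10) and its URL are placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed EVE JSON lines modelled on the alert quoted in the thread.
# Source IPs, 203.0.113.10 and "/api/ping" are placeholders, not real indicators.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-06-18T04:21:00.211504+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":54287,"dest_ip":"34.236.80.17","dest_port":80,"proto":"TCP",'
    '"metadata":{"flowbits":["ET.http.javaclient.vulnerable","ET.JavaNotJar","ET.http.javaclient"]},'
    '"alert":{"action":"allowed","signature_id":2841074,"rev":2,'
    '"signature":"ETPRO MALWARE Unrecom Style External IP Check",'
    '"category":"Malware Command and Control Activity Detected","severity":1},'
    '"http":{"hostname":"checkip.amazonaws.com","url":"/","http_user_agent":"Java/1.7.0_211",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":200,"length":15}}',
    # Same host, 40 s later, Java client talking to a second server (constructed).
    '{"timestamp":"2020-06-18T04:21:41.000000+0000","flow_id":2,"event_type":"http",'
    '"src_ip":"10.0.0.5","src_port":54301,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"203.0.113.10","url":"/api/ping","http_user_agent":"Java/1.7.0_211",'
    '"http_method":"POST","protocol":"HTTP/1.1","status":200,"length":512}}',
    # A different host doing a browser IP check; must not be attributed to the alert.
    '{"timestamp":"2020-06-18T04:22:05.000000+0000","flow_id":3,"event_type":"http",'
    '"src_ip":"10.0.0.9","src_port":50000,"dest_ip":"34.236.80.17","dest_port":80,"proto":"TCP",'
    '"http":{"hostname":"checkip.amazonaws.com","url":"/","http_user_agent":"Mozilla/5.0",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":200,"length":15}}',
]

UNRECOM_IP_CHECK_SID = 2841074
# External-IP-check service seen in the thread; extend with others your environment allows.
IP_CHECK_HOSTS = {"checkip.amazonaws.com"}


def parse_eve(lines):
    """Parse one EVE record per line into dicts."""
    return [json.loads(line) for line in lines]


def eve_time(event):
    """EVE timestamps look like 2020-06-18T04:21:00.211504+0000 (no colon in the offset)."""
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def summarize_alert(event):
    """Pull out the fields an analyst wants to see first for this signature."""
    http = event.get("http", {})
    return {
        "sid": event["alert"]["signature_id"],
        "signature": event["alert"]["signature"],
        "src_ip": event["src_ip"],
        "dest_ip": event["dest_ip"],
        "hostname": http.get("hostname"),
        "user_agent": http.get("http_user_agent"),
        "flowbits": event.get("metadata", {}).get("flowbits", []),
    }


def is_java_ip_check(event):
    """True when a Java/ user agent fetched a known external-IP-check host (the rule's premise)."""
    http = event.get("http", {})
    return http.get("hostname") in IP_CHECK_HOSTS and http.get("http_user_agent", "").startswith("Java/")


def follow_on_traffic(events, alert, window=timedelta(minutes=10)):
    """Other logged connections from the alerting source within `window` after the alert."""
    t0 = eve_time(alert)
    hits = []
    for ev in events:
        if ev is alert or ev.get("src_ip") != alert["src_ip"]:
            continue
        if ev.get("event_type") not in ("http", "dns", "tls", "flow"):
            continue
        delta = eve_time(ev) - t0
        if timedelta(0) <= delta <= window:
            http = ev.get("http", {})
            hits.append({
                "seconds_after": round(delta.total_seconds(), 1),
                "event_type": ev["event_type"],
                "dest_ip": ev["dest_ip"],
                "hostname": http.get("hostname"),
                "url": http.get("url"),
                "user_agent": http.get("http_user_agent"),
            })
    return hits


def triage(lines):
    """Summarize each SID 2841074 alert together with the source's follow-on activity."""
    events = parse_eve(lines)
    results = []
    for ev in events:
        if ev.get("event_type") != "alert" or ev["alert"]["signature_id"] != UNRECOM_IP_CHECK_SID:
            continue
        summary = summarize_alert(ev)
        summary["java_ip_check"] = is_java_ip_check(ev)
        summary["follow_on"] = follow_on_traffic(events, ev)
        summary["verdict"] = (
            "review: Java client made further connections after the IP check"
            if summary["follow_on"]
            else "isolated IP check in window; confirm the Java process on the host"
        )
        results.append(summary)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVE_LINES):
        print(json.dumps(r, indent=2))
```

Run against a real eve.json by replacing SAMPLE_EVE_LINES with the file's lines; the verdict is deliberately a prompt for the analyst, not a final call, because an IP check followed by other Java traffic still needs the host-side view (which process owns the connection) before calling it Unrecom.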

