alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jiripbot CnC? 1"; flow:to_server,established; content:"/status"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; content:"Host|3a 20|jdk."; http_header; pcre:"/^[a-f0-9]{32}\.org/RH"; content:"SSID="; http_cookie; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/C"; content:"A="; http_cookie; metadata: former_category MALWARE; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021501; rev:4; metadata:created_at 2015_07_21, updated_at 2019_10_07;)

Added 2019-10-08 19:34:30 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jiripbot CnC? 1"; flow:to_server,established; content:"/status"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; content:"Host|3a 20|jdk."; http_header; pcre:"/^[a-f0-9]{32}\.org/RH"; content:"SSID="; http_cookie; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/C"; content:"A="; http_cookie; metadata: former_category MALWARE; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021501; rev:3; metadata:created_at 2015_07_21, updated_at 2015_07_21;)

Added 2019-09-19 19:26:25 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jiripbot CnC? 1"; flow:to_server,established; content:"/status"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; content:"Host|3a 20|jdk."; http_header; pcre:"/^[a-f0-9]{32}\.org/RH"; content:"SSID="; http_cookie; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/C"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021501; rev:3; metadata:created_at 2015_07_21, updated_at 2015_07_21;)

Added 2018-09-13 19:51:28 UTC


Added 2018-09-13 18:00:14 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jiripbot CnC? 1"; flow:to_server,established; content:"/status"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; content:"Host|3a 20|jdk."; http_header; pcre:"/^[a-f0-9]{32}\.org/RH"; content:"SSID="; http_cookie; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/C"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021501; rev:3; metadata:created_at 2015_07_21, updated_at 2015_07_21;)

Added 2017-08-07 21:16:10 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jiripbot CnC? 1"; flow:to_server,established; content:"/status"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; content:"Host|3a 20|jdk."; http_header; pcre:"/^[a-f0-9]{32}\.org/RH"; content:"SSID="; http_cookie; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/C"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021501; rev:3;)

Added 2015-07-21 20:38:09 UTC


Topic revision: r1 - 2019-10-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats