# ET TROJAN sid:2023583 rev:5, metadata updated_at 2020_11_05. The 2020-08-05 and 2020-03-05
# entries below carry the same rev:5 and identical match logic; only the metadata differs.
# Fires on an outbound ($HOME_NET -> $EXTERNAL_NET) HTTP GET where:
#  - the URI is shorter than 12 bytes and is a bare path of 4-10 [a-z0-9] characters that
#    contains at least one digit and at least one letter (the two lookaheads in the /U pcre);
#  - the User-Agent contains "Firefox" (fast_pattern);
#  - http_header_names begins with exactly Accept, Accept-Language, User-Agent,
#    Accept-Encoding, Host in that order (the 62-byte content together with depth:62 pins
#    the match to the start of the buffer) and carries no Cookie or Referer header;
#  - the Accept header is exactly "*/*" (depth:3 plus isdataat:!1,relative rejects any
#    trailing bytes).
# NOTE(review): the exact header set/order and the bare "*/*" Accept value are the strongest
# discriminators in this rule; check them first when triaging a hit. This rev replaces the
# rev:4 http_header content + /H pcre header-order check with http_header_names/http_accept.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; http_header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|"; depth:62; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023583; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category TROJAN, malware_family Downloader, malware_family Locky_JS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)

Added 2020-11-05 18:35:57 UTC


# ET TROJAN sid:2023583 rev:5, metadata updated_at 2020_03_05 (entry dated 2020-08-05).
# Match logic is identical to the 2020-11-05 entry above: outbound GET with a 4-10 character
# [a-z0-9] path containing a digit and a letter, "Firefox" in the User-Agent, header names
# Accept/Accept-Language/User-Agent/Accept-Encoding/Host at the start of http_header_names
# (depth:62 equals the content length), no Cookie/Referer, and Accept exactly "*/*".
# Only the updated_at date differs from the newer entry, with no rev bump.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; http_header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|"; depth:62; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023583; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category TROJAN, malware_family Downloader, malware_family Locky_JS, performance_impact Low, signature_severity Major, updated_at 2020_03_05;)

Added 2020-08-05 19:12:54 UTC


# ET TROJAN sid:2023583 rev:5, first rev:5 entry (2020-03-05). Same match logic as the two
# rev:5 entries above. This is the revision that moved the header-order check from the rev:4
# http_header content + /H pcre to the http_header_names buffer (62-byte content, depth:62)
# and pinned the Accept value with http_accept + depth:3 + isdataat:!1,relative.
# The metadata is still split across two keywords here ("metadata: former_category TROJAN;"
# and the main list); the later rev:5 entries merge them into one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; http_header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|"; depth:62; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; metadata: former_category TROJAN; classtype:trojan-activity; sid:2023583; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_06, malware_family Downloader, malware_family Locky_JS, performance_impact Low, updated_at 2020_03_05;)

Added 2020-03-05 19:36:42 UTC


# ET TROJAN sid:2023583 rev:4 with metadata (entry dated 2018-09-13; rule text identical to the
# 2017-08-07 entry below). Same detection idea as rev:5, expressed on the raw header buffer:
#  - the http_header buffer must start with "Accept: */*\r\nAccept-Language: " (the 30-byte
#    content with depth:30 anchors it to the buffer start);
#  - the /H pcre then requires User-Agent containing "Firefox", Accept-Encoding and Host to
#    follow in that order;
#  - the URI is a 4-10 character [a-z0-9] path containing a digit and a letter (/U pcre).
# Note that only the Referer negation carries the http_header modifier; the preceding
# content:!"Cookie|3a 20|" has no buffer modifier, so it is matched against the packet
# payload rather than the normalized header buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2023583; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_06, malware_family Downloader, malware_family Locky_JS, performance_impact Low, updated_at 2017_04_11;)

Added 2018-09-13 19:53:13 UTC


Added 2018-09-13 18:01:17 UTC


# ET TROJAN sid:2023583 rev:4 with full metadata (entry dated 2017-08-07). Rule text is
# identical to the 2018-09-13 entry above: header buffer anchored on
# "Accept: */*\r\nAccept-Language: " (depth:30), /H pcre enforcing the
# User-Agent(Firefox)/Accept-Encoding/Host order, 4-10 character alnum path with a digit and
# a letter, no Cookie (payload match, no modifier) and no Referer (http_header).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2023583; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_06, malware_family Downloader, malware_family Locky_JS, performance_impact Low, updated_at 2017_04_11;)

Added 2017-08-07 21:18:45 UTC


# ET TROJAN sid:2023583 rev:4 without metadata (entry dated 2017-05-05). Detection options are
# the same as the other rev:4 entries on this page; this entry differs from the 2017-05-03 one
# only by dropping the "metadata: former_category TROJAN;" keyword, and the rev was not bumped.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; classtype:trojan-activity; sid:2023583; rev:4;)

Added 2017-05-05 16:58:55 UTC


# ET TROJAN sid:2023583 rev:4 (entry dated 2017-05-03). Same detection options as the other
# rev:4 entries; this is the first entry to carry a metadata keyword
# ("metadata: former_category TROJAN;"), added without a rev bump.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2023583; rev:4;)

Added 2017-05-03 17:35:24 UTC


# ET TROJAN sid:2023583 rev:4, first rev:4 entry (2017-04-10). The only change from rev:3 is
# the msg, renamed from "Possible Locky JS Downloading Payload" to "Known Malicious Doc
# Downloading Payload"; all detection options (urilen:<12, GET, header buffer anchored on
# "Accept: */*\r\nAccept-Language: " with depth:30, /H header-order pcre, "Firefox" UA,
# 4-10 character alnum path with a digit and a letter, no Cookie/Referer) are unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; classtype:trojan-activity; sid:2023583; rev:4;)

Added 2017-04-10 17:27:58 UTC


# ET TROJAN sid:2023583 rev:3 (entry dated 2016-12-12), still under the original "Possible
# Locky JS" msg. The change from rev:2 is in the /U pcre: the path length was widened from
# {6,10} to {4,10} characters, so 4- and 5-character paths now match as well. Everything else
# (urilen:<12, GET, no Cookie/Referer, header buffer anchored on "Accept: */*\r\n
# Accept-Language: " with depth:30, "Firefox" UA, /H header-order pcre) is unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Locky JS Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; classtype:trojan-activity; sid:2023583; rev:3;)

Added 2016-12-12 17:15:46 UTC


# ET TROJAN sid:2023583 rev:2 (entry dated 2016-12-07; rule text identical to the 2016-12-06
# entry below). The URI pcre requires a 6-10 character [a-z0-9] path containing at least one
# digit and at least one letter; rev:3 later relaxes this to {4,10}. The remaining options
# (urilen:<12, GET, no Cookie in payload / no Referer in http_header, header buffer starting
# with "Accept: */*\r\nAccept-Language: ", "Firefox" UA, /H header-order pcre) carry through
# unchanged to rev:4.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Locky JS Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; classtype:trojan-activity; sid:2023583; rev:2;)

Added 2016-12-07 16:49:15 UTC


# ET TROJAN sid:2023583 rev:2, earliest entry on this page (2016-12-06). Outbound HTTP GET
# with a URI shorter than 12 bytes whose path is 6-10 [a-z0-9] characters containing a digit
# and a letter, "Firefox" in the User-Agent, the header buffer starting with
# "Accept: */*\r\nAccept-Language: " (depth:30) and the /H pcre requiring
# User-Agent/Accept-Encoding/Host to follow in order, with no Cookie or Referer header.
# Later revisions widen the path length to {4,10} (rev:3), rename the msg (rev:4) and move the
# header-order check to http_header_names/http_accept (rev:5).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Locky JS Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; http_header; depth:30; content:"Firefox"; fast_pattern; http_user_agent; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^Accept\x3a\x20\*\/\*\r\nAccept-Language\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+Firefox[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nHost\x3a\x20/H"; classtype:trojan-activity; sid:2023583; rev:2;)

Added 2016-12-06 17:44:55 UTC

