Setup_2022.exe resolves greatnorthwill.com (91.213.121.52) and calls home via a GET request:
GET /?mod=vv&i=1&id=2022 HTTP/1.1
Accept: */*
User-Agent: Mozilla
Host: greatnorthwill.com
Cache-Control: no-cache
For the signature I used the parameter names and the User-Agent string rather than the parameter values:
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Setup_2022.exe malware"; flow:established,to_server; content:"GET"; http_method; uricontent:"/?mod="; uricontent:"&i="; uricontent:"&id="; content:"User-Agent\: Mozilla|0D 0A|"; sid:12220101; rev:1;)
"mod" and "i" stayed static on the test runs (vv and 1), but matching only the parameter names keeps the rule working if those values change. The trailing |0D 0A| after "Mozilla" is what separates the beacon from a real browser: the malware sends the bare string "Mozilla" as its User-Agent, while a browser's User-Agent starts with "Mozilla/5.0" and continues.
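To check what the rule above actually matches, here is a Python re-implementation of its matching logic run over a handful of constructed HTTP requests. This is an added example, not code from the original post and not a Snort component: it mirrors the rule's conditions (GET method, the three URI parameter names, and the literal header line "User-Agent: Mozilla" followed by CRLF) and shows that the beacon matches while a browser request with the same parameters does not. The sample requests are constructed for the example, not captured traffic.

```python
"""Re-implementation of the Snort rule's matching logic (added example, not from the post)."""
from typing import Dict, List, Tuple

# Constructed sample requests; only the first is modelled on the post's beacon.
SAMPLES: Dict[str, bytes] = {
    "beacon": (
        b"GET /?mod=vv&i=1&id=2022 HTTP/1.1\r\n"
        b"Accept: */*\r\n"
        b"User-Agent: Mozilla\r\n"
        b"Host: greatnorthwill.com\r\n"
        b"Cache-Control: no-cache\r\n\r\n"
    ),
    # Same parameter names, different values: the rule matches names only.
    "beacon_other_values": (
        b"GET /?mod=ab&i=9&id=7 HTTP/1.1\r\n"
        b"User-Agent: Mozilla\r\n"
        b"Host: greatnorthwill.com\r\n\r\n"
    ),
    # Browser User-Agent: "Mozilla" is not followed by CRLF, so no match.
    "browser_ua": (
        b"GET /?mod=vv&i=1&id=2022 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0\r\n"
        b"Host: example.com\r\n\r\n"
    ),
    # Wrong method: http_method check on "GET" fails.
    "post_method": (
        b"POST /?mod=vv&i=1&id=2022 HTTP/1.1\r\n"
        b"User-Agent: Mozilla\r\n"
        b"Host: greatnorthwill.com\r\n\r\n"
    ),
    # Missing the id parameter: one uricontent fails.
    "missing_id": (
        b"GET /?mod=vv&i=1 HTTP/1.1\r\n"
        b"User-Agent: Mozilla\r\n"
        b"Host: greatnorthwill.com\r\n\r\n"
    ),
}

# The three uricontent patterns and the content pattern from the rule.
URI_PATTERNS = (b"/?mod=", b"&i=", b"&id=")
UA_PATTERN = b"User-Agent: Mozilla\r\n"   # "User-Agent\: Mozilla|0D 0A|"


def parse_request(raw: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes]]:
    """Split a raw HTTP/1.x request into (method, uri, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = parts
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_rule(raw: bytes) -> bool:
    """Return True when the request satisfies every condition of the rule."""
    try:
        method, uri, _headers = parse_request(raw)
    except ValueError:
        return False
    if method != b"GET":                      # content:"GET"; http_method;
        return False
    if not all(p in uri for p in URI_PATTERNS):  # the three uricontent checks
        return False
    # content: is an unanchored substring search over the payload, so the
    # User-Agent value must end in "Mozilla" immediately before CRLF.
    return UA_PATTERN in raw


def scan(samples: Dict[str, bytes]) -> List[str]:
    """Names of the samples the rule would alert on, in input order."""
    return [name for name, raw in samples.items() if matches_rule(raw)]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} {'ALERT' if matches_rule(raw) else 'no match'}")
```

Because the User-Agent check is a plain substring search, a request whose User-Agent merely ends in "Mozilla" would also match; in practice that is far rarer than the "Mozilla/5.0 ..." prefix real browsers send, which the CRLF anchor correctly rejects.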
References:
Virustotal
ThreatExpert