1:40910 MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whomever created this locky ransomware alert didn't include documentation.

1 40910 MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/information.cgi"; depth:16; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40910; rev:1; )

If I had to guess I think it's related to Lockys massive spray and pray spam campaign or something similar which stated.

The encrypting malware then goes on to connect to a number of hard-coded IP addresses whose purpose is to enroll the affected computer into a botnet: http://xxxxxx / information.cgi ....

More about neonprimetime

• neonprimetime pastebin
• neonprimetime virustotal
• @neonprimetime twitter
• neonprimetime reddit

Top Blogs of all-time

1. pagerank botnet sql injection walk-thru
2. DOM XSS 101 Walk-Through
3. An Invoice email and a Hot mess of Java

Top Github Contributions

1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.