""ET TROJAN W32/Tobfy.Ransomware Invalid URI CnC Request""

SID: 2016187

Revision: 3

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2014_09_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "/.ru|60|utr/qiq"

• Value: ".my-files-download.ru"

Within:

PCRE: "/Host\x3A\x20[^\r\n]*\x2Emy\x2Dfiles\x2Ddownload\x2Eru/H"

Special Options:

• http_uri

• http_header

source