"ET CURRENT_EVENTS Sibhost/FlimKit/Glazunov Jar with lowercase class names"

SID: 2017181

Revision: 6

Class Type: trojan-activity

Metadata: created_at 2013_07_24, updated_at 2015_12_23

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

  • Value: !"smartsvn.com"

  • Value: "PK|01 02|"

Within:

PCRE: "/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(.[a-z]{3})?)?PK\x05\x06.{18}$/s"

Special Options:

  • http_header

  • file_data
