""ET TROJAN Possible Upatre Downloader SSL certificate (fake loc)""

SID: 2018457

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Significant, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_21

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: 443

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

• Value: "|06 03 55 04 07|"

Within:

PCRE: "/^.{2}(?P([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc)/Rs"

Special Options:

source