"ET CURRENT_EVENTS KaiXin Landing Page M2"

SID: 2020407

Revision: 5

Class Type: trojan-activity

Metadata: created_at 2015_02_12, updated_at 2015_02_20

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: from_server,established

Contents:

  • Value: "deconcept.SWFObjectUtil.getPlayerVersion"

  • Value: "navigator.userAgent.toLowerCase()|3b|"

  • Value: "if|28|document.cookie"

  • Value: "var "

Within:

PCRE: "/^(?P<vname>[A-Za-z0-9]+)\s?=\s?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\x28document.cookie[^\r\n]+\x28[^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\x28\s?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\x28\s?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"

Special Options:

  • file_data

  • fast_pattern
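As an added example (not part of this rule listing, and not Emerging Threats' or Snort's code), the Python below approximates how Snort evaluates the signature against an HTTP response body, which is the buffer file_data selects. The four contents are checked as plain substrings anywhere in the body (the listing records no distance/within modifiers, so treating them as non-relative is an assumption), and the PCRE is then anchored immediately after each occurrence of "var " in turn, as the R flag requires, mirroring Snort's retry against later occurrences of the preceding content when the first attempt fails. The regex is the rule's own, with the named group (?P<vname>...) and its literal parentheses spelled as \x28, the leading ^ dropped because Python's re.match() already anchors at the offset it is given, and /s mapped to re.S. Both sample pages are constructed for the demonstration, not captured traffic.

```python
"""Offline emulation of how Snort evaluates ET SID 2020407 against an HTTP
response body (the file_data buffer). Added example; not the rule's own code
and not an Emerging Threats or Snort tool."""
import re
from typing import Optional

# The four content matches from the rule, with Snort |hex| escapes decoded.
# The listing records no distance/within modifiers, so they are treated here
# as independent substring checks anywhere in the buffer (assumption).
CONTENTS = [
    b"deconcept.SWFObjectUtil.getPlayerVersion",
    b"navigator.userAgent.toLowerCase();",  # the rule's fast_pattern content
    b"if(document.cookie",
    b"var ",                                 # the pcre is relative (R) to this hit
]

# Between the letters of indexOf / bot / spider the rule allows quotes, '+'
# and whitespace, so "i"+"n"+"dexOf" style string splitting still matches.
SEP = rb"[\x22\x27+\s]*"


def spaced(word: bytes) -> bytes:
    """b"bot" -> b[..]*o[..]*t[..]* : each letter followed by optional separators."""
    return b"".join(bytes([c]) + SEP for c in word)


# ".indexOf(" or '["in"+"dexOf"](' with optional spacing, as the rule writes it.
INDEXOF = rb"[\x2e\x5b\x22\x27+\s]+" + spaced(b"indexOf") + rb"\x5d?\x28\s?"

# The rule's PCRE without its leading "^": re.match(buf, pos) anchors at pos,
# whereas "^" in Python only matches at the start of the buffer. /s -> re.S.
PCRE = re.compile(
    rb"(?P<vname>[A-Za-z0-9]+)\s?=\s?navigator.userAgent.toLowerCase\x28\x29\x3b"
    + rb".+?if\x28document.cookie[^\r\n]+\x28[^\r\n]+(?P=vname)"
    + INDEXOF + rb"[\x22\x27]" + spaced(b"bot") + rb"[\x22\x27]"
    + rb"[^\r\n]+(?P=vname)"
    + INDEXOF + rb"[\x22\x27]" + spaced(b"spider") + rb"[\x22\x27]",
    re.S,
)


def match_landing_page(body: bytes) -> Optional[bytes]:
    """Return the user-agent variable name the PCRE bound (e.g. b"ua") when the
    body would fire SID 2020407, otherwise None."""
    if not all(c in body for c in CONTENTS):
        return None
    anchor = CONTENTS[3]
    start = 0
    # Snort retries a relative pcre against each later occurrence of the
    # preceding content when the first attempt fails; mirror that here.
    while (idx := body.find(anchor, start)) != -1:
        m = PCRE.match(body, idx + len(anchor))
        if m:
            return m.group("vname")
        start = idx + 1
    return None


# Constructed sample of the landing-page JavaScript the rule describes (not a
# capture of real KaiXin traffic). The first "var " fails the pcre; the second
# satisfies it, including a split-string indexOf("spider") call.
SAMPLE_HIT = (
    b"<script src=\"swfobject.js\"></script>\n<script>\n"
    b"var flashver = deconcept.SWFObjectUtil.getPlayerVersion();\n"
    b"var ua = navigator.userAgent.toLowerCase();\n"
    b"if(document.cookie.indexOf(\"kx\") == -1){ if((ua.indexOf(\"bot\") > -1) || "
    b"(ua[\"in\"+\"dexOf\"](\"spi\"+\"der\") > -1)) { } else { load(); } }\n"
    b"</script>\n"
)

# Constructed benign page: same SWFObject/userAgent/cookie idioms, no crawler check.
SAMPLE_BENIGN = (
    b"var flashver = deconcept.SWFObjectUtil.getPlayerVersion();\n"
    b"var ua = navigator.userAgent.toLowerCase();\n"
    b"if(document.cookie.indexOf(\"seen\") == -1){ document.cookie = \"seen=1\"; }\n"
)

if __name__ == "__main__":
    print(match_landing_page(SAMPLE_HIT))     # b'ua'
    print(match_landing_page(SAMPLE_BENIGN))  # None
```

Two practitioner notes follow from the regex itself. The runs between the cookie test and the two crawler checks are [^\r\n]+, so the signature only fires when if(document.cookie, the "bot" test and the "spider" test share one line; inserting a newline into SAMPLE_HIT between the cookie test and the nested if makes match_landing_page return None. And the constructs used (Python-style named group and backreference, \xhh escapes, character classes, a lazy .+?) behave the same in libpcre and Python's re, so the emulation is faithful for this rule, though Snort's pcre match limits are not modelled.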
