"ET TROJAN Win32/Atraps Receiving Config via Image File (steganography)"
SID: 2025070
Revision: 2
Class Type: trojan-activity
Metadata: created_at 2016_04_06, updated_at 2017_11_29
Reference:
- md5
- 3dce01df285b3570738051672664068d
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: from_server,established
Contents:
- Value: "|FF D9 23|"
- Value: "$|3a|1|3a|$"
Within:
PCRE: "/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"
Special Options:
- file_data
- fast_pattern