Et rule 2027102 - Magic-SigExplorer

""ET CURRENT_EVENTS Inbound JasperLoader Using Array Push Obfuscation""

SID: 2027102

Revision: 4

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2019_03_27

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

Value: "200"
Value: "|20|=|20|new|20|Array|28 29 3b|" Depth: 50
Value: ".push|28 22|"
Value: ".push|28 22 22 29 0d 0a|"
Value: "eval|28|"

Within:

PCRE: "/^(?:\x22|[\x20-\x7e]{0,70}\x22)\x29\x3b\s[^.]+(?.push\x28\x22)(?:\x22|[\x20-\x7e]{0,70}\x22)\x29\x3b\s[^.]+(?P=pushvar)(?:[\x20-\x7e]{0,70}\x22)\x29\x3b\s[^.]+(?P=pushvar)(?:[\x20-\x7e]{0,70}\x22)\x29\x3b\s[^.]+(?P=pushvar)/Ri"

Special Options:

http_stat_code
file_data
fast_pattern

source