SID: 2036979

Revision: 2

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, malware_family Mongall, malware_family Loxes, malware_family AoqinDragon, signature_severity Major, tag c2, updated_at 2022_06_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_server

Contents:

  • Value: "GET /" Depth: 5

  • Value: !"Accept"

  • Value: !"Content-"

  • Value: !"Referer|3a|"

  • Value: "|20|HTTP/1."

  • Value: "|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b|MSIE 6.0|3b|Windows NT 5.1)|0d 0a|"

Within: 64

PCRE: "/^GET \/(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})(?:[a-zA-Z=]{4})?(?:\x20?)\x20HTTP\/1./"

Special Options:

source