Et rule 2036980 - Magic-SigExplorer

SID: 2036980

Revision: 2

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, malware_family Mongall, malware_family Loxes, malware_family AoqinDragon, signature_severity Major, tag c2, updated_at 2022_06_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_server

Contents:

Value: "GET /" Depth: 5
Value: !"Accept"
Value: !"Content-"
Value: !"Referer|3a|"
Value: "|20|HTTP/1."
Value: "|0d 0a|User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36|0d 0a|"

Within:

PCRE: "/^GET \/(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})(?:[a-zA-Z=]{4})?(?:\x20?)\x20HTTP\/1./"

Special Options:

source

""ET TROJAN Loxes/Mongall Related CnC Beacon M2 (GET)""