""ET TROJAN Suspected Win32/TinyNode Activity (Outbound)""

SID: 2038743

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_09_06, deployment Perimeter, malware_family OldGremlin, malware_family TinyNode, signature_severity Major, updated_at 2022_11_21

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_server

Contents:

• Value: "|7b 22|ok|22 3a|true,|22|result|22 3a|" Depth: 20

• Value: "|7b 30 2e|"

• Value: !"User-Agent|3a 20|"

• Value: !"Host|3a 20|"

Within:

PCRE: "/^[0-9]{15,16}\x7d$/R"

Special Options:

• fast_pattern

source