Et rule 2038960 - Magic-SigExplorer

""ET ATTACK_RESPONSE JS/Spy.Banker.LD Credit Card Skimmer Inbound""

SID: 2038960

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_09_23, deployment Perimeter, signature_severity Major, updated_at 2022_09_23

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

Value: "|5c|x43|5c|x72|5c|x65|5c|x64|5c|x69|5c|x74|5c|x2f|5c|x44|5c|x65|5c|x62|5c|x69|5c|x74|5c|x20|5c|x43|5c|x61|5c|x72|5c|x64|5c|x20|5c|x53|5c|x65|5c|x63|5c|x75|5c|x72|5c|x65|5c|x20|5c|x50|5c|x61|5c|x79|5c|x6d|5c|x65|5c|x6e|5c|x74"
Value: "|5c|x43|5c|x61|5c|x72|5c|x64|5c|x68|5c|x6f|5c|x6c|5c|x64|5c|x65|5c|x72"
Value: "|5c|x70|5c|x61|5c|x79|5c|x6d|5c|x65|5c|x6e|5c|x74|5c|x5b|5c|x63|5c|x63|5c|x5f|5c|x6f|5c|x77|5c|x6e|5c|x65|5c|x72|5c|x5d"

Within:

PCRE:

Special Options: