Et rule 2041453 - Magic-SigExplorer

""ET TROJAN Blackmagic Ransomware Checkin Activity (GET)""

SID: 2041453

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_12_01, deployment Perimeter, malware_family BlackMagic, signature_severity Major, tag Ransomware, updated_at 2022_12_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: "/api/public/api/test?ip=" Depth: 24
Value: "-&status="
Value: "&cnt="
Value: "&type="
Value: "&num="

Within:

PCRE: "/^Host\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20[^\r\n]+[\r\n]+$/H"

Special Options:

http_method
http_uri
fast_pattern
http_uri
http_uri
http_uri
http_uri

source