""ET TROJAN Win32/Snojan Variant Sending System Information (POST)""

SID: 2044259

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2023_02_21, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, updated_at 2023_02_21

Reference:

  • md5

  • 21b75d95a833c8e366747afcb4b25051

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: ".php"

  • Value: "NetBios|20|name|3a 20|"

  • Value: "|0d 0a|Username|3a 20|"

  • Value: "|0d 0a|Operating|20|system|3a 20|"

Within:

PCRE: "/^Content-Type\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nContent-Length\x3a\x20[^\r\n]+\r\nExpect\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+[\r\n]+$/H"

Special Options:

  • http_method

  • http_uri

  • http_client_body

  • http_client_body

  • fast_pattern

  • http_client_body

source