""ET TROJAN Win32/SparkRAT CnC Checkin (GET)""
SID: 2046669
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_27, deployment Perimeter, malware_family SparkRAT, confidence High, signature_severity Critical, updated_at 2023_11_10, reviewed_at 2024_01_26
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "GET"
-
Value: "/ws"
-
Value: "Key|3a 20|"
-
Value: "|0d 0a|Sec|2d|WebSocket|2d|Version|3a 20|13|0d 0a|UUID|3a 20|"
-
Value: "Upgrade|3a 20|websocket"
-
Value: "Go|2d|http|2d|client|2f|1|2e|1"
-
Value: "|0d 0a|User|2d|Agent|3a 20|Go|2d|http|2d|client|2f|1|2e|1|0d 0a|"
-
Value: "Connection|3a 20|Upgrade|0d 0a|"
Within:
PCRE: "/^Host\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\nKey\x3a\x20[^\r\n]+\r\nSec-WebSocket-Key\x3a\x20[^\r\n]+\r\nSec-WebSocket-Version\x3a\x20[^\r\n]+\r\nUUID\x3a\x20[^\r\n]+\r\nUpgrade|0d 0a 0d 0a|/H"
Special Options:
-
http_method
-
http_uri
-
http_header
-
http_header
-
http_header
-
http_header
-
http_header
-
http_header