[Community-sigs] signature of JS downloader

Jean-Baptiste Lanel jb at lanel.eu
Wed Dec 7 15:07:15 EST 2016


Hello again,

Another one that caught 10 since yesterday night:

jb at newaude:~$ echo "JS.WScript.shell.Downloader:7:*:5b2273657475746366756c6c79656172225d28223230303322293b69662028*2e67657475746366756c6c7965617228292e746f737472696e6728313029203d3d2022323030332229207b76617220" |sigtool --decode-sigs
VIRUS NAME: JS.WScript.shell.Downloader
TARGET TYPE: NORMALIZED ASCII TEXT
OFFSET: *
DECODED SIGNATURE:
["setutcfullyear"]("2003");if ({WILDCARD_ANY_STRING}.getutcfullyear().tostring(10) == "2003") {var

Decrypt with:

openssl aes-256-ecb -a -d -salt -in JS.WScript.shell.Downloader.aes -out JS.WScript.shell.Downloader.eml

password: clam

Regards,

JB
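The .ndb lines in this thread decode with sigtool, but it helps to see what the matcher actually does with the hex body and the `*` wildcard, and why every decoded signature is lowercase. The Python below is an added example written for this page, not code from the thread or from ClamAV itself: it parses the two signatures posted here (the WScript.shell one above and the ActiveX one quoted further down), renders them the way `sigtool --decode-sigs` does, turns each body into a regular expression and runs it over constructed JavaScript snippets (made up for the example, not real samples). The "lowercase and collapse whitespace" normalisation is an assumption that approximates ClamAV's target type 7 handling; the function names, sample strings and the evasion variant are all mine.

```python
"""Decode and test ClamAV .ndb body signatures (added example, not from the thread).

Handles what the posted signatures use: a hex body, the '*' (match anything)
wildcard, and an offset of '*' or an absolute byte offset.  Other .ndb syntax
('??', '{n-m}', '(aa|bb)') is rejected rather than mis-parsed.
"""
import re

# Signatures copied from the thread, hex bodies joined back onto one line.
SIG_WSCRIPT = ("JS.WScript.shell.Downloader:7:*:"
               "5b2273657475746366756c6c79656172225d28223230303322293b69662028*"
               "2e67657475746366756c6c7965617228292e746f737472696e6728313029203d3d2022323030332229207b76617220")
SIG_ACTIVEX = ("JS.ActiveX.Downloader:7:*:"
               "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*"
               "6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*"
               "6e657720616374697665786f626a656374282261646f64622e73747265616d22293b")

# Constructed inputs (assumption: not real malware).  One sample per signature,
# a benign script, and a variant that differs only by one space per call and so
# slips past the literal-text ActiveX signature.
SAMPLE_WSCRIPT = ('var d = new Date();\n'
                  'd["setUTCFullYear"]("2003");if (d.getUTCFullYear().toString(10) == "2003") {var s = 1;}')
SAMPLE_ACTIVEX = ('var a = new ActiveXObject("ADODB.Stream");\n'
                  'var w = new ActiveXObject("WScript.Shell");\n'
                  'var b = new ActiveXObject("ADODB.Stream");')
SAMPLE_EVASION = SAMPLE_ACTIVEX.replace('ActiveXObject("', 'ActiveXObject ("')
SAMPLE_BENIGN = 'var d = new Date();\nconsole.log(d.getUTCFullYear().toString(10));'


def parse_ndb(line):
    """Split a .ndb line: Name:TargetType:Offset:HexBody[:MinFL[:MaxFL]]."""
    name, target, offset, rest = line.strip().split(":", 3)
    body = rest.split(":", 1)[0]          # drop the optional functionality-level fields
    return {"name": name, "target": int(target), "offset": offset, "body": body}


def _chunks(body):
    """Yield the literal byte runs between '*' wildcards.  Anything that is not
    plain even-length hex (??, {n-m}, (aa|bb), a stray character) raises."""
    for chunk in body.split("*"):
        try:
            yield bytes.fromhex(chunk)
        except ValueError as exc:
            raise ValueError(f"unsupported .ndb syntax in chunk {chunk!r}") from exc


def decode_body(body):
    """Render the body the way `sigtool --decode-sigs` prints it."""
    return "{WILDCARD_ANY_STRING}".join(c.decode("latin-1") for c in _chunks(body))


def body_to_regex(body):
    """Literal runs are escaped, each '*' becomes '.*' (any bytes, newlines included)."""
    return re.compile(".*".join(re.escape(c.decode("latin-1")) for c in _chunks(body)), re.DOTALL)


def normalize_text(data):
    """Approximation (assumption) of ClamAV's target-type-7 text normalisation:
    letters lowercased and every run of whitespace collapsed to a single space.
    This is why the decoded signatures are all lowercase."""
    return re.sub(r"\s+", " ", data).lower()


def scan(sig_line, data):
    """Return True if the signature fires on the normalised data."""
    sig = parse_ndb(sig_line)
    if sig["target"] != 7:
        raise ValueError(f"{sig['name']}: only target type 7 (normalised text) is handled here")
    text = normalize_text(data)
    rx = body_to_regex(sig["body"])
    if sig["offset"] == "*":                       # anywhere in the file
        return rx.search(text) is not None
    return rx.match(text, int(sig["offset"])) is not None   # absolute offset only


if __name__ == "__main__":
    samples = [("wscript", SAMPLE_WSCRIPT), ("activex", SAMPLE_ACTIVEX),
               ("evasion", SAMPLE_EVASION), ("benign", SAMPLE_BENIGN)]
    for sig_line in (SIG_WSCRIPT, SIG_ACTIVEX):
        sig = parse_ndb(sig_line)
        print(f"{sig['name']}: {decode_body(sig['body'])}")
        for label, sample in samples:
            print(f"  {label:8} -> {'FOUND' if scan(sig_line, sample) else 'clean'}")
```

The evasion sample is the check worth keeping in mind before publishing a plain-text signature like these: a single extra space inside `ActiveXObject ("...")` survives normalisation and the literal body no longer matches. The authoritative test remains ClamAV itself, e.g. `clamscan -d JS.ActiveX.Downloader.ndb sample.js`, since the real normaliser has more rules than the approximation above.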

On 07/12/2016 at 18:57, Christopher Marczewski wrote:
> Jean-Baptiste,
>
> Any chance we can get the e-mail samples, or do these messages contain
> sensitive information not suitable for disclosure?
>
> On Thu, Dec 1, 2016 at 10:23 AM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:
>
>> Hello Jean-Baptiste,
>>
>> Thank you for your submissions. We'll be proceeding with signature reviews
>> and will get back to you as soon as possible.
>>
>> On Wed, Nov 30, 2016 at 9:37 AM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
>>
>>> Hello,
>>>
>>> Another one that caught 10 emails since yesterday:
>>>
>>> echo "JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*6e657720616374697665786f626a656374282261646f64622e73747265616d22293b" |sigtool --decode-sigs
>>> VIRUS NAME: JS.ActiveX.Downloader
>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>> OFFSET: *
>>> DECODED SIGNATURE:
>>> new activexobject("adodb.stream"){WILDCARD_ANY_STRING}new
>>> activexobject("wscript.shell");{WILDCARD_ANY_STRING}new
>>> activexobject("adodb.stream");
>>>
>>> (I'm not really confident about the naming convention)
>>>
>>> Regards,
>>>
>>> JB
>>>
>>>
>>> On 2016-11-24 22:27, Jean-Baptiste Lanel wrote:
>>>
>>>> Hello sigmakers,
>>>>
>>>> In case it may help, just received 3 mails caught by this :
>>>>
>>>> jb at newaude:~$ echo "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222" |sigtool --decode-sigs
>>>> VIRUS NAME: JS.HILLARY.Downloader
>>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>>> OFFSET: *
>>>> DECODED SIGNATURE:
>>>> ()]("r,u,n,d,l,l,3,2."
>>>>
>>>> Regards,
>>>>
>>>> JB
>>>>
>>>> _______________________________________________
>>>> Community-sigs mailing list
>>>> Community-sigs at lists.clamav.net
>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>>
>>>> http://www.clamav.net/contact.html#ml
>>>>
>>>
>>
>>
>> --
>> Christopher Marczewski
>> Research Engineer
>> Talos Group
>> cmarczewski at sourcefire.com
>> Phone: 443.430.7118
>>
>
>

