[Community-sigs] signature of JS downloader
Christopher Marczewski
cmarczewski at sourcefire.com
Tue Dec 13 21:40:00 EST 2016
Hello Jean-Baptiste,
Thank you for the multiple submissions. The signatures are undergoing FP
testing as we speak. I'll post back once it's finished.
On Wed, Dec 7, 2016 at 3:07 PM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
> Hello again,
>
> Another one that caught 10 since yesterday night:
>
> jb at newaude:~$ echo "JS.WScript.shell.Downloader:7:*:5b2273657475746366756c6c79656172225d28223230303322293b69662028*2e67657475746366756c6c7965617228292e746f737472696e6728313029203d3d2022323030332229207b76617220" |sigtool --decode-sigs
> VIRUS NAME: JS.WScript.shell.Downloader
> TARGET TYPE: NORMALIZED ASCII TEXT
> OFFSET: *
> DECODED SIGNATURE:
> ["setutcfullyear"]("20O3");if ({WILDCARD_ANY_STRING}.getutcfullyear().tostring(10)
> == "2003") {var
>
> decrypt with:
>
> openssl aes-256-ecb -a -d -salt -in JS.WScript.shell.Downloader.aes -out
> JS.WScript.shell.Downloader.eml
>
> passwd clam
>
> Regards,
>
> JB
>
> On 07/12/2016 at 18:57, Christopher Marczewski wrote:
>
>> Jean-Baptiste,
>>
>> Any chance we can get the e-mail samples, or do these messages contain
>> sensitive information not suitable for disclosure?
>>
>> On Thu, Dec 1, 2016 at 10:23 AM, Christopher Marczewski <
>> cmarczewski at sourcefire.com> wrote:
>>
>>> Hello Jean-Baptiste,
>>>
>>> Thank you for your submissions. We'll be proceeding with signature
>>> reviews
>>> and will get back to you as soon as possible.
>>>
>>> On Wed, Nov 30, 2016 at 9:37 AM, Jean-Baptiste Lanel <jb at lanel.eu>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> Another one that caught 10 emails since yesterday:
>>>>
>>>> echo "JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a656374282261646f64622e73747265616d22293b*6e657720616374697665786f626a6563742822777363726970742e7368656c6c22293b*6e657720616374697665786f626a656374282261646f64622e73747265616d22293b" |sigtool --decode-sigs
>>>> VIRUS NAME: JS.ActiveX.Downloader
>>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>>> OFFSET: *
>>>> DECODED SIGNATURE:
>>>> new activexobject("adodb.stream"){WILDCARD_ANY_STRING}new
>>>> activexobject("wscript.shell");{WILDCARD_ANY_STRING}new
>>>> activexobject("adodb.stream");
>>>>
>>>> (I'm not really confident with the naming convention)
>>>>
>>>> Regards,
>>>>
>>>> JB
>>>>
>>>>
>>>> On 2016-11-24 22:27, Jean-Baptiste Lanel wrote:
>>>>
>>>>> Hello sigmakers,
>>>>>
>>>>> In case it may help, just received 3 mails caught by this :
>>>>>
>>>>> jb at newaude:~$ echo "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222" |sigtool --decode-sigs
>>>>> VIRUS NAME: JS.HILLARY.Downloader
>>>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>>>> OFFSET: *
>>>>> DECODED SIGNATURE:
>>>>> ()]("r,u,n,d,l,l,3,2."
>>>>>
>>>>> Regards,
>>>>>
>>>>> JB
>>>>>
>>>>> _______________________________________________
>>>>> Community-sigs mailing list
>>>>> Community-sigs at lists.clamav.net
>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>>>
>>>>> http://www.clamav.net/contact.html#ml
>>>>>
>>>>
>>>>
>>>
>>> --
>>> Christopher Marczewski
>>> Research Engineer
>>> Talos Group
>>> cmarczewski at sourcefire.com
>>> Phone: 443.430.7118
>>>
>>>
>>
>>
>
>
>
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
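The signatures traded in this thread are ClamAV body signatures in the `Name:TargetType:Offset:HexSig` form that `sigtool --decode-sigs` unpacks. As an added example (not code from the list or from ClamAV), the decoder below reproduces that unpacking so a reviewer can read a submitted signature offline: it renders `*` as `{WILDCARD_ANY_STRING}` the way sigtool does, while the labels for `??` and `{n-m}` and the target-type table are this example's own assumptions.

```python
import re

# Subset of ClamAV target-type codes; 7 is the type used by the signatures in this thread.
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "NORMALIZED ASCII TEXT", 9: "MACH-O"}

# One token of the hex body: '*' (any string), '??' (any byte), '{n-m}' (byte skip),
# or one hex byte. Tried in this order so '??' is not mistaken for a bad hex pair.
_TOKEN = re.compile(r"\*|\?\?|\{\d*-?\d*\}|[0-9a-fA-F]{2}")


def decode_hex_body(body: str) -> str:
    """Turn the hex part of a signature into readable text, keeping wildcards as labels."""
    out, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if not m:  # odd nibble or a stray character: the signature is malformed
            raise ValueError(f"bad signature body at offset {pos}: {body[pos:pos + 8]!r}")
        tok = m.group(0)
        if tok == "*":
            out.append("{WILDCARD_ANY_STRING}")          # label used by sigtool
        elif tok == "??":
            out.append("{WILDCARD_ANY_BYTE}")            # label assumed by this example
        elif tok.startswith("{"):
            out.append("{SKIP " + tok[1:-1] + "}")       # label assumed by this example
        else:
            byte = int(tok, 16)
            out.append(chr(byte) if 0x20 <= byte < 0x7F else f"\\x{byte:02x}")
        pos = m.end()
    return "".join(out)


def decode_sig(sig: str) -> dict:
    """Split Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]] and decode the hex body."""
    parts = sig.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected at least Name:TargetType:Offset:HexSig")
    name, ttype, offset, body = parts[0], int(parts[1]), parts[2], parts[3]
    return {
        "name": name,
        "target_type": TARGET_TYPES.get(ttype, f"UNKNOWN({ttype})"),
        "offset": offset,
        "decoded": decode_hex_body(body),
    }


if __name__ == "__main__":
    # The JS.HILLARY.Downloader signature quoted in the thread.
    for k, v in decode_sig("JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2c332c3222").items():
        print(f"{k}: {v}")
```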