[Community-sigs] signature of JS downloader
Christopher Marczewski
cmarczewski at sourcefire.com
Fri Dec 16 11:22:10 EST 2016
Jean-Baptiste,
Your signatures have been accepted for publication. Thanks again for your
submissions.
On Tue, Dec 13, 2016 at 9:40 PM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:
> Hello Jean-Baptiste,
>
> Thank you for the multiple submissions. The signatures are undergoing FP
> testing as we speak. I'll post back once it's finished.
>
> On Wed, Dec 7, 2016 at 3:07 PM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
>
>> Hello again,
>>
>> Another one that caught 10 since yesterday night:
>>
>> jb at newaude:~$ echo "JS.WScript.shell.Downloader:7
>> :*:5b2273657475746366756c6c79656172225d28223230303322293b696
>> 62028*2e67657475746366756c6c7965617228292e746f737472696e6728
>> 313029203d3d2022323030332229207b76617220" |sigtool --decode-sigs
>> VIRUS NAME: JS.WScript.shell.Downloader
>> TARGET TYPE: NORMALIZED ASCII TEXT
>> OFFSET: *
>> DECODED SIGNATURE:
>> ["setutcfullyear"]("20O3");if ({WILDCARD_ANY_STRING}.getutcfullyear().tostring(10)
>> == "2003") {var
>>
>> decrypt with:
>>
>> openssl aes-256-ecb -a -d -salt -in JS.WScript.shell.Downloader.aes -out
>> JS.WScript.shell.Downloader.eml
>>
>> passwd clam
>>
>> Regards,
>>
>> JB
>>
>> On 07/12/2016 at 18:57, Christopher Marczewski wrote:
>>
>>> Jean-Baptiste,
>>>
>>> Any chance we can get the e-mail samples, or do these messages contain
>>> sensitive information not suitable for disclosure?
>>>
>>> On Thu, Dec 1, 2016 at 10:23 AM, Christopher Marczewski <cmarczewski at sourcefire.com> wrote:
>>>
>>>> Hello Jean-Baptiste,
>>>>
>>>> Thank you for your submissions. We'll be proceeding with signature reviews
>>>> and will get back to you as soon as possible.
>>>>
>>>> On Wed, Nov 30, 2016 at 9:37 AM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Another one that caught 10 emails since yesterday:
>>>>>
>>>>> echo "JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a65637
>>>>> 4282261646f64622e73747265616d22293b*6e657720616374697665786f
>>>>> 626a6563742822777363726970742e7368656c6c22293b*6e65772061637
>>>>> 4697665786f626a656374282261646f64622e73747265616d22293b" |sigtool
>>>>> --decode-sigs
>>>>> VIRUS NAME: JS.ActiveX.Downloader
>>>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>>>> OFFSET: *
>>>>> DECODED SIGNATURE:
>>>>> new activexobject("adodb.stream"){WILDCARD_ANY_STRING}new
>>>>> activexobject("wscript.shell");{WILDCARD_ANY_STRING}new
>>>>> activexobject("adodb.stream");
>>>>>
>>>>> (I'm not really confident with the naming convention)
>>>>>
>>>>> Regards,
>>>>>
>>>>> JB
>>>>>
>>>>>
>>>>> On 2016-11-24 at 22:27, Jean-Baptiste Lanel wrote:
>>>>>
>>>>>> Hello sigmakers,
>>>>>>
>>>>>> In case it may help, I just received 3 mails caught by this:
>>>>>>
>>>>>> jb at newaude:~$ echo "JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2
>>>>>> c332c3222" |sigtool --decode-sigs
>>>>>> VIRUS NAME: JS.HILLARY.Downloader
>>>>>> TARGET TYPE: NORMALIZED ASCII TEXT
>>>>>> OFFSET: *
>>>>>> DECODED SIGNATURE:
>>>>>> ()]("r,u,n,d,l,l,3,2."
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> JB
>>>>>>
>>>>>> _______________________________________________
>>>>>> Community-sigs mailing list
>>>>>> Community-sigs at lists.clamav.net
>>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>>>>
>>>>>> http://www.clamav.net/contact.html#ml
>>>>>>
>>>>
>>>> --
>>>> Christopher Marczewski
>>>> Research Engineer
>>>> Talos Group
>>>> cmarczewski at sourcefire.com
>>>> Phone: 443.430.7118
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.430.7118
>
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
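The three signatures in this thread are ClamAV NDB-style bodies (`Name:TargetType:Offset:HexSig`) that `sigtool --decode-sigs` turns back into text. The Python below is an added example, not part of the thread and not ClamAV's code: it reimplements that decode for the subset of the grammar the thread uses (plain hex bytes and the `*` any-string wildcard), tolerates the line wrapping the mails introduced, and runs over the three signature lines exactly as posted. The `\xNN` rendering of non-printable bytes and the labels for target types other than 7 are this example's own assumptions.

```python
"""Decode ClamAV NDB-style signatures (Name:TargetType:Offset:HexSig) into the
text form that `sigtool --decode-sigs` prints.

Added example, not ClamAV's own code: a from-scratch reimplementation that
covers only the subset of the signature grammar used in this thread, namely
plain hex bytes and the `*` (match any string) wildcard.
"""
import re

# Label sigtool printed for target type 7 in this thread; the other two labels
# are assumed from ClamAV's documented target types (0 = any file, 1 = PE).
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 7: "NORMALIZED ASCII TEXT"}

# Token sigtool uses for `*` in its decoded output (taken from the thread).
WILDCARD = "{WILDCARD_ANY_STRING}"

HEX_RUN = re.compile(r"^[0-9a-fA-F]*$")


def parse_ndb(line):
    """Split a signature into its four fields.

    All whitespace is dropped first: mail clients wrap long signatures across
    lines, as they did for the ones posted here.
    """
    compact = re.sub(r"\s+", "", line)
    parts = compact.split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected Name:TargetType:Offset:HexSig, got %r" % line)
    name, ttype, offset, hexsig = parts
    return {"name": name, "target_type": int(ttype), "offset": offset, "hex": hexsig}


def decode_hexsig(hexsig):
    """Render the hex body as text.

    Each `*` becomes WILDCARD; every other run must be an even-length string
    of hex digits and is decoded byte by byte.  Bytes outside printable ASCII
    are shown as \\xNN (this example's own convention, not sigtool's).  Any
    other ClamAV syntax (`??`, `{n-m}`, `(aa|bb)`) is rejected rather than
    silently misdecoded.
    """
    pieces = []
    for run in hexsig.split("*"):
        if not HEX_RUN.match(run):
            raise ValueError("unsupported signature syntax in %r" % run)
        if len(run) % 2:
            raise ValueError("odd number of hex digits in %r" % run)
        raw = bytes.fromhex(run)
        pieces.append("".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in raw))
    return WILDCARD.join(pieces)


def decode_sig(line):
    """Parse and decode one signature; returns a dict with the report fields."""
    sig = parse_ndb(line)
    sig["decoded"] = decode_hexsig(sig["hex"])
    sig["target_label"] = TARGET_TYPES.get(sig["target_type"], "UNKNOWN (%d)" % sig["target_type"])
    return sig


def render(sig):
    """Lay the fields out the way sigtool --decode-sigs does in the thread."""
    return "\n".join([
        "VIRUS NAME: " + sig["name"],
        "TARGET TYPE: " + sig["target_label"],
        "OFFSET: " + sig["offset"],
        "DECODED SIGNATURE:",
        sig["decoded"],
    ])


# The three signatures from this thread, copied verbatim with the line wraps
# the mails introduced, so the whitespace handling above is exercised.
THREAD_SIGS = [
    """JS.WScript.shell.Downloader:7
:*:5b2273657475746366756c6c79656172225d28223230303322293b696
62028*2e67657475746366756c6c7965617228292e746f737472696e6728
313029203d3d2022323030332229207b76617220""",
    """JS.ActiveX.Downloader:7:*:6e657720616374697665786f626a65637
4282261646f64622e73747265616d22293b*6e657720616374697665786f
626a6563742822777363726970742e7368656c6c22293b*6e65772061637
4697665786f626a656374282261646f64622e73747265616d22293b""",
    """JS.HILLARY.Downloader:7:*:28295d2822722c752c6e2c642c6c2c6c2
c332c3222""",
]

if __name__ == "__main__":
    for line in THREAD_SIGS:
        print(render(decode_sig(line)))
        print()
```

Running it reproduces the three reports from the thread. One detail worth noting when comparing against the quoted output: decoding the hex that the first mail actually contains gives `"2003"` in both places (`32 30 30 33`), where the quoted sigtool output reads `"20O3"`, so that character is a transcription error in the mail rather than in the signature itself. Rejecting unknown syntax instead of guessing is deliberate: a decoder that silently drops `??` or `{n-m}` would make a signature look narrower or broader than the one ClamAV will really load.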