[Community-sigs] new vbs sig
Christopher Marczewski
cmarczewski at sourcefire.com
Thu Sep 28 11:30:42 EDT 2017
We did encounter a few FPs, but I have modified the signature to the
following:
Vbs.Downloader.Agent;Engine:51-255,Target:7;(0>2)&1&(2>2);736c7368617265;73706c6974{-5}7265706c616365;7368656c6c
VIRUS NAME: Vbs.Downloader.Agent
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: (0>2)&1&(2>2)
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
slshare
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
split{WILDCARD_ANY_STRING(LENGTH<=5)}replace
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
shell
The samples look like another variant of a recent wave of Locky
downloaders. The revised signature will still look for the SLShare logging,
in addition to looking for the URL split-and-replace these downloaders are
known for.
Thank you again for your contribution.
On Wed, Sep 27, 2017 at 11:54 AM, Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:
> Hello Jean-Baptiste,
>
> Thank you for your submission. We're currently in the process of testing
> the signature for FPs.
>
> On Sun, Sep 24, 2017 at 9:15 AM, Jean-Baptiste Lanel <jb at lanel.eu> wrote:
>
>> Hello,
>>
>> Just made another vbs sig:
>>
>> JB_DWNL2_VBS:7:*:7468656e206f6c6f6767696e672e637265617465656e7472792022616e20696e76616c696420736c73686172652076616c7565206f6620222026206f656e7669726f6e6d656e742e6974656d2822736c736861726522292026202220776173207370656369666965642e22
>>
>> Samples on VirusTotal:
>>
>> https://www.virustotal.com/#/file/95060734fa1fe59c18befcd3f413fdc336551c25ad4a1ad2ea978d5f70c66381/detection
>>
>> https://www.virustotal.com/#/file/040c424e4dc86da39a3e70f6754c136aae884684e00447272f28e28e8df97e04/detection
>>
>> https://www.virustotal.com/#/file/b723a06b37d3ef18c6b02ba907fac430b5af603070ee78165c51c7b946d608fa/detection
>>
>> Regards,
>>
>> JB
>>
>>
>>
>>
>> On 23/08/2017 16:43, Christopher Marczewski wrote:
>>
>>> Jean-Baptiste,
>>>
>>> We have published your signature as Vbs.Downloader.Agent-6335783-1. It
>>> should be available within the next few daily updates.
>>>
>>> Thanks again for your contribution.
>>>
>>> On Fri, Aug 18, 2017 at 11:28 AM, Christopher Marczewski <
>>> cmarczewski at sourcefire.com> wrote:
>>>
>>>> Hello Jean-Baptiste,
>>>>
>>>> Thank you for your submission. We're currently reviewing the signature &
>>>> will keep you posted.
>>>>
>>>> On Fri, Aug 18, 2017 at 8:23 AM, Jean-Baptiste Lanel <jb at lanel.eu>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Just made a new sig:
>>>>>
>>>>> VBS.Dwnl:7:*:6d61726b6574706c616365203d20726466676f28
>>>>>
>>>>> It seems rather odd but so far caught a lot (see samples; for decrypting
>>>>> with openssl: openssl enc -d -aes256 -in sample.tar.gz.enc -out
>>>>> sample.tar.gz)
>>>>>
>>>>> Regards,
>>>>>
>>>>> JB
>>>>> _______________________________________________
>>>>> Community-sigs mailing list
>>>>> Community-sigs at lists.clamav.net
>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>>>
>>>>> http://www.clamav.net/contact.html#ml
>>>>>
>>>>>
>>>>
>>>> --
>>>> --
>>>> Christopher Marczewski
>>>> Research Engineer
>>>> Talos Group
>>>> cmarczewski at sourcefire.com
>>>> Phone: 443.832.2975
>>>>
>>>>
>>>
>>>
>>
>
>
> --
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.832.2975
>
--
--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
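The revised logical signature above, worked through as an added example (this is not code from the thread, from ClamAV or from Talos): a small Python checker that splits the .ldb line into its fields, decodes each hex subsignature (including the {-5} byte-range wildcard) into the sigtool-style text shown in the thread plus an equivalent regex, counts hits per subsignature, and evaluates the (0>2)&1&(2>2) logic. The two VBS bodies are constructed stand-ins, not the VirusTotal samples; lower-casing the input is my approximation of ClamAV's Target:7 normalised-ASCII handling, the wildcard labels other than {-n} follow sigtool's style by assumption, and hit counting is non-overlapping. It is a readability aid for reviewing a signature, not a substitute for testing it with clamscan.

```python
import re

# Logical signature exactly as posted in the thread (.ldb layout:
# Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;...)
LDB_LINE = ("Vbs.Downloader.Agent;Engine:51-255,Target:7;(0>2)&1&(2>2);"
            "736c7368617265;73706c6974{-5}7265706c616365;7368656c6c")

# Constructed, benign stand-in for the downloader shape the thread describes
# (reads an environment value, logs it, splits a string). Not a real sample.
DOWNLOADER_LIKE = """\
set oshell = createobject("wscript.shell")
set oenvironment = oshell.environment("process")
if oenvironment.item("slshare") = "" then ologging.createentry "an invalid slshare value of " & oenvironment.item("slshare") & " was specified."
parts = split(replace(blob, "#", "/"), "|")
wscript.echo parts(0)
"""

# Constructed benign script: one "slshare", several "shell", no split/replace,
# so only the (2>2) clause holds and the signature must not fire.
BENIGN = """\
set oshell = createobject("wscript.shell")
wscript.echo oshell.expandenvironmentstrings("%slshare%")
"""

WILDCARD_RE = re.compile(r"\{(\d*)(-?)(\d*)\}")


def parse_ldb(line):
    """Split an .ldb line into name, TDB, logical expression and subsigs."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    if not subsigs:
        raise ValueError("logical signature needs at least one subsignature")
    return {"name": name, "tdb": tdb, "expr": expr, "subsigs": subsigs}


def decode_subsig(hexsig):
    """Return (sigtool-style text, regex) for a hex body subsignature.

    Hex pairs are bytes; {-n} / {n} / {n-} / {n-m} are ClamAV byte-range
    wildcards and '*' matches anything. The {-n} label copies the sigtool
    output quoted in the thread; the others follow its style (assumption).
    """
    human, pattern, i = [], [], 0
    while i < len(hexsig):
        if hexsig[i] == "{":
            m = WILDCARD_RE.match(hexsig, i)
            lo, dash, hi = m.groups() if m else ("", "", "")
            if lo and not dash:            # {n}: exactly n bytes
                human.append(f"{{WILDCARD_ANY_STRING(LENGTH=={lo})}}")
                pattern.append(f".{{{lo}}}")
            elif not lo and hi:            # {-n}: up to n bytes
                human.append(f"{{WILDCARD_ANY_STRING(LENGTH<={hi})}}")
                pattern.append(f".{{0,{hi}}}")
            elif lo and not hi:            # {n-}: at least n bytes
                human.append(f"{{WILDCARD_ANY_STRING(LENGTH>={lo})}}")
                pattern.append(f".{{{lo},}}")
            elif lo and hi:                # {n-m}: between n and m bytes
                human.append(f"{{WILDCARD_ANY_STRING(LENGTH>={lo}&<={hi})}}")
                pattern.append(f".{{{lo},{hi}}}")
            else:
                raise ValueError(f"bad wildcard at offset {i} in {hexsig}")
            i = m.end()
        elif hexsig[i] == "*":
            human.append("{WILDCARD_ANY_STRING}")
            pattern.append(".*")
            i += 1
        else:
            if len(hexsig) - i < 2:
                raise ValueError(f"dangling hex digit in {hexsig}")
            byte = int(hexsig[i:i + 2], 16)
            human.append(chr(byte) if 0x20 <= byte < 0x7F else f"\\x{byte:02x}")
            pattern.append(re.escape(chr(byte)))
            i += 2
    return "".join(human), "".join(pattern)


def count_matches(data, subsigs):
    """Non-overlapping hit count per subsig. Lower-casing approximates the
    Target:7 normalised-ASCII handling (assumption, not ClamAV's code)."""
    text = data.lower()
    return {sid: sum(1 for _ in re.finditer(decode_subsig(h)[1], text, re.DOTALL))
            for sid, h in enumerate(subsigs)}


class LogicalExpr:
    """Evaluates the forms used in the thread: subsig ids (matched at least
    once), (id>n), (id<n), (id=n) on hit counts, '&', '|' and parentheses."""

    def __init__(self, expr, counts):
        self.tokens = re.findall(r"\d+|[()&|<>=]", expr)
        if "".join(self.tokens) != expr.replace(" ", ""):
            raise ValueError(f"unsupported token in {expr!r}")
        self.counts, self.pos = counts, 0

    def _peek(self, k=0):
        j = self.pos + k
        return self.tokens[j] if j < len(self.tokens) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'} at {self.pos}")
        self.pos += 1
        return tok

    def evaluate(self):
        result = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in logical expression")
        return result

    def _or(self):
        v = self._and()
        while self._peek() == "|":
            self._take()
            rhs = self._and()      # parse the right side even if v is True
            v = v or rhs
        return v

    def _and(self):
        v = self._atom()
        while self._peek() == "&":
            self._take()
            rhs = self._atom()
            v = v and rhs
        return v

    def _atom(self):
        tok = self._take()
        if tok == "(":
            if (self._peek() or "").isdigit() and self._peek(1) in ("<", ">", "="):
                sid, op, n = int(self._take()), self._take(), int(self._take())
                self._take(")")
                c = self.counts.get(sid, 0)
                return {">": c > n, "<": c < n, "=": c == n}[op]
            v = self._or()
            self._take(")")
            return v
        if tok.isdigit():
            return self.counts.get(int(tok), 0) > 0
        raise ValueError(f"unexpected {tok!r} in logical expression")


def scan(ldb_line, data):
    """Return (signature fired?, per-subsig hit counts) for one text body."""
    sig = parse_ldb(ldb_line)
    counts = count_matches(data, sig["subsigs"])
    return LogicalExpr(sig["expr"], counts).evaluate(), counts


def describe(ldb_line):
    """Render the signature roughly the way sigtool --decode-sigs does."""
    sig = parse_ldb(ldb_line)
    lines = [f"VIRUS NAME: {sig['name']}", f"TDB: {sig['tdb']}",
             f"LOGICAL EXPRESSION: {sig['expr']}"]
    for sid, hexsig in enumerate(sig["subsigs"]):
        human, pattern = decode_subsig(hexsig)
        lines += [f" * SUBSIG ID {sid}", f" +-> DECODED SUBSIGNATURE: {human}",
                  f" +-> REGEX: {pattern}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(LDB_LINE))
    for label, body in (("downloader-like", DOWNLOADER_LIKE), ("benign", BENIGN)):
        fired, counts = scan(LDB_LINE, body)
        print(f"{label}: match={fired} counts={counts}")
```

The benign body is the reason the thresholds matter: it hits "shell" three times and "slshare" once, so (2>2) alone would be far too loose, and it is the (0>2) count on the SLShare logging plus the split/replace subsignature that keep the expression from firing on ordinary administrative scripts.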