Snort Suricata Rules Signatures for Racoon Stealer & Kryptik Malware

Racoon Malware Traffic Sample:

2020-05-09 02:34:46.971465 IP 192.168.86.25.56401 > 34.89.22.128.80: Flags [P.], seq 1:189, ack 1, win 16685, length 188: HTTP: POST /gate/log.php HTTP/1.1
POST /gate/log.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 155
Host: 34.89.22.128

The stealer posts its 155-byte form-encoded payload straight to the gate script by IP address, with no User-Agent, Accept or Referer header.

Racoon Sample Rule:

alert tcp $HOME_NET any -> any 80 (msg:"Racoon Credential Stealer Malware"; content:"POST"; http_method; content:"/gate/log.php"; http_uri; tag:session,120,seconds; sid:111; rev:1;)

The http_method and http_uri modifiers confine each match to its own buffer, so a request body that happens to contain the string /gate/log.php does not trigger the rule, and tag:session,120,seconds logs the rest of the connection for two minutes after the alert so the posted form data can be examined. One housekeeping point: sid values below 1000000 are reserved for distributed rulesets, so local rules like these should be numbered from 1000000 upwards to avoid clashing with a subscribed ruleset.

Kryptik Malware Traffic Samples and Rules:

2020-05-09 02:42:22.776912 IP 192.168.86.25.56403 > 8.208.89.38.80: Flags [P.], seq 1:82, ack 1, win 16425, length 81: HTTP: GET /fR7qOGKa91MzN7Av HTTP/1.1
GET /fR7qOGKa91MzN7Av HTTP/1.1
Connection: Keep-Alive
Host: freelinesoft.cc

Apart from the bare 16-character path the request carries only Connection and Host; the missing User-Agent, Accept and Referer headers are what the rules below key on.

Rule #1

alert tcp any any -> any any (msg:"Kryptik Malware short-packet C2 check-in"; content:"GET"; http_method; pcre:"/^\/[A-Za-z0-9]{10,20}$/U"; content:!"Cache-Control|3a|"; content:!"|0d 0a|Accept"; content:!"Referer|3a|"; content:!"User-Agent|3a|"; tag:session,120,seconds; sid:112; rev:1;)

This keys on the bare 10-20 character alphanumeric path (the character class must include digits, since the sample token fR7qOGKa91MzN7Av contains them) and on what is absent: a negated content match (content:!"...", with the ! outside the quotes) only succeeds when the string is missing, so the rule fires only when Cache-Control, Accept, Referer and User-Agent are all absent, which is what makes the request a "short packet" compared with a browser's. A bare alphanumeric path with no browser headers is a broad pattern; restricting the header to $HOME_NET any -> any 80 as in the Racoon rule, or adding content:"freelinesoft.cc"; http_header; when hunting this specific sample, keeps it from alerting on unrelated API traffic.

2020-05-09 02:42:23.354100 IP 192.168.86.25.56405 > 8.208.89.38.80: Flags [P.], seq 1:138, ack 1, win 16425, length 137: HTTP: GET /fR7qOGKa91MzN7Av/login.php HTTP/1.1
GET /fR7qOGKa91MzN7Av/login.php HTTP/1.1
Connection: Keep-Alive
Host: freelinesoft.cc
Cookie: PHPSESSID=2vd2u9uo6s5ukc6b21k9qg7697

Rule #2:

alert tcp any any -> any any (msg:"Kryptik Malware short-packet C2 login.php"; content:"GET"; http_method; pcre:"/^GET\s\/[A-Za-z0-9]{10,20}\/login\.php\sHTTP/"; content:"PHPSESSID="; http_cookie; content:!"|0d 0a|Accept"; content:!"Referer|3a|"; content:!"User-Agent|3a|"; tag:session,120,seconds; sid:113; rev:1;)

The second request reuses the path token from the first and adds the PHPSESSID cookie the server set; http_cookie matches inside the Cookie header regardless of how Snort or Suricata normalise the remaining headers. The forward slashes and the dot in the PCRE have to be escaped (\/ and \.), and \s stands for the single space between method, URI and version.
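To check that the three rules above really match the captures they were written for, and that a browser request with the same URI shape does not, here is a small Python re-implementation of their matching logic. It is an added example, not part of the original post and not Snort or Suricata code: the request lines and headers are copied from the three captures, while the 155-byte Racoon POST body and the browser "control" request are constructed for the test.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requests. Request lines and headers are taken from the three
# captures above; the Racoon POST body is a stand-in of the declared Content-Length.
RACOON_POST = (
    b"POST /gate/log.php HTTP/1.1\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 155\r\n"
    b"Host: 34.89.22.128\r\n"
    b"\r\n" + b"A" * 155
)
KRYPTIK_CHECKIN = (
    b"GET /fR7qOGKa91MzN7Av HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Host: freelinesoft.cc\r\n"
    b"\r\n"
)
KRYPTIK_LOGIN = (
    b"GET /fR7qOGKa91MzN7Av/login.php HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Host: freelinesoft.cc\r\n"
    b"Cookie: PHPSESSID=2vd2u9uo6s5ukc6b21k9qg7697\r\n"
    b"\r\n"
)
# Constructed control: same URI shape as the Kryptik login, but with the headers a
# browser always sends. The "short packet" negations must keep sid 113 quiet here.
BROWSER_GET = (
    b"GET /fR7qOGKa91MzN7Av/login.php HTTP/1.1\r\n"
    b"Host: freelinesoft.cc\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"Referer: http://freelinesoft.cc/\r\n"
    b"Cookie: PHPSESSID=2vd2u9uo6s5ukc6b21k9qg7697\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split an HTTP/1.x request into (method, uri, headers); header names are
    lower-cased. Returns None for anything that is not a well-formed request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


# The negated content matches in sids 112/113: "|0d 0a|Accept" also covers
# Accept-Encoding / Accept-Language, hence the prefix test.
BROWSER_HEADERS = ("accept", "referer", "user-agent")


def lacks_browser_headers(headers: Dict[str, str]) -> bool:
    """The page's 'short packet' heuristic: none of the headers a browser sends."""
    return not any(name.startswith(BROWSER_HEADERS) for name in headers)


CHECKIN_URI = re.compile(r"^/[A-Za-z0-9]{10,20}$")            # sid 112 pcre (U buffer)
LOGIN_URI = re.compile(r"^/[A-Za-z0-9]{10,20}/login\.php$")   # sid 113 pcre, URI part


def match_rules(raw: bytes) -> List[int]:
    """Return the SIDs of the page's three rules whose conditions the request meets."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, uri, headers = parsed
    hits: List[int] = []
    # sid 111 (Racoon): POST whose URI contains /gate/log.php; no header negations.
    if method == "POST" and "/gate/log.php" in uri:
        hits.append(111)
    # sid 112 (Kryptik check-in): bare alphanumeric path, no Cache-Control, no browser headers.
    if (method == "GET" and CHECKIN_URI.match(uri)
            and "cache-control" not in headers and lacks_browser_headers(headers)):
        hits.append(112)
    # sid 113 (Kryptik login): /<token>/login.php with a PHPSESSID cookie, no browser headers.
    if (method == "GET" and LOGIN_URI.match(uri)
            and "PHPSESSID=" in headers.get("cookie", "")
            and lacks_browser_headers(headers)):
        hits.append(113)
    return hits


SAMPLES = {
    "racoon_post": RACOON_POST,
    "kryptik_checkin": KRYPTIK_CHECKIN,
    "kryptik_login": KRYPTIK_LOGIN,
    "browser_control": BROWSER_GET,
}


def triage(samples: Dict[str, bytes]) -> Dict[str, List[int]]:
    """Run every sample through the rule logic and report the SIDs hit per sample."""
    return {name: match_rules(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, sids in triage(SAMPLES).items():
        print(f"{name:16s} -> {sids or 'no alert'}")
```

Each capture hits exactly the rule written for it and the browser control hits nothing, which is the behaviour to confirm with `snort -T` / `suricata -T` and a replay of the pcap before the rules go into production.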

