Hi, having decrypted and detonated this sample, which was received at the first stage of delivery,
I noticed some features of the HTTP traffic that can be used for detection. For example, the same user agent and lifetime, and, what is interesting, the use of a capital letter in the content description:
I did not hardcode the port since there is also a request for 8080.
The body of the request now looks slightly different due to the use of substitution encryption, and I always had 102 bytes, the first 32 of which are an MD5 of system information. Previously this was an ID parameter. You can also use it at your discretion.
pcre: "/^[A-Ma-h]{32}[a-zA-Z0-9=]{6}(.)[a-zA-Z0-9=]{23}\1[a-zA-Z0-9=]{39}$/";
The proposed rule is as follows:
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] DarkGate Check-In HTTP header";
flow: established, to_server;
http.method;
content: "POST";
http.header;
content: "Keep-Alive: 300"; distance: 0;
content: "Connection: keep-alive"; distance: 0;
content: "Content-Type: Application/octet-stream"; distance: 0;
content: "Content-Length: ";
byte_test: 0, >, 40, 0, relative, string, dec;
byte_test: 0, <, 750, 0, relative, string, dec;
http.header_names;
content: "|0d 0a|Host|0d 0a|Keep-Alive|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith;
http.user_agent;
content: "Mozilla/4.0 (compatible|3b| Synapse)"; bsize: 33;
reference: md5,4d26c05426247f7a4f784967c7b0faa2;
reference: url,app.any.run/tasks/fb92bcf3-3413-4bca-807a-fb002ac48b18;
classtype: command-and-control;
sid: 1; rev: 1;)
UP:
A colleague just sent me this request; it contains 46 bytes, and of course it matches only the first 32 bytes of the regular expression.
^[A-Ma-h]{32}
UPUP:
After reviewing the research, I dare to suggest much more content in the data section.
I hope that you will have more traffic to prevent unnecessary checks.
Cheers, Jane (ββ_β)
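Added example, not part of the post above: a small Python checker that applies the proposed rule's header conditions and the optional body pcre to constructed requests (the host, path and body contents are made up), including the 46-byte body from the update.

```python
import re

# The body pcre the post offers "at your discretion", and the header order the rule pins down.
BODY_RE = re.compile(r"^[A-Ma-h]{32}[a-zA-Z0-9=]{6}(.)[a-zA-Z0-9=]{23}\1[a-zA-Z0-9=]{39}$")
EXPECTED_NAMES = ["Host", "Keep-Alive", "Connection", "User-Agent", "Content-Type", "Content-Length"]
USER_AGENT = "Mozilla/4.0 (compatible; Synapse)"

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, ordered (name, value) list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, headers, body.decode("latin-1")

def check_rule(raw: bytes) -> dict:
    """Evaluate each rule condition case-sensitively (the rule uses no nocase), plus the body pcre."""
    method, headers, body = parse_request(raw)
    values = dict(headers)
    length = values.get("Content-Length", "")
    return {
        "method": method == "POST",
        "header_order": [n for n, _ in headers] == EXPECTED_NAMES,
        "keep_alive": values.get("Keep-Alive") == "300",
        "connection": values.get("Connection") == "keep-alive",
        "content_type": values.get("Content-Type") == "Application/octet-stream",
        "content_length": length.isdigit() and 40 < int(length) < 750,
        "user_agent": values.get("User-Agent") == USER_AGENT,
        "body_pcre": BODY_RE.match(body) is not None,
        "body_prefix": re.match(r"^[A-Ma-h]{32}", body) is not None,
    }

def header_rule_fires(raw: bytes) -> bool:
    # The posted rule carries no pcre, so only the header-side conditions decide.
    return all(v for k, v in check_rule(raw).items() if not k.startswith("body_"))

def build_request(body: str) -> bytes:
    """Constructed check-in request shaped like the post's capture (not real traffic)."""
    head = "\r\n".join(["POST /index.php HTTP/1.1", "Host: example.invalid", "Keep-Alive: 300",
                        "Connection: keep-alive", f"User-Agent: {USER_AGENT}",
                        "Content-Type: Application/octet-stream", f"Content-Length: {len(body)}"])
    return (head + "\r\n\r\n" + body).encode("latin-1")

# Constructed bodies: 102 bytes matching the full pcre, and the 46-byte variant from the update.
BODY_102 = "ABCDEFGHabcdefgh" * 2 + "Ab1=cd" + "x" + "E" * 23 + "x" + "F" * 39
BODY_46 = "ABCDEFGHabcdefgh" * 2 + "G" * 14
```

Lower-casing the Content-Type value or reordering the headers makes the header rule stop firing, which is why the capital letter and the exact header_names buffer carry most of the weight here.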