Hi team Emerging Threats,
Hope this email finds you well.
I would appreciate it if you could advise the URL this rule is built on, as I need to understand its CVSS and gain more insight into this signature.
Also, if possible, could a URL be uploaded with all new malware signatures on the site the analysis is done from, so we can verify and build insight into the work already done?
A simple search on the signature ET MALWARE Rule ID 2022986 is very vague and provides little insight into the packets, whether it's a false positive or a genuine impact.
Thanks for all the hard work, team Emerging Threats.
Appreciate the effort and hard work done so far.
God bless
Regards
1 Like
Hi,
sid 2022986, as the name implies, is a generic signature that will fire when a request (GET, POST, HEAD, etc.) is seen to a dotted-quad IP address. A number of different malware families over the years have used gate[.]php as their endpoint. Some reference hashes (I will get some of these added to the signature for tomorrow's release) that are available on VirusTotal and have pcap files available:
de4961b8c4fb7e3bd5ea9f1df2b5d182 (exe) - ransomware
0680ff9251b686e9025b36c577163f01 (exe) - pony downloader
are two of the most common we see fire this signature among others. A helpful search using VirusTotal for ET Open signatures:
https://www.virustotal.com/gui/search/crowdsourced_ids%253A2022986/files
(this specific search is looking for samples that fire sid 2022986 but any ET Open sid can be used)
JT
2 Likes
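As an added illustration of the matching logic JT describes (a request of any method to a dotted-quad host with gate[.]php as the endpoint), here is a small triage helper. This is example code written for this page, not the text of sid 2022986 or any Emerging Threats rule; the exact content matches and header conditions of the real signature are not reproduced here, and the HTTP requests below are constructed samples, not captures from the referenced hashes.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample requests (not real traffic). Hosts use documentation
# ranges (RFC 5737) so nothing here points at a live endpoint.
SAMPLE_REQUESTS = [
    "POST /gate.php HTTP/1.1\r\nHost: 203.0.113.25\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nid=abc123",
    "GET /gate.php?id=1 HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n",
    "GET /gate.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: 203.0.113.25\r\n\r\n",
    "HEAD /admin/gate.php HTTP/1.0\r\nHost: 192.0.2.9:8080\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_request(raw: str) -> Optional[Dict[str, object]]:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns None when the request line is malformed.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": match.group(1),
        "target": match.group(2),
        "headers": headers,
        "body": body,
    }


def host_is_dotted_quad(host: str) -> bool:
    """True when the Host header is a bare IPv4 literal (optionally with :port)."""
    name = host.split(":", 1)[0]
    try:
        ipaddress.IPv4Address(name)
    except ValueError:
        return False
    return True


def matches_generic_gate_php(raw: str) -> bool:
    """Mirror the described logic: any method, dotted-quad host, gate.php path.

    This is an approximation written for illustration; it is not the rule.
    """
    req = parse_request(raw)
    if req is None:
        return False
    host = req["headers"].get("host", "")
    if not host_is_dotted_quad(host):
        return False
    path = str(req["target"]).split("?", 1)[0]
    return path.lower().endswith("/gate.php")


def flag_requests(raws: List[str]) -> List[Dict[str, str]]:
    """Return method/host/target for every request that would match."""
    hits = []
    for raw in raws:
        if matches_generic_gate_php(raw):
            req = parse_request(raw)
            hits.append({
                "method": str(req["method"]),
                "host": str(req["headers"].get("host", "")),
                "target": str(req["target"]),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print(f"{hit['method']} {hit['host']} {hit['target']}")
```

Running it over the samples flags the three requests whose Host is an IPv4 literal and whose path ends in gate.php (the first, second and fifth), and ignores the hostname-based request and the dotted-quad request for index.php. As the reply notes, a hit alone says nothing about which family is involved; the pcaps attached to the referenced VirusTotal samples are what to compare the full request against.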