hi Team Emerging Threats
can please advise where can i get more information about below rule name
ET MALWARE Socks5Systemz CnC Checkin M2
need a site that can give me a deep dive into malware analysis and understanding its impact
via real world scenarios hit by such a malware focusing on volume and financial losses from such a
malware
Thanks
Hi @prime69 - This signature is based off of the content in This blog by Bitsight. I noticed a typo in the the signature references so I’ll get that fixed up in today’s release. Let me know if you have any other questions and I’m happy to help!
Thanks,
Isaac
Thank you for your assistance ishaughnessy,
can please advise if there is any url link where i can learn to contribute to the community via understanding and eventually writing malware signatures…based on packet capture…
just would like to contribute to our community defend against Blackhat…
i understand i am just starting to crawl but thats the best place to learn from the bottom up…
Thanks
Hi, for my part I can offer a little research on Twitter (x) and a couple of rules of your choice
More samples by tag Malware Reports - Online Malware Analysis Sandbox
During the research, a couple of encryption keys were discovered, but never a different user agent
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection";flow: established, to_server; http.method; content: "GET"; http.uri; content: ".php?c="; pcre: "/^((?:[a-f0-9]){2})+$/R"; http.user_agent; content: "Mozilla/5.0 (Windows|3b| U|3b| MSIE 9.0|3b| Windows NT 9.0|3b| en-US)"; bsize: 57; http.header_names; content: "|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; reference: md5,545519a4f5847b77094b2a6baa5d1cfe; reference: url,app.any.run/tasks/351c3d1b-05d6-483e-9480-b4db71a8a9ff; classtype: command-and-control; sid: 1; rev: 1;)
When a client appears, the backconnection rule is triggered
alert tcp any any -> any 1074 (msg: "ET MALWARE [ANY.RUN] Socks5Systemz TCP Backconnect Client Traffic";flow: established, to_server; stream_size: server, =, 1;stream_size: client, =, 12; dsize: 10; content: "|C0 A8 64|";depth: 3; classtype: command-and-control; reference: md5,1eef6f11bc52c68880c0fa35f8318923; reference: url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; sid: 2; rev: 1;)
Welcome to community prime69
Best regards, Jane
@prime69 - Our community page is the best spot to reach out to us, if you are stuck or confused on a topic create a post and we are always happy to take a look! Even simple questions will be helpful to others in the community so don’t hold back!
If you are interested in learning suricata here is a link to a presentation I gave at BSidesSLC which may be helpful.
@Jane0sint is one of our top community contributors and I definitely recommend following her posts here and the research she shares on Twitter.
heya @Jane0sint
I got one of these out today.
2049397 - ET MALWARE [ANY.RUN] Socks5Systemz TCP Backconnect Client Traffic
I found a few FP’s on [ANY.RUN] Socks5Systemz HTTP C2 Connection for bot traffic going to Google Analytics so I’m going to add a negation and try again tomorrow.
google-analytics.bit/single.php?c=55edc18a576296d983604c6c2c792a748ce3f5dd3f6ab361c8106646ba3fb836c10b4e79e3b794c7661bf9463f
Cheers,
Isaac
@Jane0sint - After trying some negations Socks5Systemz HTTP C2 Connection still did not perform well and was not part of today’s release.
Thanks,
Isaac
Hi, sorry for the long response, I was working on a brushaloader.
Everything got a little worse with the appearance of this sample Analysis New Text Document.bin.zip (MD5: 191C2DAF0AE932762F01CD6B5423A1FB) Malicious activity - Interactive analysis ANY.RUN
It has the following URI:
/click/?counter=de7ef49b2c006853fb38357b3206f31360ff1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f508166429e289d5886 9b3a226d55f676647fc3813369d184da325a538cd207fc12cc
Here’s my proposal for a rule,
http.uri;
content: "?"; depth: 20;
pcre: "/^[^=]+=((?:[a-f0-9]){2}){78,94}$/";
The amount of content has been reduced, I’m sorry (︶︹︶)
Is it just me or is there a dga here? All domains 7 characters
I’d like to use this too:
http.host;
content: "."; offset: 7; depth:1;
pcre: "/^[a-z]{7}\.[a-z]{2,5}$/";
And that’s the rule:
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection";
flow: established, to_server; http.method;
content: "GET"; http.uri;
content: "?"; depth: 20;
pcre: "/^[^=]+=((?:[a-f0-9]){2}){78,94}$/"; http.user_agent;
content: "Mozilla/5.0 (Windows|3b| U|3b| MSIE 9.0|3b| Windows NT 9.0|3b| en-US)"; bsize: 57; http.header_names;
content: "|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|";
http.host; content: "."; offset: 7; depth:1; pcre: "/^[a-z]{7}\.[a-z]{2,5}$/";
reference: md5,7308178fbfc957dec7a304ad131e0b5b;
reference: url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; classtype: command-and-control;
sid: 1; rev: 1;)
And add another rule for a new key thanks to @naumovax
https://x.com/naumovax/status/1727714533546848394?s=20
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection";
flow: established, to_server; http.method;
content: "GET"; http.uri;
content: "=de7ef49b2c006853fb";
reference: md5,7308178fbfc957dec7a304ad131e0b5b;
reference: url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; classtype: command-and-control;
sid: 1; rev: 1;)
Jane ゚𐦍༘⋆
@Jane0sint - Nice, these performed well in QA and were included in today’s release! 
2049467 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1
2049468 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2
Thanks Team for the assist
lots to learn and grow…
Appreciate all your experience and insight
Regards
Hi, can I please add a link to this discussion to the rules 2049467 2049468?
reference:url,community.emergingthreats.net/t/et-malware-socks5systemz/;
The updated signatures will go out today, thanks Jane!
JT
Hi, I propose to change the existing rule (2049467) and add another one.
Changes to 2049467:
pcre:“/^(?:[^=]+=((?:[a-f0-9]){2}){78,104})$/”;
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"?"; depth:20; pcre:"/^(?:[^=]+=((?:[a-f0-9]){2}){78,104})$/"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|3b 20|U|3b 20|MSIE|20|9|2e|0|3b 20|Windows|20|NT|20|9|2e|0|3b 20|en|2d|US|29|"; bsize:57; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; bsize:22; http.host; content:"."; offset:7; depth:1; pcre:"/^(?:[a-z]{7})\.(?:[a-z]{2,5})$/"; reference:md5,7308178fbfc957dec7a304ad131e0b5b; reference:url,app.any.run/tasks/685b5fb6-1b1a-4f4d-92f5-8a9593275a92; reference:url,community.emergingthreats.net/t/et-malware-socks5systemz/1155/; classtype:trojan-activity; sid:2049467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_12_04, deployment Perimeter, former_category MALWARE, malware_family Socks5Systemz, confidence High, signature_severity Critical, updated_at 2023_12_28; target:src_ip;)
Sample with traffic: Automated Malware Analysis Report for adobe.exe - Generated by Joe Sandbox
New rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=67e28dd86d55f12847"; fast_pattern; reference:md5,7308178fbfc957dec7a304ad131e0b5b; reference:url,www.joesandbox.com/analysis/1374165/0/html; reference:url,community.emergingthreats.net/t/et-malware-socks5systemz/1155/; classtype:trojan-activity; sid:111; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_13, deployment Perimeter, former_category MALWARE, malware_family Socks5Systemz, confidence High, signature_severity Critical, updated_at 2024_01_13; target:src_ip;)
Jane 
Hey @Jane0sint - I’ve got this update + new sig in for today’s release, I’ll get you the new sid once I have it!
@Jane0sint - Here’s the sid/name in today’s release
2050112 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2