SNAKE Malware Installer Name Indicators

Detects filename indicators associated with the SNAKE malware as reported by CISA in their report

Sigma rule

title: SNAKE Malware Installer Name Indicators
id: 99eccc2b-7182-442f-8806-b76cc36d866b
status: test
description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/10
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\jpsetup.exe'
            - '\jpinst.exe'
    condition: selection
falsepositives:
    - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
level: low
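To show what the `selection` block above actually matches, here is an added example (not part of the rule page or the Sigma project) that applies the rule's `TargetFilename|endswith` logic to a few constructed Windows `file_event` records; the sample paths are made up, and Sigma's default case-insensitive string matching is assumed.

```python
from typing import Dict, List

# Filename suffixes copied from the rule's `selection` block (TargetFilename|endswith).
INDICATORS: List[str] = ["\\jpsetup.exe", "\\jpinst.exe"]

# Constructed sample file_event records; none of these paths come from a real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TargetFilename": "C:\\Windows\\Temp\\jpsetup.exe"},       # exact indicator name
    {"TargetFilename": "C:\\ProgramData\\JPINST.EXE"},           # same name, different case
    {"TargetFilename": "C:\\Users\\alice\\notjpsetup.exe"},      # suffix only, no leading '\'
    {"TargetFilename": "C:\\Users\\alice\\jpsetup.exe.txt"},     # indicator not at end of path
]


def matches_selection(event: Dict[str, str]) -> bool:
    """Return True when TargetFilename ends with one of the rule's indicators.

    Sigma compares strings case-insensitively, so both sides are lowercased.
    The leading backslash in each indicator anchors the match to a whole file
    name, which is why 'notjpsetup.exe' is not a hit, and `endswith` rules out
    'jpsetup.exe.txt' because the indicator is not the final part of the path.
    """
    target = event.get("TargetFilename", "").lower()
    return any(target.endswith(indicator.lower()) for indicator in INDICATORS)


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Run the rule over a batch of events and return the matching file paths.

    The rule is level: low and intended as a hunting basis, so the output is a
    candidate list for analyst review rather than an alert on its own.
    """
    return [e["TargetFilename"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("candidate:", hit)
```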
