Potential SNAKE Malware Installation CLI Arguments Indicator

calendar Mar 1, 2024 · attack.execution detection.emerging_threats  ·
Share on: linkedin copy

Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report

Sigma rule (View on GitHub)

 1title: Potential SNAKE Malware Installation CLI Arguments Indicator
 2id: 02cbc035-b390-49fe-a9ff-3bb402c826db
 3status: test
 4description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
 5references:
 6    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/05/04
 9tags:
10    - attack.execution
11    - detection.emerging_threats
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        # This CLI regex is based on the following description from the report:
18        #   The jpsetup.exe installer requires two arguments to be passed via the command line for execution
19        #   The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256
20        #   The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters)
21        CommandLine|re: '\s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}'
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

References

  • ÈÌ)-_0±çº~˜! Ø s(,2QPƉhÜÇÏ3¶|ˆ–}Iøç¹&·œÚÛ;†›„'ΕT H®2c•üä…Ò_åjÈhõ£WCcâ3 Lîý2OjÄp(š»AÙÞɳ¨¤ÂïíûË7>g‰²� ß&�Ã�M-pïA[~§Æ¹ÔÌ ÑùEÀ¼ *\?õEÂD„ĵNšæ°úþ,$ØkÜ…›÷ºz¾%}_ü“0['.Ý& )V:x¹´¼ª¶®aX...


    Read More

Related rules

to-top