Potential Encrypted Registry Blob Related To SNAKE Malware

Detects the creation of a registry value with an uncommon name in the ".wav\OpenWithProgIds" key. This could be related to SNAKE malware, as reported by CISA.

Sigma rule (View on GitHub)

title: Potential Encrypted Registry Blob Related To SNAKE Malware
id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
status: experimental
description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/10
modified: 2023/08/17
tags:
    - attack.persistence
    - detection.emerging_threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
    filter_main_wav:
        - TargetObject|endswith: '.AssocFile.WAV'
        - TargetObject|contains: '.wav.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some additional tuning might be required to tune out legitimate processes that write to this key by default
level: medium
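
The rule's detection block replayed over sample events, as an added example that is not part of the original rule: it shows which TargetObject values pass the selection, which are dropped by the filter, and which raise an alert. The function names and every sample path are constructed for illustration; matching is case-insensitive because that is Sigma's default for string modifiers.

```python
# Added example: evaluates the rule's selection/filter/condition over
# constructed registry_set events. Names and sample paths are hypothetical.

SELECTION_CONTAINS = "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\\"
FILTER_ENDSWITH = ".AssocFile.WAV"
FILTER_CONTAINS = ".wav."


def selection(target_object: str) -> bool:
    # TargetObject|contains, compared case-insensitively (Sigma default).
    return SELECTION_CONTAINS.lower() in target_object.lower()


def filter_main_wav(target_object: str) -> bool:
    # The filter is a YAML list of two maps, so its entries are ORed.
    t = target_object.lower()
    return t.endswith(FILTER_ENDSWITH.lower()) or FILTER_CONTAINS.lower() in t


def rule_matches(event: dict) -> bool:
    # condition: selection and not 1 of filter_main_*
    target = event.get("TargetObject", "")
    return selection(target) and not filter_main_wav(target)


# Constructed sample events (not taken from real telemetry).
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds\WMP11.AssocFile.WAV"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds\ExamplePlayer.wav.1"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds\ExampleUncommonName"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\.mp3\OpenWithProgIds\ExampleUncommonName"},
    {"TargetObject": r"hklm\software\classes\.WAV\openwithprogids\ExampleUncommonName"},
    {"Details": "Binary Data"},  # event without TargetObject must not match
]


def hits(events):
    # Return the TargetObject of every event the rule would alert on.
    return [e["TargetObject"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in hits(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Any value name that lacks both the ".AssocFile.WAV" suffix and the ".wav." substring alerts, which is why the rule's false-positive note calls for tuning against software that legitimately writes to this key.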
