ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2
Sourceet/open
Fileemerging-malware.rules
CreatedOctober 19, 2021
UpdatedApril 30, 2024
Classificationtrojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2"; flow:established,to_server ; http.method; content:"GET"; http.user_agent; bsize:12; content:"IP retriever"; fast_pattern; http.host; content:"api.ipify.org"; endswith; http.header_names; to_lowercase; content:!"|0d 0a|accept"; content:!"|0d 0a|referer|0d 0a|"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ ; reference:md5,fbf7ba464d564dbf42699c34b239b73a ; classtype:trojan-activity; sid:2034231; rev:4; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, deprecation_reason False_Positive, malware_family Win32_JSWORM, confidence High, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_30, reviewed_at 2023_08_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
References
| url | www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ |
| md5 | fbf7ba464d564dbf42699c34b239b73a |
Metadata
attack targetClient_Endpoint
created at2021_10_19
deploymentPerimeter
deprecation reasonFalse_Positive
malware familyWin32_JSWORM
confidenceHigh
signature severityMajor
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_04_30
reviewed at2023_08_22
mitre tactic idTA0040
mitre tactic nameImpact
mitre technique idT1486
mitre technique nameData_Encrypted_for_Impact
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!