Snort mailing list archives

Re: [Emerging-Sigs] Suspicious DNS rule


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 1 Aug 2018 19:31:18 +0000

Here is a lousy theory: these appear to be the octal representation of the hexadecimal values of the two extended ASCII characters?

CAh >  Ê  capital e with circumflex > CA (hex) = 312 (oct)
B1h >  ±  plus-or-minus sign        > B1 (hex) = 261 (oct)

Why? I have no idea :)
YM
________________________________
From: Emerging-sigs <emerging-sigs-bounces () lists emergingthreats net> on behalf of James Lay <jlay () slave-tothe-box net>
Sent: Tuesday, July 31, 2018 8:16 PM
To: emerging-sigs; Snort-Sigs
Subject: [Emerging-Sigs] Suspicious DNS rule


So ok....I got three samples, two Agent Tesla, one FormBook, all exhibit the following:

[inline screenshot, not preserved in the archive]

list of samples on any_run:

https://app.any.run/tasks/33d3e229-fba7-476b-8ec9-7464eacb1ca3
https://app.any.run/tasks/6d9371e7-249b-47d1-bbbb-cf66dd34e30b
https://app.any.run/tasks/065b87cb-a6d3-4dc7-a06f-a893281b4263

these requests show up funky:

[inline screenshot, not preserved in the archive]

my only guess is a specific packer is calling out as the three samples are all .NET.  Anyway sig below:

alert udp $HOME_NET any -> any 53 (msg:"Suspicious DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00 02 ca b1 03 6f 72 67 00|"; fast_pattern:only; classtype:trojan-activity; sid:XXXXXX; rev:1; metadata:created_at 2018_07_31;)

if someone has any more insight I'd love to know what this really is.  Thank you.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

