Versions (5)
Version DetailsCurrent
Rev: 2 • Oct 19, 2021, 12:00 PMET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"IP retriever"; fast_pattern; bsize:12; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/; reference:md5,fbf7ba464d564dbf42699c34b239b73a; classtype:trojan-activity; sid:2034230; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, deprecation_reason Relevance, malware_family Win32_JSWORM, confidence High, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_07, reviewed_at 2023_08_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
Oct 19, 2021, 12:00 PM
Nov 7, 2023, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 8, 2025, 9:34 PM
rules/emerging-malware.rules