
Rule History

SID: 2051004 • Source: et/open

Versions (3)

Version Details (Current)

Rev: 1 (Feb 21, 2024, 12:00 PM)

ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"cpp-httplib"; startswith; http.request_body; content:"|7b 22|"; startswith; content:"remoteconfig"; depth:1000; fast_pattern; content:"version"; depth:1000; content:"activewindow"; depth:1000; content:"runtime"; depth:1000; content:"type"; depth:1000; content:"pool"; depth:1000; content:"port"; depth:1000; content:"algo"; depth:1000; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,cba68dc8a2c46d8b4b6cb945e095657a; reference:url,app.any.run/tasks/3cdc58f1-33aa-4898-8a0a-25c1fb2c7034; reference:url,x.com/Jane_0sint/status/1760278859960741917; reference:url,community.emergingthreats.net/t/silentcryptominer; classtype:coin-mining; sid:2051004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_02_21, deployment Perimeter, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_21;)

Feb 21, 2024, 12:00 PM


Feb 21, 2024, 9:01 PM

Aug 14, 2025, 9:34 PM

rules/emerging-malware.rules