alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content:"jndj="; fast_pattern; content:!"&ncm="; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022037; rev:3; metadata:created_at 2015_11_05, malware_family JS_Nemucod_M_gen, signature_severity Major, updated_at 2020_06_09;)