alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware CnC Checkin"; http.method; content:"POST"; http.uri; content:"|2f|key|2f|"; http.host; content:"karen|2e|"; startswith; fast_pattern; http.user_agent; content:"Go|2d|http|2d|client"; http.request_body; content:"id|3d|"; startswith; content:"|2d|"; distance:8; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|26|key|3d|"; distance:12; within:5; isdataat:!513,relative; pcre:"/id\x3d[a-z0-9]{8}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{12}\x26key\x3d[a-z0-9]{512}/"; http.header_names; content:!"Referer"; reference:md5,f155ec35d67f746593ce8cc4e64d33e5; reference:url,twitter.com/fbgwls245/status/1427610307283677186; classtype:trojan-activity; sid:2033772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, confidence High, signature_severity Major, tag Ransomware, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_23, reviewed_at 2024_06_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)