alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SysJoker Retrieving CnC Information (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uc?id="; startswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"WinHttpClient"; bsize:13; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Referer"; http.host; content:"drive.google.com"; fast_pattern; bsize:16; reference:md5,53f1bb23f670d331c9041748e7e8e396; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034922; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_14;)