Running a massive number of malware samples in a sandbox gives an analyst the ability to easily find suspicious network traffic between infected machines and their C2 domains. With the help of parsers and app rules, you can parse that traffic and filter it based on the different artifacts found in those sessions.
Today, a new suspicious network pattern was present in one of our reports
So far, we see two different sessions with similar and suspicious network behavior, the infected machine connects to the server using its IP address and not a hostname. The directories extracted from the HTTP sessions are very long and random looking. Also, the filenames in the sessions don’t have an extension.
Moving from the reporter module in SA to the investigator module, we can learn more about the traffic. For example, all the requests from the infected machine to the server are POST requests. In addition, the length of the directory names varies from one session to another with the minimum length being 40 characters.
Currently, VirusTotal has an average detection ratio for the infector file. Most of the AV engines detect it as a YAKES variant.
To detect this network pattern on SA, you can use the following app rule
risk.info = 'http direct to ip request' && action = 'put' && extension = '<none>' && directory length 40-u
All the IOC from those sessions were added to RSA FirstWatch feeds on Live.