Rule Category

MALWARE-CNC -- Snort has detected a Command and Control (CNC) rule violation, most likely for commands and calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.

Alert Message

MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt

Rule Explanation

This event is generated when a client system tries to download a GhostPuppet malicious document.

Impact: A Network Trojan was detected

Details: Malicious HWP

IOCs (SHA-256):

089d368dfb814274883927ceca1335e1672766af8160ac5d493ff57e4617a892
349b8afa3a1daf495e7178b563a7de3f58d6c63140d042cc08be5770d03bd8f5
3cde54dce88a4544bf5ffa36066a184958d4ff74c2e0ce32fdbf91729c0f574e
485f77e5d32de5dc05510743025a75af5b6f714e930e22098490b7afb71b737f
4a17324aa55f5353ecd38f34e06e246e971e36ec1bb5180ae8218a59b035f462
596fbdf01557c3ec89b345c57ae5d9a0b7251dd8d5a707f7353dd733274c6eb6
862250f9b50e46276043715ea32236bd8bb4b875213d83c14f2dcd79854847c6
8e0f0cc87b9d80e5928cf19fe273cde28978ec31b3115f978fa8de2723d470a5
9c3221dfc49b159f032eda70e8cb207c60e73ea5f51f9ddc90629292deacf90c
a299bdc3fc07def4b0d5a409484f4717884a78749796960a560a9b30fab2435b
a9d579819370e860ece7890c3490cde17a41f56a63452066c67799191b1ac0ef
bf1eb0d3601ec35e4419d43d1610e07f0c1a7ae72e36fa8b8846166333a44f2f
c68e996fb9021bb7c316d9d5f9dad9251ec91989152f8908a5ccf1f7e2f581df
cfaff9d2130794ca4d548615bcc19abfaae388f042f306b898399594833c41ee
d30cb50641ff79fa059fbf1950047d2e34eb3e9ee7b5ff5cced0912160d3edb9
e498630abe9a91485ba42698a35c2a0d8e13fe5cccde65479bf3033c45e7d431

Ease of Attack:
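The hash list above is the part of this rule page an analyst reuses outside Snort, for example to triage a document that was downloaded before the alert fired. The following script is an added example and is not Cisco Talos code: it parses the IOC text as it appears on the page (each hash listed twice), de-duplicates it, and classifies a file by SHA-256 match and by HWP container signature. The HWP magic checks (OLE compound-file header for HWP 5.x, the "HWP Document File" string for HWP 3.x) and the sample bytes in the test are assumptions constructed for the example, not values from the rule page.

```python
import hashlib
import re
import sys

# IOC text copied from the rule page in the form it was published: each SHA-256
# appears twice on the page, so the parser below must de-duplicate.
RAW_IOC_TEXT = """
089d368dfb814274883927ceca1335e1672766af8160ac5d493ff57e4617a892 089d368dfb814274883927ceca1335e1672766af8160ac5d493ff57e4617a892
349b8afa3a1daf495e7178b563a7de3f58d6c63140d042cc08be5770d03bd8f5 349b8afa3a1daf495e7178b563a7de3f58d6c63140d042cc08be5770d03bd8f5
3cde54dce88a4544bf5ffa36066a184958d4ff74c2e0ce32fdbf91729c0f574e 3cde54dce88a4544bf5ffa36066a184958d4ff74c2e0ce32fdbf91729c0f574e
485f77e5d32de5dc05510743025a75af5b6f714e930e22098490b7afb71b737f 485f77e5d32de5dc05510743025a75af5b6f714e930e22098490b7afb71b737f
4a17324aa55f5353ecd38f34e06e246e971e36ec1bb5180ae8218a59b035f462 4a17324aa55f5353ecd38f34e06e246e971e36ec1bb5180ae8218a59b035f462
596fbdf01557c3ec89b345c57ae5d9a0b7251dd8d5a707f7353dd733274c6eb6 596fbdf01557c3ec89b345c57ae5d9a0b7251dd8d5a707f7353dd733274c6eb6
862250f9b50e46276043715ea32236bd8bb4b875213d83c14f2dcd79854847c6 862250f9b50e46276043715ea32236bd8bb4b875213d83c14f2dcd79854847c6
8e0f0cc87b9d80e5928cf19fe273cde28978ec31b3115f978fa8de2723d470a5 8e0f0cc87b9d80e5928cf19fe273cde28978ec31b3115f978fa8de2723d470a5
9c3221dfc49b159f032eda70e8cb207c60e73ea5f51f9ddc90629292deacf90c 9c3221dfc49b159f032eda70e8cb207c60e73ea5f51f9ddc90629292deacf90c
a299bdc3fc07def4b0d5a409484f4717884a78749796960a560a9b30fab2435b a299bdc3fc07def4b0d5a409484f4717884a78749796960a560a9b30fab2435b
a9d579819370e860ece7890c3490cde17a41f56a63452066c67799191b1ac0ef a9d579819370e860ece7890c3490cde17a41f56a63452066c67799191b1ac0ef
bf1eb0d3601ec35e4419d43d1610e07f0c1a7ae72e36fa8b8846166333a44f2f bf1eb0d3601ec35e4419d43d1610e07f0c1a7ae72e36fa8b8846166333a44f2f
c68e996fb9021bb7c316d9d5f9dad9251ec91989152f8908a5ccf1f7e2f581df c68e996fb9021bb7c316d9d5f9dad9251ec91989152f8908a5ccf1f7e2f581df
cfaff9d2130794ca4d548615bcc19abfaae388f042f306b898399594833c41ee cfaff9d2130794ca4d548615bcc19abfaae388f042f306b898399594833c41ee
d30cb50641ff79fa059fbf1950047d2e34eb3e9ee7b5ff5cced0912160d3edb9 d30cb50641ff79fa059fbf1950047d2e34eb3e9ee7b5ff5cced0912160d3edb9
e498630abe9a91485ba42698a35c2a0d8e13fe5cccde65479bf3033c45e7d431 e498630abe9a91485ba42698a35c2a0d8e13fe5cccde65479bf3033c45e7d431
"""

# A SHA-256 hex digest is exactly 64 hex characters; word boundaries keep the
# regex from matching inside longer hex runs.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Container signatures (assumed for this example): HWP 5.x documents are OLE2
# compound files; HWP 3.x documents start with a plain-text signature string.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HWP3_MAGIC = b"HWP Document File"


def parse_iocs(text: str) -> list[str]:
    """Return the SHA-256 digests found in text, lower-cased, in order of first
    appearance, with repeats dropped."""
    seen: set[str] = set()
    ordered: list[str] = []
    for match in SHA256_RE.finditer(text):
        digest = match.group(0).lower()
        if digest not in seen:
            seen.add(digest)
            ordered.append(digest)
    return ordered


GHOSTPUPPET_IOCS = frozenset(parse_iocs(RAW_IOC_TEXT))


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory file body."""
    return hashlib.sha256(data).hexdigest()


def is_known_ioc(digest: str) -> bool:
    """Case-insensitive lookup of a digest against the rule page's IOC set."""
    return digest.lower() in GHOSTPUPPET_IOCS


def looks_like_hwp(data: bytes) -> bool:
    """Cheap container check: does the body carry an HWP 5.x or 3.x signature?"""
    return data.startswith(OLE2_MAGIC) or data.startswith(HWP3_MAGIC)


def classify_blob(data: bytes) -> dict:
    """Triage verdict for one file body. A hash match is a confirmed hit; an
    HWP signature without a hash match only says the file type is consistent
    with the rule's 'Malicious HWP' detail and deserves a closer look."""
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "ghostpuppet_match": is_known_ioc(digest),
        "looks_like_hwp": looks_like_hwp(data),
    }


if __name__ == "__main__":
    # Usage: python triage.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = classify_blob(fh.read())
        print(path, verdict)
```

Hash matching is exact-match only: a re-saved or slightly modified lure produces a different digest, which is why the rule page lists network-level detection alongside the file hashes, and why the script reports the container type separately from the IOC hit rather than folding both into one boolean.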

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Additional Links

Rule Vulnerability

CVE Additional Information