A Zeek Based STRRAT Malware Detector
This is a Zeek Spicy-based STRRAT malware detector.
PCAP
Example Output
% zeek -Cr strrat-4423258f-59bc-4a88-bfec-d8ac08c88538.pcap zeek-strrat-detector
% cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2024-03-07-10-42-56
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1709664364.822047 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664371.522546 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|2 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664376.710978 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664381.522421 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|2 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664386.522601 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|1 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664391.522645 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|VHJhbnNhY3Rpb24gd2l0aCBSZWZlcmVuY2U=|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664396.522605 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664401.698316 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|3 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664406.522376 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|8 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664411.701275 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|13 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664416.522541 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|18 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664421.522582 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|23 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664426.522543 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664431.522610 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|2 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664436.522502 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664441.522741 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664446.522456 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664451.523442 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664456.707135 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664464.707113 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664466.522505 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664471.522655 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664476.522622 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|1 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664481.522594 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664486.522380 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664491.522465 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|1 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664496.522438 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664501.522813 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|1 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664506.522775 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|U2VsZWN0IFdpbmRvd3MgUG93ZXJTaGVsbA==|1.6|DE:Germany|Not Installed|Not Idle 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664511.522341 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|1 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664517.522529 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|3 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664521.710039 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|8 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664526.522818 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|13 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664531.522596 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|18 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664536.522366 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|23 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1709664541.522567 Cgemrk320YLbiOonOd 192.168.100.11 49227 185.255.114.40 8219 - - - tcp STRRAT::C2_Traffic_Observed Potential STRRAT C2 between source 192.168.100.11 and dest 185.255.114.40 with is_orig T and payload in the sub field. ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|28 Sec 192.168.100.11 185.255.114.40 8219 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2024-03-07-10-42-56
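Triaging a notice.log like the one above, as an added example that is not part of this repository: it reads Zeek's TSV header, keeps the STRRAT::C2_Traffic_Observed notices, splits the pipe-delimited beacon carried in the sub field and decodes its base64 element. The beacon field names and the sample records are this example's assumptions, constructed from the output shown above.

```python
import base64
import binascii
from typing import Dict, Iterator, List, Optional

FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto "
          "note msg sub src dst p n peer_descr actions email_dest suppress_for "
          "remote_location.country_code remote_location.region remote_location.city "
          "remote_location.latitude remote_location.longitude").split()  # notice.log header above
# Beacon field names: this example's assumption, read off the sample values above, not a published spec.
BEACON_FIELDS = ["cmd", "family", "bot_id", "hostname", "username", "os", "arch",
                 "av", "b64_text", "version", "geo", "field12", "idle"]
def parse_beacon(sub: str) -> Optional[Dict[str, str]]:
    """Split a 'ping|STRRAT|...' beacon into named fields; None if the shape is wrong."""
    parts = sub.split("|")
    if len(parts) != len(BEACON_FIELDS) or parts[:2] != ["ping", "STRRAT"]:
        return None
    beacon = dict(zip(BEACON_FIELDS, parts))
    try:  # strict decode; malformed base64 must not break triage of the other fields
        beacon["b64_decoded"] = base64.b64decode(beacon["b64_text"], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        beacon["b64_decoded"] = ""
    return beacon

def parse_notice_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def strrat_beacons(text: str) -> List[Dict[str, str]]:
    """Flatten STRRAT notices into victim / C2 / bot id / decoded-text rows for triage."""
    rows = []
    for rec in parse_notice_log(text):
        beacon = parse_beacon(rec.get("sub", ""))
        if rec.get("note") == "STRRAT::C2_Traffic_Observed" and beacon is not None:
            rows.append({"victim": rec["id.orig_h"], "c2": f"{rec['id.resp_h']}:{rec['id.resp_p']}",
                         "bot_id": beacon["bot_id"], "host": beacon["hostname"],
                         "idle": beacon["idle"], "decoded": beacon["b64_decoded"]})
    return rows
def _record(ts: str, sub: str) -> str:  # constructed record in the 26-column order of FIELDS
    return "\t".join([ts, "Cgemrk320YLbiOonOd", "192.168.100.11", "49227", "185.255.114.40",
                      "8219", "-", "-", "-", "tcp", "STRRAT::C2_Traffic_Observed",
                      "Potential STRRAT C2", sub, "192.168.100.11", "185.255.114.40", "8219",
                      "-", "-", "Notice::ACTION_LOG", "(empty)", "3600.000000"] + ["-"] * 5)

PREFIX = "ping|STRRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional|32-bit|nan-av|"
SAMPLE_LOG = "\n".join([  # constructed sample: header plus three records, the last not a beacon
    "#fields\t" + "\t".join(FIELDS),
    _record("1709664364.822047", PREFIX + "V2luZG93cyBQb3dlclNoZWxs|1.6|DE:Germany|Not Installed|Not Idle"),
    _record("1709664391.522645", PREFIX + "VHJhbnNhY3Rpb24gd2l0aCBSZWZlcmVuY2U=|1.6|DE:Germany|Not Installed|2 Sec"),
    _record("1709664401.698316", "ping|OTHER|wrong shape, must be skipped")])
```

Running `strrat_beacons` over a real notice.log gives one row per beacon, so repeated rows for the same victim and bot_id show the beacon cadence while the decoded column shows what the base64 element carried.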