Re: base64 encoded sextorsion

2020-04-22 Thread Henrik K
On Wed, Apr 22, 2020 at 04:54:22PM -0700, John Hardin wrote:
> On Wed, 22 Apr 2020, Giovanni Bechis wrote:
>
> >On 4/22/20 5:43 PM, Henrik K wrote:
> >>
> >>I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
> >>are, will look more in depth later..
> >>
> >you have been fas

Re: base64 encoded sextorsion

2020-04-22 Thread John Hardin
On Wed, 22 Apr 2020, Giovanni Bechis wrote:
> On 4/22/20 5:43 PM, Henrik K wrote:
>> I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
>> are, will look more in depth later..
> you have been faster, I have the same diff on my tree and I was going to commit it :-)
The italic

Re: base64 encoded sextorsion

2020-04-22 Thread RW
On Wed, 22 Apr 2020 16:11:48 +0200 Brent Clark wrote:
> Good day Guys
>
> I would like to ask if someone could help write a rule for the
> following base64 encoded sextortion.
The obfuscation is the use of Unicode mathematical sans-serif characters rather than the encoding, which is automaticall

Re: base64 encoded sextorsion

2020-04-22 Thread Giovanni Bechis
On 4/22/20 5:43 PM, Henrik K wrote:
>
> I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
> are, will look more in depth later..
>
you have been faster, I have the same diff on my tree and I was going to commit it :-)
 Giovanni
> For example replace_tag A [\xf0][\x

Re: base64 encoded sextorsion

2020-04-22 Thread Henrik K
I've updated replace_tags with these 4-byte UTF-8 characters, whatever they are, will look more in depth later..
For example
replace_tag A [\xf0][\x9d][\x97][\xae]
Now your example hits at least these rules
3.6 FUZZY_BITCOIN BODY: Obfuscated "Bitcoin"
1.0 BITCOIN_EXTORT_02 Ex

Re: base64 encoded sextorsion

2020-04-22 Thread Brent Clark
I want to add, I tried this as well, and it *did* match. But it feels clunky.
https://pastebin.com/raw/7FaqnByB
Regards
Brent
On 2020/04/22 16:14, Brent Clark wrote:
Sorry in that example I copied body. I tried rawbody and body.
Regards
Brent
On 2020/04/22 16:11, Brent Clark wrote:
Good da

Re: base64 encoded sextorsion

2020-04-22 Thread Brent Clark
Sorry in that example I copied body. I tried rawbody and body.
Regards
Brent
On 2020/04/22 16:11, Brent Clark wrote:
Good day Guys
I would like to ask if someone could help write a rule for the following base64 encoded sextortion.
https://pastebin.com/raw/MWYmfkuh
I tried using rawbody. Bu

base64 encoded sextorsion

2020-04-22 Thread Brent Clark
Good day Guys
I would like to ask if someone could help write a rule for the following base64 encoded sextortion.
https://pastebin.com/raw/MWYmfkuh
I tried using rawbody. But it was proving to not work and be the right solution.
Below is me testing. i.e.
body BASESEX /8J2XrvCdmIHwnZ