Snort mailing list archives
Andr.Trojan.Agent
From: Y M <snort () outlook com>
Date: Fri, 10 Feb 2017 09:06:05 +0000
Hello,

The original .apk in this one downloaded 32 files including .elf, .jar, .zip, and even scripts, which in turn downloaded other files to the device. Eventually the device/emulator crashed. It contacted 47 unique domains/IP addresses. The signatures below are focused on the main actions of the original sample.

# Device-info report: POST to /cget.do with uuid, ver, a_have, mac and sysver fields, in that order, in the body
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000816; rev:1;)

# Known-bad User-Agent string sent by the sample (matched as the full header line, CRLF included)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000817; rev:1;)

# Tool-download request: POST to /gettools.do with gcc, model, apiLevel, sysver, imei, abi and mac fields, in that order, in the body
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000818; rev:1;)

# Download report: POST to /msg.do with msg, code and uuid fields, in that order, in the body
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000819; rev:1;)

# APK and process name report: POST to /setwatch.do with uuid, pkgName and processName fields, in that order, in the body
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000820; rev:1;)

Thank you.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
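The five signatures above chain their body fields with `distance:0` and bind each `content` to an HTTP buffer, so a request that carries the right keys in a different order, or the same body in a GET, does not fire. The script below is an added example, not code from the original post, from Snort or from the sample: it parses the rule options these signatures actually use (content with `|hex|` escapes, `http_method`/`http_uri`/`http_header`/`http_client_body`, `distance:0`) and evaluates them against constructed requests. The requests, the `c2.example.invalid` host and the field values are made up; `fast_pattern:only` contents are treated as ordinary contents, and the trailing body contents of sids 1000819 and 1000820 are bound to `http_client_body` like their siblings, which is assumed to be the intent.

```python
"""Apply the Snort 2 signatures from the post to constructed HTTP requests.
Added example: not code from the original post, from Snort or from the sample.
Only the options these rules use (content, http_* buffers, distance:0) are modelled."""
import re
from dataclasses import dataclass
from typing import Dict, List

# The five signatures, with reference/metadata options dropped (the evaluator
# ignores them).  Trailing body contents of sids 1000819 and 1000820 are bound
# to http_client_body like their siblings; that binding is an assumption.
RULES_TEXT = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; classtype:trojan-activity; sid:1000816; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; classtype:trojan-activity; sid:1000817; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; classtype:trojan-activity; sid:1000818; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; classtype:trojan-activity; sid:1000819; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; classtype:trojan-activity; sid:1000820; rev:1;)',
]

# key[:value];  where value is either a double-quoted string or runs up to the next ';'
_OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')

def decode_content(text: str) -> bytes:
    """Snort content string (quotes already stripped) -> bytes; |..| runs are hex."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

@dataclass
class Content:
    pattern: bytes
    buffer: str = "raw"       # http_method / http_uri / http_header / http_client_body
    relative: bool = False    # distance:0 -> search starts where the previous content ended

@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Content]

def parse_rule(rule: str) -> Rule:
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    sid, msg, contents = 0, "", []
    for m in _OPT_RE.finditer(opts):
        key, val = m.group(1), m.group(2)
        if key == "content":
            contents.append(Content(decode_content(val.strip('"'))))
        elif key in ("http_method", "http_uri", "http_header", "http_client_body"):
            contents[-1].buffer = key        # a buffer modifier binds the preceding content
        elif key == "distance":
            contents[-1].relative = True     # these rules only ever use distance:0
        elif key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val.strip('"')
    return Rule(sid, msg, contents)

@dataclass
class Request:
    buffers: Dict[str, bytes]

    @classmethod
    def parse(cls, raw: bytes) -> "Request":
        head, _, body = raw.partition(b"\r\n\r\n")
        request_line, _, headers = head.partition(b"\r\n")
        method, uri, _ = request_line.split(b" ", 2)
        return cls({"raw": raw, "http_method": method, "http_uri": uri,
                    "http_header": headers + b"\r\n",   # header lines, each CRLF-terminated
                    "http_client_body": body})

def rule_matches(rule: Rule, req: Request) -> bool:
    """Walk the content chain in order.  fast_pattern:only contents are treated as
    ordinary contents: the fast-pattern stage still needs those bytes in that buffer."""
    last_end = 0
    for c in rule.contents:
        idx = req.buffers[c.buffer].find(c.pattern, last_end if c.relative else 0)
        if idx < 0:
            return False
        last_end = idx + len(c.pattern)
    return True

RULES = [parse_rule(r) for r in RULES_TEXT]

def matching_sids(raw_request: bytes) -> List[int]:
    req = Request.parse(raw_request)
    return [r.sid for r in RULES if rule_matches(r, req)]

def beacon(uri: str, body: str, ua: str = "Dalvik/2.1.0", method: str = "POST") -> bytes:
    """Constructed request (sample traffic, not a capture); the host is a placeholder."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: {ua}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

SAMPLES = {   # constructed inputs; field values are made up
    "cget": beacon("/cget.do", "uuid=1&ver=2&a_have=0&mac=00:11:22:33:44:55&sysver=19"),
    "ua": beacon("/update", "", ua="Ray-Downer"),
    "gettools": beacon("/gettools.do", "gcc=1&model=sdk&apiLevel=19&sysver=4.4&imei=0&abi=armeabi&mac=0"),
    "msg": beacon("/msg.do", "msg=ok&code=0&uuid=1"),
    "setwatch": beacon("/setwatch.do", "uuid=1&pkgName=com.example.app&processName=com.example.app"),
    # same keys as "cget" in a different order: the distance:0 chain does not match
    "cget_reordered": beacon("/cget.do", "ver=2&uuid=1&a_have=0&mac=0&sysver=19"),
    # same URI and body sent as a GET: content:"POST"; http_method; does not match
    "cget_get": beacon("/cget.do", "uuid=1&ver=2&a_have=0&mac=0&sysver=19", method="GET"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} -> {matching_sids(raw)}")
```

The two negative samples are the point: because every body field after the first carries `distance:0`, the rule encodes the exact field order the sample emits, which keeps the signatures tight but means a variant that reorders its POST fields will need a revision. Testing a candidate rule against such near-misses before submitting it is cheap with a harness like this; the real check is still running the rule through Snort against the pcap.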
Current thread:
- Andr.Trojan.Agent Y M (Feb 10)
- Re: Andr.Trojan.Agent Tyler Montier (Feb 10)