Snort mailing list archives

Andr.Trojan.Agent


From: Y M <snort () outlook com>
Date: Fri, 10 Feb 2017 09:06:05 +0000

Hello,


The original .apk in this one downloaded 32 files including .elf, .jar, .zip, and even scripts, which in turn 
downloaded other files to the device. Eventually the device/emulator crashed. It contacted 47 unique domains/IP 
addresses.

The signatures below are focused on the main actions of the original sample.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000816; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000817; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000818; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000819; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000820; rev:1;)

Thank you.
YM
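The rules above rely on ordered `content` matches chained with `distance:0` inside the `http_client_body` buffer, so the beacon is only flagged when the form parameters appear in the exact order the sample sends them. The following script is an added illustration, not part of the original post and not Snort code: it emulates that matching logic in Python and runs it over constructed HTTP requests (hostnames, UUIDs, MAC addresses and the Dalvik user-agent string are all made up for the example) to show which requests would fire which sid and why a reordered body does not.

```python
"""Emulate the Snort matching logic of the Andr.Trojan.Agent rules above.

Added example; not the original rules and not Snort itself.  Assumes plain
HTTP/1.1 requests as bytes.  All sample requests below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    sid: int
    msg: str
    method: Optional[str] = None        # http_method
    uri: Optional[str] = None           # http_uri (substring match)
    header: Optional[bytes] = None      # http_header (exact bytes, |3A 20| etc. expanded)
    body_chain: List[bytes] = field(default_factory=list)  # http_client_body, distance:0 chain


# Same sids, URIs, header bytes and parameter order as the posted rules.
RULES = [
    Rule(1000816, "report device info", "POST", "/cget.do",
         body_chain=[b"uuid=", b"&ver=", b"&a_have=", b"&mac=", b"&sysver="]),
    Rule(1000817, "known malicious user-agent Ray-Downer",
         header=b"User-Agent: Ray-Downer\r\n"),
    Rule(1000818, "download tools request", "POST", "/gettools.do",
         body_chain=[b"gcc=", b"&model=", b"&apiLevel=", b"&sysver=",
                     b"&imei=", b"&abi=", b"&mac="]),
    Rule(1000819, "report file to download", "POST", "/msg.do",
         body_chain=[b"msg=", b"&code=", b"&uuid="]),
    Rule(1000820, "report APK and process name", "POST", "/setwatch.do",
         body_chain=[b"uuid=", b"&pkgName=", b"&processName="]),
]


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _ = request_line.split(b" ", 2)
    # Re-append the CRLF the partition stripped so the last header still
    # ends with |0D 0A|, as Snort's header buffer does.
    return method.decode(), uri.decode(), headers + b"\r\n", body


def chain_matches(buf: bytes, chain: List[bytes]) -> bool:
    """content + distance:0 semantics: each pattern must start at or after
    the end of the previous match, so parameter order matters."""
    pos = 0
    for pat in chain:
        idx = buf.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def matching_sids(raw: bytes) -> List[int]:
    """Return the sids of every rule that would alert on this request."""
    method, uri, headers, body = parse_request(raw)
    hits = []
    for r in RULES:
        if r.method and method != r.method:
            continue
        if r.uri and r.uri not in uri:
            continue
        if r.header and r.header not in headers:
            continue
        if r.body_chain and not chain_matches(body, r.body_chain):
            continue
        hits.append(r.sid)
    return hits


# Constructed samples (not captured traffic).
SAMPLE_CNC = (
    b"POST /cget.do HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"User-Agent: Ray-Downer\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"uuid=0000-0000&ver=1&a_have=0&mac=00:11:22:33:44:55&sysver=4.4"
)
# Same parameters, different order: the distance:0 chain does not match.
SAMPLE_REORDERED = (
    b"POST /cget.do HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"User-Agent: Dalvik/2.1.0 (constructed)\r\n\r\n"
    b"uuid=0000-0000&sysver=4.4&ver=1&a_have=0&mac=00:11:22:33:44:55"
)
SAMPLE_SETWATCH = (
    b"POST /setwatch.do HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"User-Agent: Dalvik/2.1.0 (constructed)\r\n\r\n"
    b"uuid=0000-0000&pkgName=com.example.app&processName=com.example.app:svc"
)
SAMPLE_BENIGN = (
    b"POST /login.do HTTP/1.1\r\nHost: www.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n\r\n"
    b"user=alice&pass=secret"
)

if __name__ == "__main__":
    for name, req in [("cnc", SAMPLE_CNC), ("reordered", SAMPLE_REORDERED),
                      ("setwatch", SAMPLE_SETWATCH), ("benign", SAMPLE_BENIGN)]:
        print(f"{name:10s} -> {matching_sids(req)}")
```

The reordered sample is the caveat worth keeping in mind when tuning these: a variant that emits the same fields in a different order slips past the chained match, so if broader coverage is wanted the `distance:0` chain can be relaxed at the cost of more work per packet.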
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs