Snort mailing list archives

Re: Andr.Trojan.Agent


From: Tyler Montier <tmontier () sourcefire com>
Date: Fri, 10 Feb 2017 10:06:00 -0500

Dear Yaser,

Thanks for your submission. We will review and test the rules and get back
to you when they're finished.

Do you have any pcaps of the traffic available?

Sincerely,

Tyler Montier
Cisco Talos


On Fri, Feb 10, 2017 at 4:06 AM, Y M <snort () outlook com> wrote:

Hello,


The original .apk in this one downloaded 32 files including .elf, .jar,
.zip, and even scripts, which in turn downloaded other files to the device.
Eventually the device/emulator crashed. It contacted 47 unique domains/IP
addresses.

The signatures below are focused on the main actions of the original
sample.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000816; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000817; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000818; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000819; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000820; rev:1;)

Thank you.
YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to
stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
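The five rules in YM's post all use the same pattern: an http_method check, an http_uri literal, and a chain of http_client_body contents joined by distance:0, which only fires when the POST parameters appear in that exact order. The following is an added example (not part of the post and not Snort or Talos code): a plain-Python port of that matching logic, run over constructed HTTP requests so the ordering behaviour can be seen without a Snort install. The host name c2.example.invalid and every parameter value are made up, not taken from the sample.

```python
# Added example: a plain-Python port of the matching logic in the five Snort
# rules above (method, URI, ordered body contents, raw header bytes). Not part
# of the post or of any Snort/Talos code; all sample requests are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    method: Optional[bytes] = None          # content:"POST"; http_method
    uri: Optional[bytes] = None             # content:"..."; http_uri
    body_seq: Tuple[bytes, ...] = ()        # http_client_body contents, each
                                            # distance:0 from the previous one
    header: Optional[bytes] = None          # content:"..."; http_header


RULES = [
    Rule(1000816, "MALWARE-CNC Andr.Trojan.Agent report device info",
         method=b"POST", uri=b"/cget.do",
         body_seq=(b"uuid=", b"&ver=", b"&a_have=", b"&mac=", b"&sysver=")),
    Rule(1000817, "BLACKLIST User-Agent known malicious user-agent Ray-Downer",
         header=b"User-Agent: Ray-Downer\r\n"),   # |3A 20| and |0D 0A| decoded
    Rule(1000818, "MALWARE-CNC Andr.Trojan.Agent download tools request",
         method=b"POST", uri=b"/gettools.do",
         body_seq=(b"gcc=", b"&model=", b"&apiLevel=", b"&sysver=",
                   b"&imei=", b"&abi=", b"&mac=")),
    Rule(1000819, "MALWARE-CNC Andr.Trojan.Agent report file to download",
         method=b"POST", uri=b"/msg.do",
         body_seq=(b"msg=", b"&code=", b"&uuid=")),
    Rule(1000820, "MALWARE-CNC Andr.Trojan.Agent report APK and process name",
         method=b"POST", uri=b"/setwatch.do",
         body_seq=(b"uuid=", b"&pkgName=", b"&processName=")),
]


def parse_request(raw: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """Split a raw HTTP/1.x request into (method, uri, header block, body).
    The header block keeps its CRLF line endings so the |0D 0A| match works."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], headers + b"\r\n", body


def in_order(buf: bytes, seq: Tuple[bytes, ...]) -> bool:
    """Emulate chained content matches with distance:0: each pattern must be
    found at or after the end of the previous match."""
    pos = 0
    for pat in seq:
        i = buf.find(pat, pos)
        if i < 0:
            return False
        pos = i + len(pat)
    return True


def rule_matches(rule: Rule, raw: bytes) -> bool:
    method, uri, headers, body = parse_request(raw)
    if rule.method is not None and method != rule.method:
        return False
    if rule.uri is not None and rule.uri not in uri:
        return False
    if rule.header is not None and rule.header not in headers:
        return False
    return in_order(body, rule.body_seq)


def scan(raw: bytes) -> List[int]:
    """Return the sids of every rule that fires on one client request."""
    return [r.sid for r in RULES if rule_matches(r, raw)]


# Constructed sample traffic (not captured from the sample in the post).
CHECKIN = (b"POST /cget.do HTTP/1.1\r\nHost: c2.example.invalid\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"uuid=0000&ver=1&a_have=0&mac=00:11:22:33:44:55&sysver=4.4")
DOWNLOADER = (b"GET /bin/update.zip HTTP/1.1\r\nHost: c2.example.invalid\r\n"
              b"User-Agent: Ray-Downer\r\n\r\n")
# Same parameters as CHECKIN but in a different order: distance:0 chaining
# means sid 1000816 must NOT fire, which is why the parameter order matters.
REORDERED = (b"POST /cget.do HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
             b"sysver=4.4&mac=00:11:22:33:44:55&a_have=0&ver=1&uuid=0000")

if __name__ == "__main__":
    for name, req in (("CHECKIN", CHECKIN), ("DOWNLOADER", DOWNLOADER),
                      ("REORDERED", REORDERED)):
        print(name, scan(req))   # [1000816], [1000817], []
```

The REORDERED request is the case worth keeping in mind when reviewing rules of this shape: the same parameters in another order do not trigger the rule, so the chain is tight against false positives but will miss a variant that shuffles or renames a field. A pcap of the real traffic, as Tyler asks for, is what confirms the order the sample actually uses.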

