Snort mailing list archives
Re: Andr.Trojan.Agent
From: Tyler Montier <tmontier () sourcefire com>
Date: Fri, 10 Feb 2017 10:06:00 -0500
Dear Yaser,

Thanks for your submission. We will review and test the rules and get back to you when they're finished. Do you have any pcaps of the traffic available?

Sincerely
Tyler Montier
Cisco Talos

On Fri, Feb 10, 2017 at 4:06 AM, Y M <snort () outlook com> wrote:
Hello,

The original .apk in this one downloaded 32 files including .elf, .jar, .zip, and even scripts, which in turn downloaded other files to the device. Eventually the device/emulator crashed. It contacted 47 unique domains/IP addresses. The signatures below are focused on the main actions of the original sample.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000816; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000817; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000818; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000819; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000820; rev:1;)

Thank you.
YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
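The submitted rules can be sanity-checked offline even before a pcap is available, by emulating the buffer checks they make. The script below is an added example, not code from the post, from YM or from Talos: it models the http_method, http_uri and http_header checks plus the ordered http_client_body chain (each content after the first carries distance:0, so it must start at or after the end of the previous match), and runs the five rules over HTTP requests constructed here. The host name, the field values and the "Dalvik" user-agent in the benign request are assumptions; no real traffic from the sample was used.

```python
# Added example (not from the Snort-sigs post): emulate the Snort 2.x
# content/modifier logic the submitted rules rely on and run the five rules
# over constructed HTTP requests. All traffic below is constructed, not captured.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Request:
    method: bytes
    uri: bytes
    headers: bytes   # raw header block, every line CRLF-terminated (http_header)
    body: bytes      # request body (http_client_body)


@dataclass
class Rule:
    sid: int
    msg: str
    method: Optional[bytes] = None    # content:"..."; http_method
    uri: Optional[bytes] = None       # content:"..."; fast_pattern:only; http_uri
    header: Optional[bytes] = None    # content:"..."; http_header
    body_chain: List[bytes] = field(default_factory=list)  # http_client_body contents, later ones with distance:0


# The five rules from the post, reduced to the buffer checks they perform.
RULES = [
    Rule(1000816, "report device info", b"POST", b"/cget.do", None,
         [b"uuid=", b"&ver=", b"&a_have=", b"&mac=", b"&sysver="]),
    Rule(1000817, "user-agent Ray-Downer", None, None, b"User-Agent: Ray-Downer\r\n", []),
    Rule(1000818, "download tools request", b"POST", b"/gettools.do", None,
         [b"gcc=", b"&model=", b"&apiLevel=", b"&sysver=", b"&imei=", b"&abi=", b"&mac="]),
    Rule(1000819, "report file to download", b"POST", b"/msg.do", None,
         [b"msg=", b"&code=", b"&uuid="]),
    Rule(1000820, "report APK and process name", b"POST", b"/setwatch.do", None,
         [b"uuid=", b"&pkgName=", b"&processName="]),
]


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.x request into the buffers the HTTP inspector exposes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return Request(method, uri, headers + b"\r\n", body)


def body_chain_matches(body: bytes, chain: List[bytes]) -> bool:
    """The first content may sit anywhere; each later one has distance:0, so it
    must begin at or after the end of the previous match (relative search)."""
    pos = 0
    for needle in chain:
        idx = body.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def rule_fires(rule: Rule, req: Request) -> bool:
    if rule.method is not None and rule.method not in req.method:
        return False
    if rule.uri is not None and rule.uri not in req.uri:
        return False
    if rule.header is not None and rule.header not in req.headers:
        return False
    return body_chain_matches(req.body, rule.body_chain)


def fired_sids(raw: bytes) -> List[int]:
    """Return the sorted SIDs that fire on one raw request."""
    req = parse_request(raw)
    return sorted(r.sid for r in RULES if rule_fires(r, req))


def http_post(uri: bytes, user_agent: bytes, body: bytes) -> bytes:
    """Build a constructed POST; the host name is hypothetical."""
    head = [b"POST " + uri + b" HTTP/1.1",
            b"Host: c2.example.invalid",
            b"User-Agent: " + user_agent,
            b"Content-Type: application/x-www-form-urlencoded",
            b"Content-Length: " + str(len(body)).encode()]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


# Constructed traffic: field names follow the rules, every value is made up.
BEACON = http_post(b"/cget.do", b"Ray-Downer",
                   b"uuid=0000&ver=1.0&a_have=0&mac=00:11:22:33:44:55&sysver=4.4.2")
# Same fields in a different order: the distance:0 chain of sid 1000816 must not match.
REORDERED = http_post(b"/cget.do", b"Ray-Downer",
                      b"ver=1.0&uuid=0000&a_have=0&mac=00:11:22:33:44:55&sysver=4.4.2")
TOOLS = http_post(b"/gettools.do", b"Ray-Downer",
                  b"gcc=1&model=sdk&apiLevel=19&sysver=4.4.2&imei=000&abi=armeabi&mac=00:11:22:33:44:55")
# An ordinary form post to the same path with a stock-looking UA and no C2 fields.
BENIGN = http_post(b"/cget.do", b"Dalvik/1.6.0 (Linux; U; Android 4.4.2)", b"q=hello")

if __name__ == "__main__":
    for name, raw in (("BEACON", BEACON), ("REORDERED", REORDERED),
                      ("TOOLS", TOOLS), ("BENIGN", BENIGN)):
        print(name, fired_sids(raw))
```

This only models the content logic: the real HTTP inspector normalizes the URI and header buffers, and fast_pattern:only changes how the multi-pattern matcher is driven, not what the rule accepts. It is enough to confirm what the REORDERED case shows, namely that the field order encoded by the distance:0 chain has to be the order the sample actually sends, which is exactly the detail a pcap of the traffic would settle.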
Current thread:
- Andr.Trojan.Agent Y M (Feb 10)
- Re: Andr.Trojan.Agent Tyler Montier (Feb 10)