[Snort-sigs] Andr.Trojan.Agent

Y M snort at ...3751...
Fri Feb 10 04:06:05 EST 2017


Hello,


The original .apk in this one downloaded 32 files including .elf, .jar, .zip, and even scripts, which in turn downloaded other files to the device. Eventually the device/emulator crashed. It contacted 47 unique domains/IP addresses.

The signatures below are focused on the main actions of the original sample.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000816; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000817; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000818; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000819; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000820; rev:1;)

Thank you.
YM
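Added example, not part of the original post and not Snort code: a small Python emulation of how the five rules above pick apart an HTTP request. It models http_method, http_uri, http_header and http_client_body as separate buffers and treats every http_client_body content after the first as distance:0 relative to the previous match (sids 1000819 and 1000820 are modeled with that full ordered chain on their last content). The sample requests, the hostname and all parameter values are constructed for the demonstration. The reordered POST shows what the distance:0 chain buys: the same fields in a different order do not match sid 1000816.

```python
"""Emulate the buffer and ordered-content logic of the Andr.Trojan.Agent rules.

Added example (not the poster's code, not Snort). Sample requests below are
constructed; the host c2.example.invalid and all values are invented.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    sid: int
    msg: str
    method: Optional[bytes] = None      # content:"..."; http_method
    uri: Optional[bytes] = None         # content:"..."; http_uri
    header: Optional[bytes] = None      # content:"..."; http_header
    body_chain: List[bytes] = field(default_factory=list)  # http_client_body contents


RULES = [
    Rule(1000816, "report device info", b"POST", b"/cget.do", None,
         [b"uuid=", b"&ver=", b"&a_have=", b"&mac=", b"&sysver="]),
    Rule(1000817, "Ray-Downer user-agent", None, None,
         b"User-Agent: Ray-Downer\r\n", []),          # |3A 20| ... |0D 0A|
    Rule(1000818, "download tools request", b"POST", b"/gettools.do", None,
         [b"gcc=", b"&model=", b"&apiLevel=", b"&sysver=", b"&imei=",
          b"&abi=", b"&mac="]),
    Rule(1000819, "report file to download", b"POST", b"/msg.do", None,
         [b"msg=", b"&code=", b"&uuid="]),
    Rule(1000820, "report APK and process name", b"POST", b"/setwatch.do", None,
         [b"uuid=", b"&pkgName=", b"&processName="]),
]


def split_request(raw: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """Return (method, uri, headers, body) for one HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = b"\r\n".join(lines[1:]) + b"\r\n"
    return method, uri, headers, body


def chain_matches(buf: bytes, chain: List[bytes]) -> bool:
    """Ordered chain: the first content is unanchored, every later one is
    distance:0, i.e. must begin at or after the end of the previous match.
    Taking the earliest hit for each content is optimal, so no backtracking."""
    pos = 0
    for token in chain:
        idx = buf.find(token, pos)
        if idx < 0:
            return False
        pos = idx + len(token)
    return True


def rule_fires(rule: Rule, raw: bytes) -> bool:
    method, uri, headers, body = split_request(raw)
    if rule.method is not None and method != rule.method:
        return False
    if rule.uri is not None and rule.uri not in uri:
        return False
    if rule.header is not None and rule.header not in headers:
        return False
    return chain_matches(body, rule.body_chain)


def matching_sids(raw: bytes) -> List[int]:
    return [r.sid for r in RULES if rule_fires(r, raw)]


# Constructed requests (invented host and values).
CHECKIN = (b"POST /cget.do HTTP/1.1\r\nHost: c2.example.invalid\r\n"
           b"User-Agent: Ray-Downer\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"uuid=0123abcd&ver=1.0&a_have=0&mac=00:11:22:33:44:55&sysver=4.4.2")
# Same fields, different order: the distance:0 chain fails, and a stock
# User-Agent keeps sid 1000817 quiet as well.
REORDERED = (b"POST /cget.do HTTP/1.1\r\nHost: c2.example.invalid\r\n"
             b"User-Agent: Dalvik/2.1.0\r\n\r\n"
             b"uuid=0123abcd&mac=00:11:22:33:44:55&ver=1.0&a_have=0&sysver=4.4.2")
GETTOOLS = (b"POST /gettools.do HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            b"User-Agent: Dalvik/2.1.0\r\n\r\n"
            b"gcc=1&model=sdk&apiLevel=19&sysver=4.4.2&imei=000000000000000"
            b"&abi=armeabi-v7a&mac=00:11:22:33:44:55")
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
          b"User-Agent: Dalvik/2.1.0\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("CHECKIN", CHECKIN), ("REORDERED", REORDERED),
                      ("GETTOOLS", GETTOOLS), ("BENIGN", BENIGN)]:
        print(name, matching_sids(req))
```

The chain is only an approximation of Snort's content matcher (no normalization, no pcre, no flow tracking), but it is enough to check a candidate rule's field ordering against captured requests before loading it into a sensor.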