[Snort-sigs] Andr.Trojan.Agent

Tyler Montier tmontier at ...435...
Fri Feb 10 10:06:00 EST 2017


Dear Yaser,

Thanks for your submission. We will review and test the rules and get back
to you when they're finished.

Do you have any pcaps of the traffic available?

Sincerely,

Tyler Montier
Cisco Talos


On Fri, Feb 10, 2017 at 4:06 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> The original .apk in this one downloaded 32 files including .elf, .jar,
> .zip, and even scripts, which in turn downloaded other files to the device.
> Eventually the device/emulator crashed. It contacted 47 unique domains/IP
> addresses.
>
> The signatures below are focused on the main actions of the original
> sample.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000816; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000817; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000818; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000819; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000820; rev:1;)
>
> Thank you.
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
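To see what the submitted rules actually key on without running Snort, here is an added Python emulation (not part of YM's submission or of any Snort ruleset) of the ordered body-token chains and the exact User-Agent line, run over two constructed requests; the URI substring matching and `distance:0` chaining mirror the rule options, and the hostnames in the samples are made up.

```python
"""Offline emulation of the checks in the Andr.Trojan.Agent rules above.
Each MALWARE-CNC rule needs a POST, a URI substring, and a chain of key=
tokens that must appear in the client body one after another (Snort's
`distance:0` between consecutive `content` matches)."""

# URI substring -> ordered body tokens, copied from the quoted rules.
RULES = {
    "/cget.do": ["uuid=", "&ver=", "&a_have=", "&mac=", "&sysver="],
    "/gettools.do": ["gcc=", "&model=", "&apiLevel=", "&sysver=", "&imei=", "&abi=", "&mac="],
    "/msg.do": ["msg=", "&code=", "&uuid="],
    "/setwatch.do": ["uuid=", "&pkgName=", "&processName="],
}
UA_LINE = "User-Agent: Ray-Downer"  # the blacklist rule's exact header line

def ordered_match(body: str, tokens: list) -> bool:
    """True if every token appears after the end of the previous one."""
    pos = 0
    for tok in tokens:
        idx = body.find(tok, pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, uri, header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    return method, uri, lines[1:], body

def classify(raw: str) -> list:
    """Return the URIs / 'user-agent' of the rules that would fire on one request."""
    method, uri, headers, body = parse_request(raw)
    hits = [path for path, toks in RULES.items()
            if method == "POST" and path in uri and ordered_match(body, toks)]
    if UA_LINE in headers:
        hits.append("user-agent")
    return hits

# Constructed sample requests (not captured traffic); hostnames are invented.
REPORT = ("POST /cget.do HTTP/1.1\r\nHost: example.invalid\r\n" + UA_LINE + "\r\n\r\n"
          "uuid=1&ver=2&a_have=0&mac=00&sysver=19")
REORDERED = ("POST /cget.do HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
             "uuid=1&mac=00&ver=2&a_have=0&sysver=19")
```

The second sample carries the same parameters in a different order and fires nothing, which is the trade-off of the `distance:0` chains: they are precise for this sample's body layout but miss a variant that reorders the fields.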