<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>The original .apk in this one downloaded 32 files including .elf, .jar, .zip, and even scripts, which in turn downloaded other files to the device. Eventually the device/emulator crashed. It contacted 47 unique domains/IP addresses.</p>
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<div><br>
</div>
<div>The signatures below are focused on the main actions of the original sample.</div>
<div><br>
</div>
<div><span style="font-size:9pt; font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report device info"; flow:to_server,established; content:"POST"; http_method; content:"/cget.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&a_have="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000816; rev:1;)</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent Ray-Downer - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000817; rev:1;)</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent download tools request"; flow:to_server,established; content:"POST"; http_method; content:"/gettools.do"; fast_pattern:only; http_uri; content:"gcc="; http_client_body; content:"&model="; distance:0; http_client_body; content:"&apiLevel="; distance:0; http_client_body; content:"&sysver="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&abi="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000818; rev:1;)</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report file to download"; flow:to_server,established; content:"POST"; http_method; content:"/msg.do"; fast_pattern:only; http_uri; content:"msg="; http_client_body; content:"&code="; distance:0; http_client_body; content:"&uuid="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000819; rev:1;)</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-size:9pt; font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent report APK and process name"; flow:to_server,established; content:"POST"; http_method; content:"/setwatch.do"; fast_pattern:only; http_uri; content:"uuid="; http_client_body; content:"&pkgName="; distance:0; http_client_body; content:"&processName="; distance:0; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:1000820; rev:1;)</span></div>
<br>
<div>Thank you.</div>
<div>YM</div>
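<div>Added example, not part of the original post: a small Python harness that mirrors the matching logic of the signatures above (POST method, http_uri substring, and the chain of http_client_body contents with distance:0) against constructed HTTP requests, so the ordering constraint the rules impose can be checked offline. The host name, user-agent fallback and parameter values are placeholders.</div>

```python
# Constructed harness, not part of the original post: mirrors the ordered
# content matching of the signatures above against sample HTTP POSTs.
# (msg fragment, http_uri content, http_client_body contents in rule order)
RULES = [
    ("report device info", "/cget.do",
     ["uuid=", "&ver=", "&a_have=", "&mac=", "&sysver="]),
    ("download tools request", "/gettools.do",
     ["gcc=", "&model=", "&apiLevel=", "&sysver=", "&imei=", "&abi=", "&mac="]),
    ("report file to download", "/msg.do", ["msg=", "&code=", "&uuid="]),
    ("report APK and process name", "/setwatch.do",
     ["uuid=", "&pkgName=", "&processName="]),
]
# content:"User-Agent|3A 20|Ray-Downer|0D 0A|"; http_header;
MALICIOUS_UA = b"User-Agent: Ray-Downer\r\n"


def build_post(uri, body, ua="Dalvik/2.1.0"):
    """Assemble a constructed HTTP/1.1 POST (placeholder host) for the tests."""
    return (f"POST {uri} HTTP/1.1\r\nHost: c2.example.invalid\r\n"
            f"User-Agent: {ua}\r\nContent-Length: {len(body)}\r\n\r\n{body}").encode()


def ordered_match(body, tokens):
    """Emulate a chain of content:...; distance:0; http_client_body; checks:
    each token must start at or after the end of the previous match."""
    pos = 0
    for tok in tokens:
        idx = body.find(tok.encode(), pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True


def match_rules(raw):
    """Return the msg fragments of every signature the raw request triggers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    method, uri = (request_line + [b"", b""])[:2]
    hits = []
    if MALICIOUS_UA in head + b"\r\n":
        hits.append("known malicious user-agent Ray-Downer")
    if method == b"POST":                      # content:"POST"; http_method;
        for msg, rule_uri, tokens in RULES:    # content:"/x.do"; http_uri;
            if rule_uri.encode() in uri and ordered_match(body, tokens):
                hits.append(msg)
    return hits


if __name__ == "__main__":
    beacon = build_post("/cget.do", "uuid=0000&ver=1&a_have=0&mac=00:11:22:33:44:55&sysver=19", ua="Ray-Downer")
    print(match_rules(beacon))
    # Same fields out of order: the distance:0 chain keeps the rule silent.
    print(match_rules(build_post("/cget.do", "ver=1&uuid=0000&a_have=0&mac=0&sysver=19")))
```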
</div>
</div>
</body>
</html>