/*
    This YARA ruleset is licensed under the GNU GPLv2 (http://www.gnu.org/licenses/gpl-2.0.html) and may be used by any user or organization, as long as it is used under the terms of that license.
*/


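rule android_meterpreter : android
{
    meta:
        author="73mp74710n"
        ref = "https://github.com/zombieleet/yara-rules/blob/master/android_metasploit.yar"
        comment="Metasploit Android Meterpreter Payload"
        // Low-confidence hunting rule: none of the strings below is specific to
        // Meterpreter, so a hit must be corroborated (e.g. with the
        // class-descriptor based rule android_metasploit) before acting on it.
        confidence = "low"

    strings:
        // "META-INF/" zip entry name immediately followed by the next local
        // file header signature ("PK"). Typically present in APK/JAR files, so
        // it acts as an archive sanity check, not as a payload indicator.
        $checkPK = "META-INF/PK"
        $checkHp = "[Hp^"
        // 4-byte pattern with one wildcard; short enough to occur by chance in
        // the compressed (high-entropy) entries of a large archive.
        $checkSdeEncode = /;.Sk/
        // Interpreter-style function names (PHP naming) - not something a dex
        // payload is expected to contain; kept as secondary indicators only.
        $stopEval = "eval"
        $stopBase64 = "base64_decode"

    condition:
        // The original "any of ($check*) or any of ($stop*)" fired on a single
        // generic string, i.e. on practically every ZIP/JAR and on any file
        // containing "eval". Anchor on the ZIP local-file-header magic so only
        // archives (APK/JAR) are considered, and require the archive marker
        // plus at least one further indicator.
        uint32(0) == 0x04034B50 and $checkPK and
        ( any of ($checkHp, $checkSdeEncode) or any of ($stop*) )
}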

rule android_metasploit : android
{
	meta:
		author = "https://twitter.com/plutec_net"
		description = "This rule detects apps made with metasploit framework"
		sample = "cb9a217032620c63b85a58dde0f9493f69e4bda1e12b180047407c15ee491b41"

	strings:
		// Dalvik type descriptors / class name of the Metasploit staging
		// classes. The leading "*" (0x2A = 42) and "(" (0x28 = 40) equal the
		// length of the text that follows them, consistent with the dex
		// string_data ULEB128 length prefix - so $tm_desc and $tm_name are
		// expected to hit inside a dex string pool rather than in free text.
		$tm_desc = "*Lcom/metasploit/stage/PayloadTrustManager;"
		$tm_name = "(com.metasploit.stage.PayloadTrustManager"
		$payload_inner = "Lcom/metasploit/stage/Payload$1;"
		$payload = "Lcom/metasploit/stage/Payload;"

	condition:
		// All four identifiers are required. NOTE(review): a Deflate-compressed
		// classes.dex inside an APK will not expose these strings; scan the
		// extracted dex (or have the scanner unpack the archive).
		$tm_desc and $tm_name and $payload_inner and $payload
}