1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Dendroid : android
{
meta:
author = "https://twitter.com/jsmesa"
reference = "https://koodous.com/"
description = "Dendroid RAT"
strings:
$s1 = "/upload-pictures.php?"
$s2 = "Opened Dialog:"
$s3 = "com/connect/MyService"
$s4 = "android/os/Binder"
$s5 = "android/app/Service"
condition:
all of them
}
rule Dendroid_2 : android
{
meta:
author = "https://twitter.com/jsmesa"
reference = "https://koodous.com/"
description = "Dendroid evidences via Droidian service"
strings:
$a = "Droidian"
$b = "DroidianService"
condition:
all of them
}
rule Dendroid_3 : android
{
meta:
author = "https://twitter.com/jsmesa"
reference = "https://koodous.com/"
description = "Dendroid evidences via ServiceReceiver"
strings:
$1 = "ServiceReceiver"
$2 = "Dendroid"
condition:
all of them
}
import "androguard"
rule Android_Dendroid
{
meta:
author = "Jacob Soo Lead Re"
date = "19-May-2016"
description = "This rule try to detect Dendroid"
source = "https://blog.lookout.com/blog/2014/03/06/dendroid/"
condition:
androguard.service(/com.connect/i) and
androguard.permission(/android.permission.RECEIVE_BOOT_COMPLETED/i)
}