Android Backdoor rule

1e12018c · Antonio S · a461e725 · 1e12018c
Commit 1e12018c authored Aug 29, 2016 by Antonio S
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 0 deletions

Android_Backdoor.yar Mobile_Malware/Android_Backdoor.yar +28 -0

No files found.
--- a/Mobile_Malware/Android_Backdoor.yar
+++ b/Mobile_Malware/Android_Backdoor.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and 
+    open to any user or organization, as long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+
+rule backdoor: dropper
+{
+	meta:
+		author = "Antonio Sanchez <asanchez@koodous.com>"
+		description = "This rule detects fake samples with a backdoor/dropper"
+		sample = "0c3bc51952c71e5bb05c35346005da3baa098faf3911b9b45c3487844de9f539"
+		source = "https://koodous.com/rulesets/1765"
+
+	condition:
+		androguard.url("http://sys.wksnkys7.com") 
+		or androguard.url("http://sys.hdyfhpoi.com") 
+		or androguard.url("http://sys.syllyq1n.com") 
+		or androguard.url("http://sys.aedxdrcb.com")
+		or androguard.url("http://sys.aedxdrcb.com")
+}
\ No newline at end of file