Merge pull request #118 from plutec/master

Ruleset for Android Marcher malware

Merge pull request #118 from plutec/master
Ruleset for Android Marcher malware
5120293b · mmorenog · ce86162d · 1bbd2455 · 5120293b
Commit 5120293b authored Jun 06, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 61 additions and 0 deletions

Android_Marcher_2.yar Mobile_Malware/Android_Marcher_2.yar +61 -0

No files found.
--- a/Mobile_Malware/Android_Marcher_2.yar
+++ b/Mobile_Malware/Android_Marcher_2.yar
+rule marcher
+{
+	meta:
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/890"
+		description = "This rule detects is to detect a type of banking malware"
+		sample = "33b1a9e4a1591c1a39fdd5295874e365dbde9448098254a938525385498da070"
+
+	strings:
+		$a = "cmVudCYmJg=="
+		$b = "dXNzZCYmJg=="
+
+	condition:
+		all of them
+		
+}
+
+rule marcher2
+{
+	meta:
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/890"
+	strings:
+		$a = "HDNRQ2gOlm"
+		$b = "lElvyohc9Y1X+nzVUEjW8W3SbUA"
+	condition:
+		all of them
+		
+}
+
+rule marcher3
+{
+	meta:
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/890"
+		sample1 = "087710b944c09c3905a5a9c94337a75ad88706587c10c632b78fad52ec8dfcbe"
+		sample2 = "fa7a9145b8fc32e3ac16fa4a4cf681b2fa5405fc154327f879eaf71dd42595c2"
+	strings:
+		$a = "certificado # 73828394"
+		$b = "A compania TMN informa que o vosso sistema Android tem vulnerabilidade"
+		
+	condition:
+		all of them
+}
+
+rule marcher_v2
+{
+	meta:
+		description = "This rule detects a new variant of Marcher"
+		sample = "27c3b0aaa2be02b4ee2bfb5b26b2b90dbefa020b9accc360232e0288ac34767f"
+		author = "Antonio S. <asanchez@koodous.com>"
+		source = "https://analyst.koodous.com/rulesets/1301"
+	strings:
+		$a = /assets\/[a-z]{1,12}.datPK/
+		$b = "mastercard_img"
+		$c = "visa_verifed"
+
+	condition:
+		all of them
+
+}