Create Android_pornClicker.yar

63e861c8 · mmorenog · e890f99b · 63e861c8
Commit 63e861c8 authored Jun 03, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 0 deletions

Android_pornClicker.yar Mobile_Malware/Android_pornClicker.yar +26 -0

No files found.
--- a/Mobile_Malware/Android_pornClicker.yar
+++ b/Mobile_Malware/Android_pornClicker.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+
+import "androguard"
+
+
+
+rule trojan: pornClicker 
+{
+	meta:
+		description = "Ruleset to detect android pornclicker trojan, connects to a remote host and obtains javascript and a list from urls generated, leading to porn in the end."
+		sample = "5a863fe4b141e14ba3d9d0de3a9864c1339b2358386e10ba3b4caec73b5d06ca"
+ 		reference = "https://blog.malwarebytes.org/cybercrime/2016/06/trojan-clickers-gaze-cast-upon-google-play-store/?utm_source=facebook&utm_medium=social"
+    author = "Koodous Project"
+    
+	strings:
+		$a = "SELEN3333"
+		$b = "SELEN33"
+		$c = "SELEN333"
+		$api = "http://mayis24.4tubetv.xyz/dmr/ya"
+		
+	condition:
+		($a and $b and $c and $api) or androguard.url(/mayis24\.4tubetv\.xyz/)
+}