Create Android_Libyan_Scorpions.yar

Mobile_Malware/Android_Libyan_Scorpions.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/.
+
+	You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
+*/
+
+import "androguard"
+import "cuckoo"
+
+
+rule libyan_scorpions
+{
+	meta:
+		source = "https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf"
+		sample = "9d8e5ccd4cf543b4b41e4c6a1caae1409076a26ee74c61c148dffd3ce87d7787"
+
+	strings:
+		$ip_1 = "41.208.110.46" ascii wide
+		$domain_1 = "winmeif.myq-see.com" ascii wide nocase
+		$domain_2 = "wininit.myq-see.com" ascii wide nocase
+		$domain_3 = "samsung.ddns.me" ascii wide nocase
+		$domain_4 = "collge.myq-see.com" ascii wide nocase
+		$domain_5 = "sara2011.no-ip.biz" ascii wide nocase
+
+	condition:
+		androguard.url(/41\.208\.110\.46/) or cuckoo.network.http_request(/41\.208\.110\.46/) or
+		androguard.url(/winmeif.myq-see.com/i) or cuckoo.network.dns_lookup(/winmeif.myq-see.com/i) or
+		androguard.url(/wininit.myq-see.com/i) or cuckoo.network.dns_lookup(/wininit.myq-see.com/i) or
+		androguard.url(/samsung.ddns.me/i) or cuckoo.network.dns_lookup(/samsung.ddns.me/i) or
+		androguard.url(/collge.myq-see.com/i) or cuckoo.network.dns_lookup(/collge.myq-see.com/i) or
+		androguard.url(/sara2011.no-ip.biz/i) or cuckoo.network.dns_lookup(/sara2011.no-ip.biz/i) or
+		any of ($domain_*) or any of ($ip_*) or
+		androguard.certificate.sha1("DFFDD3C42FA06BCEA9D65B8A2E980851383BD1E3")
+		
+}