Added androguard disclaimer to mobile malware files

8b46f9be · Yara Rules · da8975e7 · 8b46f9be · 8b46f9be · 8b46f9be
Commit 8b46f9be authored Aug 03, 2015 by Yara Rules
20 changed files
--- a/Malware_Mobile/Android_ASSDdeveloper.yar
+++ b/Malware_Mobile/Android_ASSDdeveloper.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule koodous : official

--- a/Malware_Mobile/Android_BatteryBot_ClickFraud.yar
+++ b/Malware_Mobile/Android_BatteryBot_ClickFraud.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule koodous : ClickFraud AdFraud SMS Downloader_Trojan

--- a/Malware_Mobile/Android_Drendoid_RAT.yar
+++ b/Malware_Mobile/Android_Drendoid_RAT.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
 */

 rule Dendroid
@@ -8,7 +7,7 @@ rule Dendroid
 	meta:
 	author = "https://twitter.com/jsmesa"
 	reference = "https://koodous.com/"
-      description = "Dendroid RAT"
+	description = "Dendroid RAT"
 	strings:
    	$s1 = "/upload-pictures.php?"
    	$s2 = "Opened Dialog:"
@@ -25,7 +24,7 @@ rule Dendroid_2
 	meta:
 	author = "https://twitter.com/jsmesa"
 	reference = "https://koodous.com/"
-        description = "Dendroid evidences via Droidian service"
+	description = "Dendroid evidences via Droidian service"
 	strings:
    	$a = "Droidian"
    	$b = "DroidianService"
@@ -39,7 +38,7 @@ rule Dendroid_3
 	meta:
 	author = "https://twitter.com/jsmesa"
 	reference = "https://koodous.com/"
-        description = "Dendroid evidences via ServiceReceiver"
+	description = "Dendroid evidences via ServiceReceiver"
 	strings:
    	$1 = "ServiceReceiver"
    	$2 = "Dendroid"

--- a/Malware_Mobile/Android_FakeApps.yar
+++ b/Malware_Mobile/Android_FakeApps.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule whatsapp:fake

--- a/Malware_Mobile/Android_MalwareCertificates.yar
+++ b/Malware_Mobile/Android_MalwareCertificates.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule fraudulents_2 : certificates

--- a/Malware_Mobile/Android_Malware_Ramsonware.yar
+++ b/Malware_Mobile/Android_Malware_Ramsonware.yar
@@ -2,6 +2,9 @@
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.

 */
+
+import "cuckoo"
+
 rule ransomware : svpeng
 {
 	meta:
@@ -39,7 +42,6 @@ rule Ransomware : banker
 	condition:
 		any of ($strings_*)
 }
-import "cuckoo"

 rule koler_domains
 {

--- a/Malware_Mobile/Android_Malware_Tinhvan.yar
+++ b/Malware_Mobile/Android_Malware_Tinhvan.yar
@@ -3,8 +3,16 @@

 */

-import "androguard"
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.
+
+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 

+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
+*/
+
+import "androguard"

 rule tinhvan
 {

--- a/Malware_Mobile/Android_VirusPolicia.yar
+++ b/Malware_Mobile/Android_VirusPolicia.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule BaDoink : official

--- a/Malware_Mobile/Android_adware.yar
+++ b/Malware_Mobile/Android_adware.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
 */

 rule adware : ads

--- a/Malware_Mobile/Android_malware_Advertising.yar
+++ b/Malware_Mobile/Android_malware_Advertising.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule leadbolt : advertising

--- a/Malware_Mobile/Android_malware_ChinesePorn.yar
+++ b/Malware_Mobile/Android_malware_ChinesePorn.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.
+
+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 

+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule sensual_woman: chinese
@@ -19,8 +28,6 @@ rule sensual_woman: chinese
 		or androguard.package_name(/com.video.uiA/i)
 }

-import "androguard"
-
 rule chinese2 : sms_sender
 {
  meta:
@@ -35,7 +42,6 @@ rule chinese2 : sms_sender
 		androguard.package_name(/kr.mlffstrvwb.mu/)
 }

-import "androguard"
 rule chinese_porn : SMSSend
 {
  meta:
@@ -46,7 +52,6 @@ rule chinese_porn : SMSSend
 		androguard.package_name("com.shenqi.video.nfkw.neim")
 }

-import "androguard"
 rule chineseporn4 : SMSSend
 {
  meta:
@@ -57,8 +62,6 @@ rule chineseporn4 : SMSSend
 		androguard.package_name("org.mygson.videoa.zw")
 }

-import "androguard"
-
 rule chineseporn5 : SMSSend
 {
  meta:
@@ -72,5 +75,4 @@ rule chineseporn5 : SMSSend
 		androguard.package_name("com.android.sxye.wwwl") or
 		androguard.certificate.issuer(/llfovtfttfldddcffffhhh/)
 		
-}
-
+}
\ No newline at end of file
--- a/Malware_Mobile/Android_malware_Dropper.yar
+++ b/Malware_Mobile/Android_malware_Dropper.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
    long as you use it under this license.
-
 */

 rule dropper:realshell {

--- a/Malware_Mobile/Android_malware_Fake_Facebook.yar
+++ b/Malware_Mobile/Android_malware_Fake_Facebook.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule facebook : fakebook

--- a/Malware_Mobile/Android_malware_Fake_Minecraft.yar
+++ b/Malware_Mobile/Android_malware_Fake_Minecraft.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
 import "androguard"

 rule minecraft

--- a/Malware_Mobile/Android_malware_Fake_MosKow.yar
+++ b/Malware_Mobile/Android_malware_Fake_MosKow.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
 */



--- a/Malware_Mobile/Android_malware_Fake_market.yar
+++ b/Malware_Mobile/Android_malware_Fake_market.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.
+
+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 

+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */

 import "androguard"

--- a/Malware_Mobile/Android_malware_HackingTeam.yar
+++ b/Malware_Mobile/Android_malware_HackingTeam.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.
+
+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 

+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */

 import "androguard"

-
 rule hacking_team : stcert
 {
 	meta:
@@ -44,6 +51,4 @@ rule hacking_team : stcert
 		//97257C6D8F6DA60EA27D2388D9AE252657FF3304 this certification could be stolen
 		//03EA873D5D13707B0C278A0055E452416054E27B this certification could be stolen
 		//B8D5E3F0BCAD2EB03BB34AEE2B3F63FC5162C56B this certification could be stolen
-
-		
 }
--- a/Malware_Mobile/Android_malware_SMSsender.yar
+++ b/Malware_Mobile/Android_malware_SMSsender.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
+import "androguard"
+
 rule smspay_chinnese : hejupay
 {
    meta:
@@ -17,7 +28,6 @@ rule smspay_chinnese : hejupay
 		$a or $b
 }

-import "androguard"

 rule smsfraud : ganga
 {
@@ -39,7 +49,6 @@ rule smsfraud : ganga
 		
 }

-import "androguard"

 rule sms_fraud : MSACM32
 {
@@ -79,9 +88,6 @@ rule sms_fraud_gen : generic
 		androguard.permission(/android.permission.SEND_SMS/)
 }

-import "androguard"
-
-
 rule smsfraud
 {
 	meta:

--- a/Malware_Mobile/Android_malware_banker.yar
+++ b/Malware_Mobile/Android_malware_banker.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+	Androguard module used in this rule file is under development by people at https://koodous.com/. Unfortunately it isn't published yet. 
+	We will update this rule file and our website once the module is published.

+	Androguard module is based on androguard tool available @ https://github.com/androguard/androguard. 
+
+	https://koodous.com/ is a very nice android malware analysis platform you can check out if you want to analyze your APK.
 */
+
+import "androguard"
+
 rule Android_Malware : iBanking
 {
 	meta:
@@ -22,8 +33,6 @@ rule Android_Malware : iBanking
 		($pk at 0 and 2 of ($file*) and ($string1 or $string2))
 }

-import "androguard"
-
 rule Installer: banker
 {
 	meta:
@@ -33,5 +42,4 @@ rule Installer: banker

 	condition:
 		androguard.package_name("Jk7H.PwcD")
-}
-
+}
\ No newline at end of file
--- a/Malware_Mobile/Android_malware_xbot007.yar
+++ b/Malware_Mobile/Android_malware_xbot007.yar
 /*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
-
 */
+
+
 rule xbot007
 {
 	meta: