Commit fd426fd8 by mmorenog Committed by GitHub

Update Android_HackintTeam_Implant.yar

parent 58ef4b33
...@@ -7,10 +7,10 @@ rule HackingTeam_Android : Android Implant ...@@ -7,10 +7,10 @@ rule HackingTeam_Android : Android Implant
meta: meta:
description = "HackingTeam Android implant, known to detect version v4 - v7" description = "HackingTeam Android implant, known to detect version v4 - v7"
author = "Tim 'diff' Strazzere <strazz@gmail.com>" author = "Tim 'diff' Strazzere <strazz@gmail.com>"
reference = "http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/" reference = "http://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/"
date = "2016-11-14" date = "2016-11-14"
version = "1.0" version = "1.0"
strings: strings:
$decryptor = { $decryptor = {
12 01 // const/4 v1, 0x0 12 01 // const/4 v1, 0x0
D8 00 ?? ?? // add-int/lit8 ??, ??, ?? D8 00 ?? ?? // add-int/lit8 ??, ??, ??
...@@ -48,6 +48,6 @@ rule HackingTeam_Android : Android Implant ...@@ -48,6 +48,6 @@ rule HackingTeam_Android : Android Implant
00 12 67 65 74 53 6D 73 49 6E 70 75 74 4E 75 6D 00 12 67 65 74 53 6D 73 49 6E 70 75 74 4E 75 6D
62 65 72 73 00 62 65 72 73 00
} }
condition: condition:
$decryptor and ($settings and $getSmsInputNumbers) $decryptor and ($settings and $getSmsInputNumbers)
} }
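Review bot: The comment on the second `$decryptor` line documents `add-int/lit8 ??, ??, ??`, but the bytes `D8 00 ?? ??` pin the destination register byte to 0x00 (Dalvik format 22b is opcode, vAA, vBB, #+CC), so the pattern only matches `add-int/lit8 v0, ??, ??`; the comment should read `D8 00 ?? ?? // add-int/lit8 v0, ??, ??`, or the `00` should become `??` if the register was not meant to be fixed. The condition `$decryptor and ($settings and $getSmsInputNumbers)` carries redundant parentheses and reads more plainly as `$decryptor and $settings and $getSmsInputNumbers`; prefixing it with a DEX magic guard such as `uint32(0) == 0x0A786564 and` would also keep the opcode pattern from being scanned against non-DEX files, if that matches how the rule is deployed. The `$settings` string and the rest of the strings section lie between the two hunks, outside this view.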