rule tachi : android { meta: author = "https://twitter.com/plutec_net" source = "https://analyst.koodous.com/rulesets/1332" description = "This rule detects tachi apps (not all malware)" sample = "10acdf7db989c3acf36be814df4a95f00d370fe5b5fda142f9fd94acf46149ec" strings: $a = "svcdownload" $xml_1 = "<config>" $xml_2 = "<apptitle>" $xml_3 = "<txinicio>" $xml_4 = "<txiniciotitulo>" $xml_5 = "<txnored>" $xml_6 = "<txnoredtitulo>" $xml_7 = "<txnoredretry>" $xml_8 = "<txnoredsalir>" $xml_9 = "<laurl>" $xml_10 = "<txquieresalir>" $xml_11 = "<txquieresalirtitulo>" $xml_12 = "<txquieresalirsi>" $xml_13 = "<txquieresalirno>" $xml_14 = "<txfiltro>" $xml_15 = "<txfiltrourl>" $xml_16 = "<posicion>" condition: $a and 4 of ($xml_*) }