/*
This YARA ruleset is under the GNU GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
The androguard module used in this rule file is under development by people at https://koodous.com/.
You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/
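// YARA requires double-quoted string literals; the single quotes (and the
// missing space) in the original would not compile.
import "androguard"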
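rule smspay_chinnese : hejupay android
{
    // Detects APKs that carry a specific hard-coded RSA key pair as base64 text.
    // $a looks like a base64 SubjectPublicKeyInfo and $b like the matching
    // base64 PKCS#8 private key (the modulus bytes appear to line up, so they
    // are presumably the two halves of one key — TODO confirm by decoding).
    // Either string alone fires the rule, so a sample that ships only the
    // public half still matches.
    //
    // NOTE(review): the condition has no androguard.* term, so this rule also
    // matches any non-APK file that happens to contain the key text (source
    // dumps, key files). Add a package/permission predicate if that is not
    // wanted. A private key embedded in an app is, by construction, public:
    // nothing signed or encrypted with it can be trusted.
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
    strings:
        $a = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/Jvgb0/jSRWi7i4J9IwO72KZw404kj02A97ExbUefVeE7yyWSTbKw5sYlKXCtaoQwWr19j0Y+xb6+h2BRuNx307BV/QpG6DnPg+Lx8fPPvhbhOudgKb/XuZPaz/GJbTpwzTbBmT+mI1QTRLyAKDxSjGWYvoPFVz82RxcAblV/twIDAQAB"
        $b = "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAL8m+BvT+NJFaLuLgn0jA7vYpnDjTiSPTYD3sTFtR59V4TvLJZJNsrDmxiUpcK1qhDBavX2PRj7Fvr6HYFG43HfTsFX9CkboOc+D4vHx88++FuE652Apv9e5k9rP8YltOnDNNsGZP6YjVBNEvIAoPFKMZZi+g8VXPzZHFwBuVX+3AgMBAAECgYBLYR6uOqUApoZqjtVia5BpX0Ijej+ygyBZH1Qs3Z9E4iTz42RpkWJKCHdS6Eia2kpOlznqbbmRv4E8uT3ufCvUFexjR5ClGVKJ+XHXxqS75+KT38wGZZ1bW0pK4sT1/aGLrt5/netwuzMi/YFNfAKRPqvRXuNcxNLhMhs2efLKIQJBAPGea2UXVWd0Ti8ClA8hiWPSNCPtcp41Dh2H0YczrFmO2zafPPJih2GQY5txszwBLbjxFCY8/WhrYAqx0itMrgsCQQDKh5U1NfpRvk0Hu8iBRB/LPyGimz+WM/chFSC65SlS/cml3U7hUOj2lRGPz+bm68624H0KLviqpBJpmayvbbyFAkEA1NNFJ9uAx8rDn1b3EcjpmvqqIMdjwYVcNJjQ7/WNJ6nU3+0toxc0xrSHeIGTbhRfsNrxc6kfUV3bUDBHvwog9wJBAI+fRH1ekOwlAqVIUnDw6YcNdwHEDHysz0TDodlHp112Ieign06DPSGYJsMQURNTB92CJsnw82C3R2Nhmicxr60CQQCN466JF9GJRZipO64OYw/ElMac7vXgTeGMvYZ2/yfX5CRCLua4DygD1Ju0eMXpea9og/EtwCTV0RVpFc9SSN8V"
    condition:
        // Original read "$aor$b" (whitespace lost); YARA needs the operator spaced.
        $a or $b
}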
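rule smsfraud : ganga android
{
    // Chinese SMS-fraud family. Three independent signals, any one of which
    // is enough: the package name, a pair of embedded constants, or a splash
    // activity from the "snowfish ... ganga" SDK.
    //
    // NOTE(review): because the signals are OR-ed, the package-name branch on
    // its own decides a match; a repackaged sample with a new package name
    // and stripped constants falls through to the activity check only.
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "smsfraud chinese"
        sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
    strings:
        // Opaque constant lifted from the sample; the run of six apostrophes
        // is part of the literal.
        $string_a_1 = "HHHEEEEEEBBBBBB??????;;;;;;888888444444000000,''''''######OOO###"
        // GUID-shaped identifier found in the sample.
        $string_a_2 = "2e6081a2-a063-45c7-ab90-5db596e42c7c"
    condition:
        androguard.package_name("com.yr.sx") or
        // Original read "allof"; the YARA keyword is two words.
        all of ($string_a_*) or
        // Dots are escaped so they match literal "." rather than any
        // character, which the unescaped original silently allowed.
        androguard.activity(/com\.snowfish\.cn\.ganga\.offline\.helper\.SFGameSplashActivity/)
}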
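rule sms_fraud : MSACM32 android
{
    // SMS-fraud samples that embed a Windows-style DLL name ("MSACM32.dll" —
    // unusual inside an APK and presumably a packing/obfuscation artifact of
    // this family), register for SMS_RECEIVED and request SEND_SMS. All three
    // strings AND the permission are required, which keeps the rule narrow.
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "sms-fraud examples"
        // Two SHA-256 hashes in one field, space separated, as in the original.
        sample = "8b9cabd2dafbba57bc35a19b83bf6027d778f3b247e27262ced618e031f9ca3d c52112b45164b37feeb81e0b5c4fcbbed3cfce9a2782a2a5001fb37cfb41e993"
    strings:
        $string_a = "MSACM32.dll"
        // Broadcast action an app subscribes to in order to intercept SMS.
        $string_b = "android.provider.Telephony.SMS_RECEIVED"
        $string_c = "MAIN_TEXT_TAG"
    condition:
        // Original read "allof"; the YARA keyword is two words.
        all of ($string_*) and
        androguard.permission(/android\.permission\.SEND_SMS/)
}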
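rule sms_fraud_gen : generic android
{
    // Generic SMS-fraud heuristic: a signing certificate with a specific
    // validity window plus a runtime string, gated on the SEND_SMS permission.
    //
    // $a and $c are ASN.1 UTCTime values (YYMMDDhhmmssZ), i.e. the
    // notBefore/notAfter of a certificate: 2008-02-29 01:33:46Z and
    // 2035-07-17 01:33:46Z (the trailing "0" in $c is presumably the first
    // byte of the next DER element). NOTE(review): this validity window is
    // the one commonly associated with a publicly available AOSP test
    // signing key — if so, the rule is really flagging "signed with a key
    // anyone can use", which is a useful signal on its own but will also hit
    // benign test builds. Confirm against a known testkey certificate.
    //
    // meta "thread_level" is most likely a typo for "threat_level"; it is left
    // unchanged because downstream consumers may key on the existing name.
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = "080229013346Z"
        $c = "350717013346Z0"
        $b = "NUMBER_CHAR_EXP_SIGN"
    condition:
        // Original read "$aand$band$cand" (whitespace lost).
        $a and $b and $c and
        androguard.permission(/android\.permission\.SEND_SMS/)
}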
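rule smsfraud_apk : android
{
    // Pins the signing certificate by its SHA-1 fingerprint. High precision,
    // zero coverage of re-signed samples: any repackaging with a different
    // key evades it, so pair it with a content-based rule for coverage.
    // SHA-1 is used here purely as a lookup identifier, not as a security
    // property, which is acceptable. NOTE(review): the fingerprint is given
    // as uppercase hex; confirm whether the androguard module version in use
    // compares case-insensitively, otherwise a lowercase fingerprint from
    // another tool will not match.
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects apks related with sms fraud"
        sample = "79b35a99f16de6912d6193f06361ac8bb75ea3a067f3dbc1df055418824f813c"
    condition:
        androguard.certificate.sha1("9E1B8719D80656E9EADAAB4251B2CFB4C8188835")
}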