alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:8; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2019_10_07;)

Added 2019-10-08 19:34:41 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2017_07_19;)

Added 2017-08-07 21:18:43 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:7;)

Added 2017-07-19 17:15:22 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; content:!"Referer|3a 20|"; http_header; content:"id="; http_client_body; content:"info="; fast_pattern:only; http_client_body; pcre:"/(?:^|&)id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|$)/P"; reference:md5,a85990f79268a18329f4040a2ec85591; classtype:trojan-activity; sid:2023553; rev:6;)

Added 2017-06-26 16:42:58 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; http_client_body; content:"info="; fast_pattern:only; http_client_body; pcre:"/(?:^|&)id=[a-f0-9]{32}(?:&|$)/P"; pcre:"/\.php$/U"; reference:md5,a85990f79268a18329f4040a2ec85591; classtype:trojan-activity; sid:2023553; rev:5;)

Added 2016-12-09 18:01:27 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&info="; fast_pattern:only; http_client_body; content:"imei"; http_client_body; pcre:"/^id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,a85990f79268a18329f4040a2ec85591; classtype:trojan-activity; sid:2023553; rev:4;)

Added 2016-11-29 17:26:34 UTC


Topic revision: r1 - 2019-10-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats