Sneed-Reactivity/yara-mikesxrs/Koodous/ChinesePorn.yar

76 lines
2.2 KiB
Text
Raw Normal View History

/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Androguard module used in this rule file is under development by people at https://koodous.com/.
You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/
import "androguard"
rule sensual_woman: chinese
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
androguard.package_name(/com.phone.gzlok.live/)
or androguard.package_name(/com.yongrun.app.sxmn/)
or androguard.package_name(/com.wnm.zycs/)
or androguard.package_name(/com.charile.chen/i)
or androguard.package_name(/com.sp.meise/i)
or androguard.package_name(/com.legame.wfxk.wjyg/)
or androguard.package_name(/com.video.uiA/i)
}
rule chinese2 : sms_sender
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
androguard.package_name(/com.adr.yykbplayer/) or
androguard.package_name(/sdej.hpcite.icep/) or
androguard.package_name(/p.da.wdh/) or
androguard.package_name(/com.shenqi.video.sjyj.gstx/) or
androguard.package_name(/cjbbtwkj.xyduzi.fa/) or
androguard.package_name(/kr.mlffstrvwb.mu/)
}
rule chinese_porn : SMSSend
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
androguard.package_name("com.tzi.shy") or
androguard.package_name("com.shenqi.video.nfkw.neim")
}
rule chineseporn4 : SMSSend
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
androguard.activity(/com\.shenqi\.video\.Welcome/) or
androguard.package_name("org.mygson.videoa.zw")
}
rule chineseporn5 : SMSSend
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
condition:
androguard.package_name("com.shenqi.video.ycef.svcr") or
androguard.package_name("dxas.ixa.xvcekbxy") or
androguard.package_name("com.video.ui") or
androguard.package_name("com.qq.navideo") or
androguard.package_name("com.android.sxye.wwwl") or
androguard.certificate.issuer(/llfovtfttfldddcffffhhh/)
}