/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
The Androguard module used in this rule file is under development by people at https://koodous.com/.

You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/
import "androguard"
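// APK embeds a specific base64-encoded RSA key pair seen in hejupay SMS-payment samples.
// The rule name keeps the original spelling ("chinnese") so existing references to it keep resolving.
rule smspay_chinnese : hejupay
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        // Added for consistency with the other rules in this file.
        description = "smspay chinese (hejupay): APK embeds a specific base64-encoded RSA key pair"

    strings:
        // $a appears to be a base64 DER SubjectPublicKeyInfo (RSA public key); $b appears to be the
        // matching base64 PKCS#8 RSA private key. Both are plain, case-sensitive text matches, so only
        // the base64 text form is detected; a DER (binary) copy of the same key would not match.
        $a = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/Jvgb0/jSRWi7i4J9IwO72KZw404kj02A97ExbUefVeE7yyWSTbKw5sYlKXCtaoQwWr19j0Y+xb6+h2BRuNx307BV/QpG6DnPg+Lx8fPPvhbhOudgKb/XuZPaz/GJbTpwzTbBmT+mI1QTRLyAKDxSjGWYvoPFVz82RxcAblV/twIDAQAB"
        $b = "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAL8m+BvT+NJFaLuLgn0jA7vYpnDjTiSPTYD3sTFtR59V4TvLJZJNsrDmxiUpcK1qhDBavX2PRj7Fvr6HYFG43HfTsFX9CkboOc+D4vHx88++FuE652Apv9e5k9rP8YltOnDNNsGZP6YjVBNEvIAoPFKMZZi+g8VXPzZHFwBuVX+3AgMBAAECgYBLYR6uOqUApoZqjtVia5BpX0Ijej+ygyBZH1Qs3Z9E4iTz42RpkWJKCHdS6Eia2kpOlznqbbmRv4E8uT3ufCvUFexjR5ClGVKJ+XHXxqS75+KT38wGZZ1bW0pK4sT1/aGLrt5/netwuzMi/YFNfAKRPqvRXuNcxNLhMhs2efLKIQJBAPGea2UXVWd0Ti8ClA8hiWPSNCPtcp41Dh2H0YczrFmO2zafPPJih2GQY5txszwBLbjxFCY8/WhrYAqx0itMrgsCQQDKh5U1NfpRvk0Hu8iBRB/LPyGimz+WM/chFSC65SlS/cml3U7hUOj2lRGPz+bm68624H0KLviqpBJpmayvbbyFAkEA1NNFJ9uAx8rDn1b3EcjpmvqqIMdjwYVcNJjQ7/WNJ6nU3+0toxc0xrSHeIGTbhRfsNrxc6kfUV3bUDBHvwog9wJBAI+fRH1ekOwlAqVIUnDw6YcNdwHEDHysz0TDodlHp112Ieign06DPSGYJsMQURNTB92CJsnw82C3R2Nhmicxr60CQQCN466JF9GJRZipO64OYw/ElMac7vXgTeGMvYZ2/yfX5CRCLua4DygD1Ju0eMXpea9og/EtwCTV0RVpFc9SSN8V"

    condition:
        // Either half of the key pair is enough: the public key alone is also a reliable marker.
        $a or $b
}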
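// Chinese SMS-fraud family: matched by package name, by a pair of embedded strings, or by a
// ganga SDK activity name. The three clauses are independent (OR), so each one fires on its own.
rule smsfraud : ganga
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "smsfraud chinese"
        sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"

    strings:
        // Both strings must be present (see "all of" below); $string_a_2 looks like a GUID.
        $string_a_1 = "HHHEEEEEEBBBBBB??????;;;;;;888888444444000000,,,,,,''''''''''''######OOO###"
        $string_a_2 = "2e6081a2-a063-45c7-ab90-5db596e42c7c"

    condition:
        androguard.package_name("com.yr.sx") or
        all of ($string_a_*) or
        // Dots are escaped so they match a literal '.' rather than any character.
        // NOTE(review): the activity name looks like an SDK component; if that SDK also ships in
        // benign apps, this clause alone will produce false positives — confirm against samples.
        androguard.activity(/com\.snowfish\.cn\.ganga\.offline\.helper\.SFGameSplashActivity/)
}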
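// SMS-fraud samples identified by three embedded strings plus the SEND_SMS permission.
rule sms_fraud : MSACM32
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "sms-fraud examples"
        // Two SHA-256 sample hashes, separated by a space.
        sample = "8b9cabd2dafbba57bc35a19b83bf6027d778f3b247e27262ced618e031f9ca3d c52112b45164b37feeb81e0b5c4fcbbed3cfce9a2782a2a5001fb37cfb41e993"

    strings:
        // Presumably a Windows DLL name; an unusual artifact inside an Android package, hence useful.
        $string_a = "MSACM32.dll"
        // Broadcast action string for incoming SMS as it appears in the binary.
        $string_b = "android.provider.Telephony.SMS_RECEIVED"
        $string_c = "MAIN_TEXT_TAG"

    condition:
        // All three strings AND the permission are required, which keeps the rule narrow.
        all of ($string_*) and
        // Dots are escaped so they match a literal '.' rather than any character.
        androguard.permission(/android\.permission\.SEND_SMS/)
}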
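// Generic SMS-fraud example: two certificate-looking timestamps and one string, plus SEND_SMS.
rule sms_fraud_gen : generic
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "This is just an example"
        // "thread_level" is most likely a misspelling of "threat_level"; kept as-is because
        // downstream tooling may key on the existing meta name.
        thread_level = 3
        in_the_wild = true

    strings:
        // $a and $c look like ASN.1 UTCTime values (YYMMDDhhmmssZ) as found in a certificate's
        // validity field — presumably the signing certificate's notBefore/notAfter; verify against samples.
        $a = "080229013346Z"
        $c = "350717013346Z0"
        $b = "NUMBER_CHAR_EXP_SIGN"

    condition:
        // Equivalent to "$a and $b and $c": every defined string must be present.
        all of them and
        // Dots are escaped so they match a literal '.' rather than any character.
        androguard.permission(/android\.permission\.SEND_SMS/)
}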
// SMS-fraud APKs identified solely by the SHA-1 fingerprint of their signing certificate.
// No strings section: the match depends entirely on the androguard module's certificate data.
rule smsfraud_apk
{
    meta:
        author = "https://twitter.com/plutec_net"
        reference = "https://koodous.com/"
        description = "This rule detects apks related with sms fraud"
        sample = "79b35a99f16de6912d6193f06361ac8bb75ea3a067f3dbc1df055418824f813c"

    condition:
        // Anything signed with this certificate is flagged, regardless of package contents.
        androguard.certificate.sha1("9E1B8719D80656E9EADAAB4251B2CFB4C8188835")
}