Sneed-Reactivity/yara-mikesxrs/Koodous/SMSsender.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

99 lines
3.4 KiB
Text

/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Androguard module used in this rule file is under development by people at https://koodous.com/.
You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara
*/
import "androguard"
rule smspay_chinnese : hejupay
{
meta:
author = "Fernando Denis https://twitter.com/fdrg21"
reference = "https://koodous.com/"
strings:
$a = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/Jvgb0/jSRWi7i4J9IwO72KZw404kj02A97ExbUefVeE7yyWSTbKw5sYlKXCtaoQwWr19j0Y+xb6+h2BRuNx307BV/QpG6DnPg+Lx8fPPvhbhOudgKb/XuZPaz/GJbTpwzTbBmT+mI1QTRLyAKDxSjGWYvoPFVz82RxcAblV/twIDAQAB"
$b = "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAL8m+BvT+NJFaLuLgn0jA7vYpnDjTiSPTYD3sTFtR59V4TvLJZJNsrDmxiUpcK1qhDBavX2PRj7Fvr6HYFG43HfTsFX9CkboOc+D4vHx88++FuE652Apv9e5k9rP8YltOnDNNsGZP6YjVBNEvIAoPFKMZZi+g8VXPzZHFwBuVX+3AgMBAAECgYBLYR6uOqUApoZqjtVia5BpX0Ijej+ygyBZH1Qs3Z9E4iTz42RpkWJKCHdS6Eia2kpOlznqbbmRv4E8uT3ufCvUFexjR5ClGVKJ+XHXxqS75+KT38wGZZ1bW0pK4sT1/aGLrt5/netwuzMi/YFNfAKRPqvRXuNcxNLhMhs2efLKIQJBAPGea2UXVWd0Ti8ClA8hiWPSNCPtcp41Dh2H0YczrFmO2zafPPJih2GQY5txszwBLbjxFCY8/WhrYAqx0itMrgsCQQDKh5U1NfpRvk0Hu8iBRB/LPyGimz+WM/chFSC65SlS/cml3U7hUOj2lRGPz+bm68624H0KLviqpBJpmayvbbyFAkEA1NNFJ9uAx8rDn1b3EcjpmvqqIMdjwYVcNJjQ7/WNJ6nU3+0toxc0xrSHeIGTbhRfsNrxc6kfUV3bUDBHvwog9wJBAI+fRH1ekOwlAqVIUnDw6YcNdwHEDHysz0TDodlHp112Ieign06DPSGYJsMQURNTB92CJsnw82C3R2Nhmicxr60CQQCN466JF9GJRZipO64OYw/ElMac7vXgTeGMvYZ2/yfX5CRCLua4DygD1Ju0eMXpea9og/EtwCTV0RVpFc9SSN8V"
condition:
$a or $b
}
rule smsfraud : ganga
{
meta:
author = "Fernando Denis https://twitter.com/fdrg21"
reference = "https://koodous.com/"
description = "smsfraud chinese"
sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
strings:
$string_a_1 = "HHHEEEEEEBBBBBB??????;;;;;;888888444444000000,,,,,,''''''''''''######OOO###"
$string_a_2 = "2e6081a2-a063-45c7-ab90-5db596e42c7c"
condition:
androguard.package_name("com.yr.sx") or
all of ($string_a_*) or
androguard.activity(/com.snowfish.cn.ganga.offline.helper.SFGameSplashActivity/)
}
rule sms_fraud : MSACM32
{
meta:
author = "Fernando Denis https://twitter.com/fdrg21"
reference = "https://koodous.com/"
description = "sms-fraud examples"
sample = "8b9cabd2dafbba57bc35a19b83bf6027d778f3b247e27262ced618e031f9ca3d c52112b45164b37feeb81e0b5c4fcbbed3cfce9a2782a2a5001fb37cfb41e993"
strings:
$string_a = "MSACM32.dll"
$string_b = "android.provider.Telephony.SMS_RECEIVED"
$string_c = "MAIN_TEXT_TAG"
condition:
all of ($string_*) and
androguard.permission(/android.permission.SEND_SMS/)
}
rule sms_fraud_gen : generic
{
meta:
author = "Fernando Denis https://twitter.com/fdrg21"
reference = "https://koodous.com/"
description = "This is just an example"
thread_level = 3
in_the_wild = true
strings:
$a = "080229013346Z"
$c = "350717013346Z0"
$b = "NUMBER_CHAR_EXP_SIGN"
condition:
$a and $b and $c and
androguard.permission(/android.permission.SEND_SMS/)
}
rule smsfraud_apk
{
meta:
author = "https://twitter.com/plutec_net"
reference = "https://koodous.com/"
description = "This rule detects apks related with sms fraud"
sample = "79b35a99f16de6912d6193f06361ac8bb75ea3a067f3dbc1df055418824f813c"
condition:
androguard.certificate.sha1("9E1B8719D80656E9EADAAB4251B2CFB4C8188835")
}