""ET EXPLOIT Remote Command Execution via Android Debug Bridge 2""
SID: 2025888
Revision: 1
Class Type: trojan-activity
Metadata: affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, signature_severity Critical, updated_at 2018_07_24
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: $HOME_NET
Destination Port: 5555
Flow: from_server,established
Contents:
- Value: "OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"
Within:
PCRE:
Special Options:
- fast_pattern