""ET EXPLOIT Remote Command Execution via Android Debug Bridge 2""

SID: 2025888

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, signature_severity Critical, updated_at 2018_07_24

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: 5555

Flow: from_server,established

Contents:

  • Value: "OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"

Within:

PCRE:

Special Options:

  • fast_pattern

source