"ET MOBILE_MALWARE MOONSHINE payload C2 activity"
SID: 2028622
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Android, attack_target Mobile_Client, created_at 2019_09_25, deployment Perimeter, malware_family Android_Moonshine, signature_severity Critical, tag Android, updated_at 2019_09_25
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: 10011
Flow: established,to_server
Contents:
-
Value: "/ws?whisky_id|3d|"
-
Value: "User-Agent|3a 20|hots|20|scot"
-
Value: "Upgrade|3a 20|websocket"
Within:
PCRE:
Special Options:
- fast_pattern