""ET MOBILE_MALWARE Android/RatMilad CnC Checkin""

SID: 2039786

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Android, attack_target Mobile_Client, created_at 2022_11_15, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2022_11_15

Reference:

  • md5

  • 341a8467de34ed980f463df9e464668c

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "/api/v1/"

  • Value: "Content-Type|3a 20|application/json|3b 20|charset=utf-8"

  • Value: "User-Agent|3a 20|okhttp/"

  • Value: "|7b 22|manufacture|22 3a 22|"

  • Value: "|2c 22|isEmulator|22 3a 22|false|22|"

Within:

PCRE:

Special Options:

  • http_method

  • http_uri

  • http_header

  • http_header

  • http_client_body

  • http_client_body

  • fast_pattern

source