[Community-sigs] new sig Android.Trojan.SpyAgent;
Douglas Goddard
dgoddard at sourcefire.com
Thu Apr 2 13:25:59 EDT 2015
For DEX files, since we do not have a target type, we add the magic as a
subsignature with offset zero.
I'll add the signature as:
Android.Trojan.SpyAgent;Target:0;4&(0|1|2|3)>2,3;22343030313430303122;224c6f6e674c6f6e6722;2d2d2d2d2d736d732d2d2d2d2d;6d6f6e69746f7250686f6e654e756d626572;0:646578
I've confirmed this still alerts:
/tmp/119725b6b9a6f69667ce9e9bd7b7a7a2ccb1bd5a6c7ebc01fd36202b4cf30dba:
Android.Trojan.SpyAgent.UNOFFICIAL FOUND
I was able to find the source here:
http://akana.mobiseclab.org/index.jsp?type=result&md5=HW14d9f1a92dd984d6040cc41ed06e273ebe0df39d6e334908c685e4c77b89efc49cc9bddc528a7c2434576b5a8b740f88
The LongLong:40014001 creds are used in
src/com/google/progress/WifiCheckTask.checkNetworkWithPwd().
Thank you for the signature!
On Thu, Apr 2, 2015 at 11:30 AM, <andreisaygo at live.ie> wrote:
> Signature:
>
> Android.Trojan.SpyAgent;Target:0;(0|1|2|3)>2,3;22343030313430303122;224c6f6e674c6f6e6722;2d2d2d2d2d736d732d2d2d2d2d;6d6f6e69746f7250686f6e654e756d626572
>
> Hashes:
> MD5: f7ea5fa2f1a4febbb281beaf1d6a933f
> SHA1: 874e7c3b47a16872e44296a2fb65d4e8bb8706ef
> SHA256: 119725b6b9a6f69667ce9e9bd7b7a7a2ccb1bd5a6c7ebc01fd36202b4cf30dba
>
>
> Sig0:
> "40014001"
>
> Sig1:
> "LongLong"
>
> Sig2:
> -----sms-----
>
> Sig3:
> monitorPhoneNumber
>
>
> Sig 0 & 1: I suspect that they are related to a CCTV wireless camera (Sig1:
> SSID, Sig0: default pass).
>
> Regards,
> Andrei Saygo
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
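As an added example (not part of the list post and not ClamAV's own code), a small Python model of how the corrected signature is matched: each hex subsignature is decoded, the `0:646578` subsignature only counts when "dex" sits at offset 0, and the logical expression is evaluated over the hit counts. The reading of the `>2,3` modifier (total hits greater than 2 from at least 3 distinct subsignatures) and the precedence of `&` over `|` are assumptions of this model, not a statement of the ClamAV engine's exact behaviour; the sample buffers are constructed.

```python
import re
def parse_ldb(line):
    """name;Target:N;expr;subsig...  A subsig may be 'offset:hex' (0:646578 = 'dex' at 0)."""
    name, _target, expr, *subs = line.split(";")
    parsed = []
    for sub in subs:
        off, _, hexstr = sub.rpartition(":")                 # no ':' means match anywhere
        parsed.append((None if off in ("", "*") else int(off), bytes.fromhex(hexstr)))
    return name, expr, parsed

def evaluate(expr, counts):
    """Recursive-descent evaluation; each node yields (total hits, distinct subsigs hit).
    Assumed reading of 'X>Y,Z': total hits of X greater than Y and at least Z distinct subsigs."""
    tok = re.findall(r",\d+|\d+|[&|()<>=]", expr)
    peek = lambda: tok[0] if tok else None
    def atom():
        t = tok.pop(0)
        if t == "(":
            c, d = or_expr()
            tok.pop(0)                                       # closing ')'
        else:
            c = counts[int(t)]
            d = min(c, 1)
        if peek() in ("<", ">", "="):                        # count modifier, e.g. '>2,3'
            op, n = tok.pop(0), int(tok.pop(0))
            m = int(tok.pop(0)[1:]) if peek() and peek()[0] == "," else 0
            ok = {"<": c < n, ">": c > n, "=": c == n}[op] and d >= m
            c, d = (c, d) if ok else (0, 0)
        return c, d
    def chain(op, operand, combine):                         # left-associative run of one operator
        c, d = operand()
        while peek() == op:
            tok.pop(0)
            c, d = combine((c, d), operand())
        return c, d
    add = lambda a, b: (a[0] + b[0], a[1] + b[1])            # A|B pools hits and subsigs
    both = lambda a, b: add(a, b) if a[1] and b[1] else (0, 0)   # A&B needs both sides matched
    or_expr = lambda: chain("|", lambda: chain("&", atom, both), add)
    return or_expr()

def scan(buf, sig_line):
    name, expr, subs = parse_ldb(sig_line)
    counts = [int(buf[o:o + len(p)] == p) if o is not None else buf.count(p) for o, p in subs]
    return name if evaluate(expr, counts)[1] else None

# Constructed inputs: the signature from the reply, a DEX-like buffer (magic at offset 0, three of the four strings), and the same strings behind a non-DEX header.
SIG = ("Android.Trojan.SpyAgent;Target:0;4&(0|1|2|3)>2,3;22343030313430303122;"
       "224c6f6e674c6f6e6722;2d2d2d2d2d736d732d2d2d2d2d;6d6f6e69746f7250686f6e654e756d626572;0:646578")
DEX_LIKE = b"dex\n035\x00" + b"\x00" * 8 + b'"40014001" "LongLong" monitorPhoneNumber'
NOT_DEX = b"PK\x03\x04" + DEX_LIKE[8:]
```

`scan(DEX_LIKE, SIG)` returns the signature name, while `scan(NOT_DEX, SIG)` returns None because the anchored magic subsignature fails even though the three strings are present.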