alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

Added 2018-09-13 19:46:56 UTC


Added 2018-09-13 17:57:37 UTC


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

Added 2017-08-07 21:10:40 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:1;)

Added 2013-05-15 21:23:51 UTC


Topic revision: r1 - 2018-09-13 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats