ETPRO MOBILE_MALWARE Android/SLocker.AC Checkin

               IP Address      Port        Hostname
Source (local)                 40519
Destination    141.8.224.93    http (80)   simpleqibla.com
               (Switzerland)

Description:

  • Mobile Ransomware.
False Positive:

  • Probably
  • The rule looks very specific; initially assumed this was a hit.
  • Was able to isolate this to a person by walking through associated events and determining arrival/departure times.
  • This hit resulted from browsing the Google Play store (user was investigating Islamic prayer applications which used location data).
  • Clicking "Go to Developer Website" from the above application description page results in the rule being triggered.
  • A few possibilities:
    • The application above is the malware and checks in to the web site once deployed.
    • Malware was installed shortly after the user visited the above URL and this is not a correctly matching rule.
    • Coincidental match (seems very unlikely).
    • This is throwaway-ware and is free; this could be code reuse by the ransomware authors, a watering-hole attack, or a sponsored location-gathering application deployment.
Action:

  • It's possible the rule itself is formed based on incorrect assumptions.
  • Virtually no hits on the rule given how specific it is.
  • Leave it for now with no alarm but create a tripwire to watch this for the next several hours.
  • No action.
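The triage above rests on two checks: correlating the alert with the same host's web-proxy activity (a single request to simpleqibla.com whose Referer is a Play store page is consistent with the "Go to Developer Website" click), and a tripwire that reports any further hit on the signature during a watch window. The following Python is an added example of both checks and is not code from the original ticket or from the rule's vendor. All alert and proxy records are constructed; the client addresses (10.0.0.23, 10.0.0.77), the timestamps and the app id are placeholders, since the ticket only says "Source (local)".

```python
"""Alert triage helper: correlate an IDS alert with web-proxy requests from
the same client, then watch for repeat hits (the ticket's "tripwire").

Added example, not from the original ticket.  Every record below is
constructed; client addresses, timestamps and the app id are placeholders.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

SIGNATURE = "ETPRO MOBILE_MALWARE Android/SLocker.AC Checkin"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"
STORE_HOSTS = {"play.google.com"}   # referers that indicate an app-store click


def ts(s):
    """Parse a timezone-aware timestamp such as 2016-03-07T14:02:11+0000."""
    return datetime.strptime(s, TS_FORMAT)


# Constructed alert records in a Suricata EVE-like shape.  The destination
# (141.8.224.93:80, simpleqibla.com) and source port 40519 come from the ticket.
ALERTS = [
    {"timestamp": "2016-03-07T14:02:11+0000", "src_ip": "10.0.0.23", "src_port": 40519,
     "dest_ip": "141.8.224.93", "dest_port": 80, "signature": SIGNATURE},
    {"timestamp": "2016-03-07T17:30:00+0000", "src_ip": "10.0.0.77", "src_port": 51002,
     "dest_ip": "141.8.224.93", "dest_port": 80, "signature": SIGNATURE},
]

# Constructed proxy lines: timestamp client method url referer ("-" if none).
PROXY_LINES = [
    "2016-03-07T14:01:40+0000 10.0.0.23 GET https://play.google.com/store/apps/details?id=PLACEHOLDER_APP -",
    "2016-03-07T14:02:10+0000 10.0.0.23 GET http://simpleqibla.com/ https://play.google.com/store/apps/details?id=PLACEHOLDER_APP",
    "2016-03-07T14:05:00+0000 10.0.0.50 GET http://example.org/ -",
]


def parse_proxy(line):
    """Split one constructed proxy line into a dict with a parsed time."""
    t, client, method, url, referer = line.split()
    return {"time": ts(t), "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def related_requests(alert, proxy_events, dest_host, window_seconds=60):
    """Requests from the alerting client to the alert's destination host in the
    window_seconds before the alert fired."""
    fired = ts(alert["timestamp"])
    earliest = fired - timedelta(seconds=window_seconds)
    return [e for e in proxy_events
            if e["client"] == alert["src_ip"]
            and earliest <= e["time"] <= fired
            and urlparse(e["url"]).hostname == dest_host]


def classify(alert, proxy_events, dest_host="simpleqibla.com"):
    """Label the alert from proxy evidence.  Only when every related request
    carries an app-store Referer is the hit consistent with the developer-site
    click described in the ticket; anything else is left for an analyst."""
    hits = related_requests(alert, proxy_events, dest_host)
    if not hits:
        return "no-proxy-evidence"
    if all(h["referer"] and urlparse(h["referer"]).hostname in STORE_HOSTS for h in hits):
        return "likely-false-positive"
    return "needs-investigation"


def tripwire(alerts, triaged_alert, watch_hours):
    """Any further hit on the same signature, from any client, within
    watch_hours after the triaged alert trips the wire."""
    start = ts(triaged_alert["timestamp"])
    end = start + timedelta(hours=watch_hours)
    return [a for a in alerts
            if a["signature"] == triaged_alert["signature"]
            and start < ts(a["timestamp"]) <= end]


if __name__ == "__main__":
    events = [parse_proxy(line) for line in PROXY_LINES]
    print(classify(ALERTS[0], events))            # likely-false-positive
    for a in tripwire(ALERTS, ALERTS[0], 24):
        print("tripwire:", a["timestamp"], a["src_ip"])
```

The window and referer checks are deliberately narrow: a request to the destination with no store Referer, or an alert with no proxy record at all, falls back to manual review rather than being suppressed, which is the case the ticket's "malware installed shortly after the visit" possibility is worried about.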