| Destination | 126.96.36.199 (Switzerland) | http (80) | simpleqibla.com |
- Mobile Ransomware.
  - The rule looks very specific; initially assumed this was a hit.
  - Was able to isolate this to a person by walking through associated events and determining arrival/departure times.
  - This hit resulted from browsing the Google Play store (the user was investigating Islamic prayer applications that used location data):
    - Clicking "Go to Developer Website" from the above application description page results in the rule being triggered.
- A few possibilities:
  - The application above is the malware and checks in to the web site once deployed.
  - Malware was installed shortly after the user visited the above URL, and this is not a correctly matching rule.
  - Coincidental match (seems very unlikely).
  - This is throwaway-ware and is free; this could be code reuse by the ransomware authors, a watering-hole attack, or a sponsored location-gathering application deployment.
  - It's possible the rule itself is formed based on incorrect assumptions.
- Virtually no hits on the rule given how specific it is.
- Leave it for now with no alarm but create a tripwire to watch this for the next several hours.
- No action.
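As an added illustration of the tripwire step above (this is example code, not part of the original triage notes), the script below watches a connection log for further contact with the destination from the table. It treats the single, already-attributed hit as expected and alerts only on what would change the assessment: a repeat contact from the same source (which would support the check-in hypothesis) or contact from any other source inside the watch window. The log format, the source addresses, the timestamps and the six-hour window are all constructed assumptions; only the destination IP, port and hostname come from the notes.

```python
"""Tripwire for follow-up hits on a triaged destination.

Added example, not taken from the original notes. Assumes a simple
constructed connection-log format, one event per line:

    <ISO-8601 timestamp> <source> <dest_ip> <dest_port> <dest_host>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Destination from the triage table (the only values taken from the notes).
WATCH_IP = "126.96.36.199"
WATCH_PORT = 80
WATCH_HOST = "simpleqibla.com"


@dataclass
class Event:
    ts: datetime
    src: str
    dst_ip: str
    dst_port: int
    dst_host: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, src, dst_ip, dst_port, dst_host = line.split()
    return Event(datetime.fromisoformat(ts), src, dst_ip, int(dst_port), dst_host)


def matches_watch(ev: Event) -> bool:
    """True if the event contacts the watched destination by IP:port or by hostname."""
    by_ip = ev.dst_ip == WATCH_IP and ev.dst_port == WATCH_PORT
    return by_ip or ev.dst_host == WATCH_HOST


def tripwire(lines, attributed_src: str, first_hit: datetime, window_hours: int = 6):
    """Return (reason, event) alerts for watched-destination hits inside the window.

    The first hit from attributed_src is the one already explained by the
    Play-store browsing session and is not alerted on. A second hit from the
    same source, or any hit from another source, is.
    """
    deadline = first_hit + timedelta(hours=window_hours)
    alerts = []
    hits_from_attributed = 0
    for line in lines:
        ev = parse_line(line)
        if not matches_watch(ev):
            continue
        if ev.ts < first_hit or ev.ts > deadline:
            continue  # outside the watch window; not this tripwire's concern
        if ev.src == attributed_src:
            hits_from_attributed += 1
            if hits_from_attributed > 1:
                alerts.append(("repeat from attributed source", ev))
        else:
            alerts.append(("new source", ev))
    return alerts


# Constructed sample log: the triaged hit, unrelated traffic, a repeat from the
# same device, a hit from a second device, and a hit after the window closes.
SAMPLE_LOG = [
    "2024-01-15T09:14:02 10.0.0.21 126.96.36.199 80 simpleqibla.com",
    "2024-01-15T09:14:05 10.0.0.21 203.0.113.9 443 example.org",
    "2024-01-15T11:30:00 10.0.0.21 126.96.36.199 80 simpleqibla.com",
    "2024-01-15T12:05:00 10.0.0.37 126.96.36.199 80 simpleqibla.com",
    "2024-01-16T09:00:00 10.0.0.44 126.96.36.199 80 simpleqibla.com",
]


def run_sample():
    """Run the tripwire over the constructed log; returns two alerts."""
    first_hit = datetime.fromisoformat("2024-01-15T09:14:02")
    return tripwire(SAMPLE_LOG, attributed_src="10.0.0.21", first_hit=first_hit)


if __name__ == "__main__":
    for reason, ev in run_sample():
        print(f"{ev.ts.isoformat()} {ev.src} -> {ev.dst_host}: {reason}")
```

Matching on both the IP:port pair and the hostname is deliberate: a developer site behind shared hosting may move between addresses, and a rule keyed on one or the other alone would miss the follow-up contact that decides between the benign and the check-in explanations.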