| | IP Address | Port | Hostname |
|---|---|---|---|
| Source | (local) | 40519 | |
| Destination | 141.8.224.93 (Switzerland) | http (80) | simpleqibla.com |
Description:
- Mobile Ransomware.
False Positive:
- Probably
- The rule looks very specific; initially assumed this was a hit.
- Was able to isolate this to a person by walking through associated events and determining arrival/departure times.
- This hit resulted from browsing the Google Play Store (user was investigating Islamic prayer applications which used location data):
- Clicking go to Developer Website from the above application description page results in the rule being triggered.
- A few possibilities:
- The application above is the malware and checks in to the web site once deployed.
- Malware was installed shortly after the user visited the above URL and this is not a correctly matching rule.
- Coincidental match (seems very unlikely).
- This is free throwaway-ware; this could be code reuse by the ransomware authors, a watering-hole attack, or a sponsored location-gathering application deployment.
Action:
- It's possible the rule itself is formed based on incorrect assumptions.
- Virtually no hits on the rule given how specific it is.
- Leave it for now with no alarm but create a tripwire to watch this for the next several hours.
- No action.
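An added example (not part of the original triage note) of the tripwire proposed above: it watches constructed proxy-log lines for further connections to the flagged destination during the watch window and classifies each source's hits as a one-off click on the page, evenly spaced check-ins (the pattern the "application checks in once deployed" hypothesis would produce), or something else. The log format, the six-hour window and the sample hosts and addresses other than the alert's own are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WATCH_IP = "141.8.224.93"       # destination IP from the alert
WATCH_HOST = "simpleqibla.com"  # destination hostname from the alert
WINDOW = timedelta(hours=6)     # "next several hours" (assumed length)

# Constructed sample proxy log (assumed format): ts|src|dst_ip|dst_port|host|referer
SAMPLE_LOG = """\
2015-05-01T09:12:03|10.0.0.15|141.8.224.93|80|simpleqibla.com|https://play.google.com/store/apps/details
2015-05-01T09:12:04|10.0.0.15|141.8.224.93|80|simpleqibla.com|https://play.google.com/store/apps/details
2015-05-01T09:30:00|10.0.0.15|198.51.100.7|443|unrelated.example|-
2015-05-01T10:00:00|10.0.0.42|141.8.224.93|80|simpleqibla.com|-
2015-05-01T10:15:00|10.0.0.42|141.8.224.93|80|simpleqibla.com|-
2015-05-01T10:30:01|10.0.0.42|141.8.224.93|80|simpleqibla.com|-
2015-05-01T10:45:00|10.0.0.42|141.8.224.93|80|simpleqibla.com|-
2015-05-02T09:12:03|10.0.0.15|141.8.224.93|80|simpleqibla.com|-
"""

def parse_log(text):
    """Parse the pipe-delimited sample lines into event dicts (ts becomes a datetime)."""
    keys = ("ts", "src", "dst_ip", "dst_port", "host", "referer")
    events = [dict(zip(keys, line.split("|"))) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def watched_hits(events, start, window=WINDOW):
    """Timestamps of hits on the flagged destination, per source, inside the window."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if (e["dst_ip"] == WATCH_IP or e["host"] == WATCH_HOST) \
                and start <= e["ts"] <= start + window:
            hits[e["src"]].append(e["ts"])
    return hits

def classify(timestamps):
    """one-off: one burst inside five minutes (a click); periodic: evenly spaced check-ins; repeated: else."""
    if timestamps[-1] - timestamps[0] < timedelta(minutes=5):
        return "one-off"
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) >= 3 and pstdev(gaps) / mean(gaps) < 0.1:
        return "periodic"
    return "repeated"

def tripwire(text, start_iso):
    start = datetime.fromisoformat(start_iso)  # verdict per source for start .. start + WINDOW
    return {src: classify(ts) for src, ts in watched_hits(parse_log(text), start).items()}
```

A source classified "periodic" would be the evidence for the check-in hypothesis; a "one-off" matches the observed click on the developer website link.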