                            IP Address    Port         Hostname
Source (local)                            40519
Destination (Switzerland)                 http (80)
  • Mobile Ransomware.
False Positive:

  • Probably.
  • The rule looks very specific, so this was initially assumed to be a true hit.
  • Was able to attribute this to one person by walking through associated events and determining arrival/departure times.
  • This hit resulted from browsing the Google Play Store (the user was investigating Islamic prayer applications which used location data):
  • Clicking "Go to Developer Website" from the above application description page results in the rule being triggered.
  • A few possibilities:
    • The application above is the malware and checks in to the web site once deployed.
    • Malware was installed shortly after the user visited the above URL and this is not a correctly matching rule.
    • Coincidental match (seems very unlikely).
    • This is throwaway-ware and is free; this could be code reuse by the ransomware authors, a watering-hole attack, or a sponsored deployment of a location-gathering application.
  • It's possible the rule itself is based on incorrect assumptions.
  • Virtually no hits on the rule given how specific it is.
  • Leave it for now with no alarm, but create a tripwire to watch this for the next several hours.
  • No action.
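As an added example (not part of the original triage note, and not the SIEM's own tooling), the tripwire described above can be implemented as a small watcher that re-scans alert logs for the same local host contacting the same destination on the same signature within a fixed window. A single hit is consistent with the one-off click on the developer link; repeated hits, especially at regular intervals, look like a check-in and justify escalating. The log format, the local address 10.0.0.5, the destination 203.0.113.7, the signature label and the sample lines are all constructed for this example; the port 40519 and the "Mobile Ransomware" rule name come from the note.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    signature: str

def parse_event(line: str) -> Event:
    """Parse one constructed alert line of the form
    '<ISO timestamp> <src_ip>:<port> -> <dst_ip>:<port> sig=<rule name>'."""
    ts_text, rest = line.strip().split(" ", 1)
    flow, signature = rest.split(" sig=", 1)
    src, dst = flow.split(" -> ")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(datetime.fromisoformat(ts_text), src_ip, int(src_port),
                 dst_ip, int(dst_port), signature)

def is_periodic(timestamps, tolerance: float = 0.2) -> bool:
    """True when three or more hits are spaced at near-constant intervals,
    which is the pattern a scheduled check-in produces and a human click does not."""
    if len(timestamps) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return False
    return all(abs(g - mean) / mean <= tolerance for g in gaps)

def tripwire(lines, src_ip: str, dst_ip: str, dst_port: int, signature: str,
             start: datetime, window: timedelta = timedelta(hours=6),
             threshold: int = 2) -> dict:
    """Re-scan alert lines for the watched (source, destination, rule) tuple
    inside [start, start + window]. Escalate once the hit count reaches the
    threshold; report whether the hits are periodic as a beaconing indicator."""
    hits = []
    for line in lines:
        e = parse_event(line)
        if (e.src_ip == src_ip and e.dst_ip == dst_ip and e.dst_port == dst_port
                and e.signature == signature and start <= e.ts <= start + window):
            hits.append(e)
    hits.sort(key=lambda e: e.ts)
    return {
        "hits": len(hits),
        "periodic": is_periodic([e.ts for e in hits]),
        "verdict": "escalate" if len(hits) >= threshold else "no action",
    }

# Constructed sample logs. The first reflects the note's scenario: one hit from the
# developer-website click and otherwise unrelated traffic. The second shows what a
# check-in would look like: the same tuple recurring every 30 minutes.
START = datetime(2024, 1, 1, 10, 0, 0)
BENIGN_LOG = [
    "2024-01-01T10:00:00 10.0.0.5:40519 -> 203.0.113.7:80 sig=Mobile Ransomware",
    "2024-01-01T10:05:00 10.0.0.5:40520 -> 198.51.100.9:443 sig=Policy Violation",
    "2024-01-01T12:00:00 10.0.0.8:51000 -> 203.0.113.7:80 sig=Mobile Ransomware",
]
REPEAT_LOG = BENIGN_LOG + [
    "2024-01-01T10:30:00 10.0.0.5:40601 -> 203.0.113.7:80 sig=Mobile Ransomware",
    "2024-01-01T11:00:00 10.0.0.5:40702 -> 203.0.113.7:80 sig=Mobile Ransomware",
    "2024-01-01T11:30:00 10.0.0.5:40803 -> 203.0.113.7:80 sig=Mobile Ransomware",
]

def watch_benign() -> dict:
    return tripwire(BENIGN_LOG, "10.0.0.5", "203.0.113.7", 80, "Mobile Ransomware", START)

def watch_repeat() -> dict:
    return tripwire(REPEAT_LOG, "10.0.0.5", "203.0.113.7", 80, "Mobile Ransomware", START)

if __name__ == "__main__":
    print("benign:", watch_benign())
    print("repeat:", watch_repeat())
```

The watcher keys on the local host rather than the ephemeral source port, since each new connection picks a fresh port; the third benign line (a different local host hitting the same destination) is deliberately excluded so the tripwire stays scoped to the person already identified.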