Rule History

SID: 10012740 • Source: ptrules/open

Versions (6)

Version DetailsCurrent

Rev: 1 • Oct 9, 2025, 2:49 PM

Message:

BANKER [PTsecurity] Crocodilus

Rule:

alert http any any -> any any (msg:"BANKER [PTsecurity] Crocodilus"; flow:established, to_server; http.method; content:"POST"; http.header; content:"Content-Type: application/json|3b| charset=UTF-8"; content:"User-Agent: Dalvik/"; content:"Connection: Keep-Alive"; content:"Accept-Encoding: gzip"; content:!"Referer"; http.request_body; content:"{|22|carFileDoesnt|22|:"; startswith; content:"|22|miniature|22|:"; distance:0; reference:url, threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices; reference:url, tria.ge/250107-ya4e5avqdy/behavioral2; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10012740; rev:1;)

Created:

Oct 9, 2025, 2:49 PM

Updated:

Oct 9, 2025, 2:49 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Oct 16, 2025, 10:34 AM

Filename:

rules/ptopen-malware.rules