alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Anatsa Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/update"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"|3b 20|Android|20|"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"{|22|hwid|22 3a|"; depth:8; content:",|22|phone_name|22 3a|"; content:",|22|update_installed|22 3a|"; reference:md5,4a01cad9af92247b828478d5e1b3e00d; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034591; rev:3; metadata:attack_target Mobile_Client, created_at 2021_12_07, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_22, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)