Thursday, December 4, 2014

DeathRing, preloaded Android malware sample

Research: Lookout: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014

Sample credit: Tim Strazzere

Size: 95024
MD5:  1E799AC26231D64DD496353FB78A5C46

Download. Email me if you need the password

Wednesday, November 19, 2014

Android Appinventor Trojan Bankers

Research: Securelist, Fabio Assolini: Brazilian Trojan Bankers – now on your Android Play Store!
Sample credit: Fabio Assolini

Size: 1802104
MD5:  A18AC7C62C5EFD161039DB29BFDAA8EF

File: appinventor.ai_funayamajogos.Caixa_1.3.2.apk
Size: 1410959
MD5:  00C79B15E024D1B32075E0114475F1E2

Download. Email me if you need the password.

Wednesday, November 5, 2014

Wirelurker for OSX, iOS (Part I) and Windows (Part II) samples

Part I: OS X and iOS
Research: Palo Alto, Claud Xiao: WIRELURKER: A New Era in iOS and OS X Malware
Palo Alto, Claud Xiao: blog post on WireLurker
WireLurker Detector
Sample credit: Claud Xiao

Part II: Windows (WinLurker)
Research: Palo Alto, Claud Xiao: WireLurker for Windows
Sample credit: Claud Xiao

Download Part I
Download Part II

Email me if you need the password

List of files

Part II

微博 3.4.1.dmg 925cc497f207ec4dbcf8198a1b785dbd
apps.ipa 54d27da968c05d463ad3168285ec6097
WhatsAppMessenger 2.11.7.exe eca91fa7e7350a4d2880d341866adf35
使用说明.txt 3506a0c0199ed747b699ade765c0d0f8
libxml2.dll c86bebc3d50d7964378c15b27b1c2caa
libiconv-2_.dll 9c8170dc4a33631881120a467dc3e8f7
msvcr100.dll bf38660a9125935658cfa3e53fdc7d65
libz_.dll bd3d1f0a3eff8c4dd1e993f57185be75
mfc100u.dll f841f32ad816dbf130f10d86fab99b1a
zlib1.dll c7d4d685a0af2a09cbc21cb474358595

│   apps.ipa
│   微博 3.4.1.dmg
│
└───WhatsAppMessenger 2.11.7
        WhatsAppMessenger 2.11.7.exe

Part I
List of hashes 

BikeBaron 15e8728b410bfffde8d54651a6efd162
CleanApp c9841e34da270d94b35ae3f724160d5e dca13b4ff64bcd6876c13bbb4a22f450 c4264b9607a68de8b9bbbe30436f5f28 94a933c449948514a3ce634663f9ccf8 f92640bed6078075b508c9ffaa7f0a78 83317c311caa225b17ac14d3d504387d 6507f0c41663f6d08f497ab41893d8d9 e6e6a7845b4e00806da7d5e264eed72b bda470f4568dae8cb12344a346a181d9 fd7b1215f03ed1221065ee4508d41de3 af772d9cca45a13ca323f90e7d874c2c
FontMap1.cfg 204b4836a9944d0f19d6df8af3c009d5
foundation 0ff51cd5fe0f88f02213d6612b007a45
globalupdate 9037cf29ed485dae11e22955724a00e7
itunesupdate a8dfbd54da805d3c52afc521ab7b354b
libcrypto.1.0.0.dylib 4c5384d667215098badb4e850890127b 3b533eeb80ee14191893e9a73c017445
libiconv.2.dylib 94f9882f5db1883e7295b44c440eb44c fac8ef9dabdb92806ea9b1fde43ad746
libimobiledevice.4.dylib c596adb32c143430240abbf5aff02bc0 5b0412e19ec0af5ce375b8ab5a0bc5db
libiodb.dylib bc3aa0142fb15ea65de7833d65a70e36
liblzma.5.dylib 5bdfd2a20123e0893ef59bd813b24105 9ebf9c0d25e418c8d0bed2a335aac8bf
libplist.2.dylib 903cbde833c91b197283698b2400fc9b 109a09389abef9a9388de08f7021b4cf
libssl.1.0.0.dylib 49b937c9ff30a68a0f663828be7ea704 ab09435c0358b102a5d08f34aae3c244
libusbmuxd.2.dylib e8e0663c7c9d843e0030b15e59eb6f52 9efb552097cf4a408ea3bab4aa2bc957
libxml2.2.dylib 34f14463f28d11bd0299f0d7a3985718 95506f9240efb416443fcd6d82a024b9
libz.1.dylib 28ef588ba7919f751ae40719cf5cffc6 f2b19c7a58e303f0a159a44d08c6df63
libzip.2.dylib 2a42736c8eae3a4915bced2c6df50397
machook 5b43df4fac4cac52412126a6c604853c ecb429951985837513fdf854e49d0682
periodicdate aa6fe189baa355a65e6aafac1e765f41
pphelper 2b79534f22a89f73d4bb45848659b59b
sfbase.dylib bc3aa0142fb15ea65de7833d65a70e36 (same MD5 as libiodb.dylib)
sfbase_v4000.dylib 582fcd682f0f520e95af1d0713639864
sfbase_v4001.dylib e40de392c613cd2f9e1e93c6ffd05246
start e3a61139735301b866d8d109d715f102 3fa4e5fec53dfc9fc88ced651aa858c6 dea26a823839b1b3a810d5e731d76aa2
systemkeychain-helper e03402006332a6e17c36e569178d2097 358c48414219fdbbbbcff90c97295dff
WatchProc a72fdbacfd5be14631437d0ab21ff960
7b9e685e89b8c7e11f554b05cdd6819a 7b9e685e89b8c7e11f554b05cdd6819a
update 93658b52b0f538c4f3e17fdf3860778c 9adfd4344092826ca39bbc441a9eb96f

File listing

│       foundation
│   ├───version_A
│   │   │   globalupdate
│   │   │   machook
│   │   │   sfbase.dylib
│   │   ├───dylib
│   │   │       libcrypto.1.0.0.dylib
│   │   │       libiconv.2.dylib
│   │   │       libimobiledevice.4.dylib
│   │   │       liblzma.5.dylib
│   │   │       libplist.2.dylib
│   │   │       libssl.1.0.0.dylib
│   │   │       libusbmuxd.2.dylib
│   │   │       libxml2.2.dylib
│   │   │       libz.1.dylib
│   │   ├───log
│   │   └───update
│   ├───version_B
│   │       globalupdate
│   │       itunesupdate
│   │       machook
│   │       start
│   │       WatchProc
│   └───version_C
│       │   periodicdate
│       │   systemkeychain-helper
│       └───manpath.d
│               libcrypto.1.0.0.dylib
│               libiconv.2.dylib
│               libimobiledevice.4.dylib
│               libiodb.dylib
│               liblzma.5.dylib
│               libplist.2.dylib
│               libssl.1.0.0.dylib
│               libusbmuxd.2.dylib
│               libxml2.2.dylib
│               libz.1.dylib
│               libzip.2.dylib
│       sfbase.dylib
│       sfbase_v4000.dylib
│       sfbase_v4001.dylib
│       start
│       7b9e685e89b8c7e11f554b05cdd6819a
│       pphelper
│       BikeBaron
│       CleanApp
│       FontMap1.cfg
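The MD5 lists above are the only way to confirm that what you unpack from the archive is the file the write-up discusses, and the list itself has quirks (several hashes per name, one file named after its own hash, repeated tokens). The script below is an added example, not part of the original page or of the Palo Alto research: it parses the page's "name md5 [md5 ...]" line format, hashes every file under a directory, and classifies each one as a match, a relabelled copy of a listed sample, a mismatch, or unknown. The directory layout, file contents and manifest in demo() are constructed for the example; the first two manifest hashes are MD5("abc") and MD5 of the empty file so it runs offline, the third is the page's own hash for `start`.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_manifest(text):
    """Parse 'name md5 [md5 ...]' lines as they appear on this page.

    Returns (by_name, by_hash): name -> set of MD5s and MD5 -> set of names.
    A line consisting only of a hash is a sample named after its own hash.
    Tokens that are not 32 hex digits are ignored and repeats are collapsed.
    """
    by_name = defaultdict(set)
    by_hash = defaultdict(set)
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        name, hashes = tokens[0], tokens[1:]
        if not hashes and HEX32.match(name):
            hashes = [name]
        for h in hashes:
            if HEX32.match(h):
                h = h.lower()
                by_name[name].add(h)
                by_hash[h].add(name)
    return dict(by_name), dict(by_hash)


def md5_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large archives are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_tree(root, by_name, by_hash):
    """Classify every file under root against the manifest.

    match    - name and MD5 are listed together
    renamed  - MD5 is listed, but under another name (same sample, relabelled)
    mismatch - name is listed, but with a different MD5 (wrong or altered file)
    unknown  - neither name nor MD5 is in the manifest
    Returns {relative path: (status, md5, names the hash is listed under)}.
    """
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            digest = md5_file(path)
            if digest in by_name.get(fname, ()):
                status = "match"
            elif digest in by_hash:
                status = "renamed"
            elif fname in by_name:
                status = "mismatch"
            else:
                status = "unknown"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report[rel] = (status, digest, sorted(by_hash.get(digest, ())))
    return report


def demo():
    """Constructed sample tree (not the real archive); returns {path: status}."""
    # Constructed manifest in the page's format: MD5('abc'), MD5('') for an
    # offline run, the page's own hash for 'start', and a bare-hash line.
    manifest = """\
start 900150983cd24fb0d6963f7d28e17f72 e3a61139735301b866d8d109d715f102
machook d41d8cd98f00b204e9800998ecf8427e
7b9e685e89b8c7e11f554b05cdd6819a
"""
    by_name, by_hash = parse_manifest(manifest)
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "version_B"))
        files = {
            "version_B/start": b"abc",   # listed hash under listed name -> match
            "version_B/machook": b"",    # empty file, hash listed       -> match
            "WatchProc": b"abc",         # hash listed only for 'start'  -> renamed
            "start": b"xyz",             # name listed, hash is not      -> mismatch
            "pphelper": b"xyz",          # nothing listed                -> unknown
        }
        for rel, content in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(content)
        report = check_tree(root, by_name, by_hash)
    return {path: status for path, (status, _, _) in report.items()}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

MD5 is used here only because it is what the page records; it identifies a sample but does not protect against an attacker who controls both files, so record SHA-256 alongside it when you catalogue the archive.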

Thursday, October 30, 2014

Android icon vulnerability - malware sample

Research: Cheetah Mobile: Android icon vulnerability can cause serious system-level crashes
The malware ships with an oversized icon resource; loading it exhausts the system's resources and crashes important processes such as Settings and the Launcher.

Sample credit: Weuzhu Liu

File: d.apk
Size: 12245344
MD5:  DD23039E2C18F2CD1CA2604478E8CD00

Download. Email me if you need the password
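An oversized icon can be spotted statically before the APK is ever installed, because an APK is a ZIP and a PNG states its pixel dimensions in its IHDR chunk. The script below is an added example, not code from Cheetah Mobile or from the sample: it reads only the first bytes of each image under res/, flags entries whose pixel dimensions or stored size exceed limits, and never decompresses a whole entry. The thresholds are assumptions of this example (the page does not give the real icon's size), and the APK built by build_test_apk() is constructed for the demonstration, with a PNG header claiming 30000x30000 pixels; it is not the d.apk sample.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".webp", ".gif")


def png_dimensions(head):
    """Width and height from a PNG's IHDR chunk, or None if this is not a PNG."""
    if len(head) < 24 or not head.startswith(PNG_SIG) or head[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", head[16:24])


def scan_apk_images(apk, max_stored=1 << 20, max_pixels=4096 * 4096):
    """Flag image resources under res/ that exceed the limits.

    Thresholds are assumptions for this example: 1 MiB stored size and
    16 Mpixel (about 64 MiB of RGBA once decoded). Only the first 32 bytes
    of each entry are read, so a huge entry is never fully decompressed.
    Returns {entry name: {"stored": n, "dims": (w, h) or None, "reasons": [...]}}.
    """
    if isinstance(apk, (bytes, bytearray)):
        apk = io.BytesIO(apk)
    findings = {}
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            name = info.filename
            if not name.startswith("res/") or not name.lower().endswith(IMAGE_EXT):
                continue
            with z.open(info) as f:
                head = f.read(32)
            dims = png_dimensions(head)
            reasons = []
            if info.file_size > max_stored:
                reasons.append("stored_size")
            if dims and dims[0] * dims[1] > max_pixels:
                reasons.append("pixel_dimensions")
            if reasons:
                findings[name] = {"stored": info.file_size, "dims": dims, "reasons": reasons}
    return findings


def png_header(width, height):
    """Minimal PNG: signature plus a valid IHDR chunk (enough for the scanner)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


def build_test_apk():
    """Constructed APK (a plain ZIP) for the example; not the d.apk sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("res/drawable/ic_launcher.png", png_header(30000, 30000))  # icon trick
        z.writestr("res/drawable/ok.png", png_header(48, 48))                 # normal icon
        z.writestr("res/raw/padding.jpg", b"\xff\xd8" + b"\0" * (2 << 20))    # 2 MiB stored
    return buf.getvalue()


def demo():
    """Scan the constructed APK and return the findings."""
    return scan_apk_images(build_test_apk())


if __name__ == "__main__":
    for name, hit in demo().items():
        print(name, hit)
```

Pixel dimensions matter more than the stored byte count: a PNG of 30000x30000 pixels compresses to almost nothing on disk but needs width x height x 4 bytes once a system process decodes it, which is what the launcher and Settings choke on. The scanner keeps both checks because a padded file also inflates the APK and the install.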

Android ransomware samples Koler.C


Samples credit:  Mario Bono

Download. Email me if you need the password

SMS worm Selfmite

Research: AdaptiveMobile: Take Two: Selfmite.b Hits the Road

Sample credit: Charlie Bronson


Download. Email me if you need the password

Wednesday, October 29, 2014

Android WipeLocker.A

File: Angry_BirdTransformers_1.1.0.apk
Size: 548938
MD5:  4E2201CDE26141715255D2421F0BCFB1

Sample credit: İbrahim BALİÇ

Download. Email me if you need the password

Android Chathook ptrace



Sample credit: Thomas Wang

Download. Email me if you need the password

Wednesday, October 8, 2014

Xsser mRat Android and iOS samples

Sorry for the delay, here are the Xsser samples.

Xsser Android
File: code4hk.apk
Size: 409709
MD5:  15E5143E1C843B4836D7B6D5424FB4A5
Sample credit: Shalom Bublil

Xsser (mRat) for iOS

File: xsser.0day_1.1_iphoneos-arm.deb
MD5:  2ee65c7faeba0899d397f6e105cc53c3
Sample credit: KernelMode forum and anonymous upload to Malwaredump

Dylib files from the C2 (e.g. iLib.4.0.0.dylib | 4.0.0 | 1033720)


Monday, September 15, 2014

iOS AppBuyer malware - infostealer

Research: Wei Feng Technology Group: report on the source of the malicious plug-in used by the hackers (CN)
Palo Alto: AppBuyer: New iOS Malware Steals Apple ID and Password to Buy Apps

Sample credit: Claud Xiao

File: com.archive.plist
MD5:  6EEE2BA0C18C69A71E3F879C2A46BDAA

File: updatesrv
MD5:  1C32F9F05234CAC7DD7A83E3925A3105

File: u2_88
MD5:  B4DAFC195DB19C661C25C54AEA39982B

File: u1_88
MD5:  68424FF30F6FD1DEBD3CFF1997FAB17E

File: u1
MD5:  69147A1AD05D64202B2D7BB0EA1BAB46

File: u2_80
MD5:  5F4741EBAFFD9C53473D79A1252F82CB

File: u1_80
MD5:  B88451E74C1091B9022F7199704959B0

Download. Email me if you need the password.

Sunday, August 3, 2014

Android XXshenqi SMS sender

Analysis Report: Baidu
Sample credit: Thomas Wang

Size: 1563595
MD5:  EF819779FC4BEE6117C124FB752ABF57

File: XXshenqi.apk
Size: 2588891
MD5:  9C06E0963A3F3383CD810F5041364BFA

Download. Email me if you need the password

Wednesday, July 23, 2014

Android ScarePackage Ransomware

Research: Lookout: U.S. targeted by coercive mobile ransomware impersonating the FBI
Sample credit: Tim Strazzere

Size: 488296
MD5:  645A60E6F4393E4B7E2AE16758DD3A11

Download. Email me if you need the password

Monday, June 23, 2014

(Another) Android Trojan Scheme Using Google Cloud Messaging - SMS Spyware

Sample credit: Federico Maggi

File: test98.apk
Size: 1051288
MD5:  D65C5EF9739ABAE77F5B13B8B562B18A

File: test99.apk
Size: 1051283
MD5:  D968FF20B7A25A79E922511101B7F7CC

File: test97.apk
Size: 1051286
MD5:  5A7C8EB61061F86FDCDBF9118711CC53

Wednesday, June 4, 2014

Simplocker - Android File-Encrypting, TOR-enabled Ransomware

File: fd694cf5ca1dd4967ad6e8c67241114c.bin
Size: 4917678
MD5:  FD694CF5CA1DD4967AD6E8C67241114C

Research: ESET Analyzes First Android File-Encrypting, TOR-enabled Ransomware
Sample credit: Sanjay Gupta

Download. Email me if you need the password