Saturday, May 14, 2016

Android Xbot ransomware

Research : Palo Alto New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom by Cong Zheng, Claud Xiao and Zhi Xu

List of files (MD5  SHA256)

ea6d01f87f71afc7fd131f492385d164 93172b122577979ca41c3be75786fdeefa4b80a6c3df7d821dfecefca1aa6b05
79e2b3abdbf33552677660069f891b88 a22b55aaf5d35e9bbc48914b92a76de1c707aaa2a5f93f50a2885b0ca4f15f01
748a81df76ee7e691682e64867fcd48a 20bf4c9d0a84ac0f711ccf34110f526f2b216ae74c2a96de3d90e771e9de2ad4
246f497dc26d18d87f9398758ca1bcc2 f2cfbc2f836f3065d5706b9f49f55bbd9c1dae2073a606c8ee01e4bbd223f29f
7969e4ef1b2fece87b806b5dfe25a3bb 029758783d2f9d8fd368392a6b7fdf5aa76931f85d6458125b6e8e1cadcdc9b4
8e82a09c50b787b18a612addfcaedfab a94cac6df6866df41abde7d4ecf155e684207eedafc06243a21a598a4b658729
538ca97778ac886e121bc054574d7478 e905d9d4bc59104cfd3fc50c167e0d8b20e4bd40628ad01b701a515dd4311449
d5c63390f8a42e051d0ef9fbe7f08046 d082ec8619e176467ce8b8a62c2d2866d611d426dd413634f6f5f5926c451850
6a4a011115e6ab27c9941a849ec27dd2 4b5ef7c8150e764cc0782eab7ca7349c02c78fceb1036ce3064d35037913f5b6
756340895ce28c745d0d6a5409f5ca0f 33230c13dcc066e05daded0641f0af21d624119a5bb8c131ca6d2e21cd8edc1a
d846f7ac66a9a932235fb415b96fee5d dfda8e52df5ba1852d518220363f81a06f51910397627df6cdde98d15948de65
e06dd5ba1a101f855604b486d90d2651 1264c25d67d41f52102573d3c528bcddda42129df5052881f7e98b4a90f61f23
4ed28716716a7f6dc9f6ad1526512b26 7e939552f5b97a1f58c2202e1ab368f355d35137057ae04e7639fc9c4771af7e

Download. Email me if you need the password

Tuesday, February 23, 2016

Files download information

After 7 years of Contagio existence, Google Safe Browsing services notified Mediafire (hoster of Contagio and Contagiominidump files) that "harmful" content is hosted on my Mediafire account.

It is harmful only if you harm your own PC, and it is not suitable for distribution or infecting unsuspecting users, but I have not been able to resolve this with Google and Mediafire.

Mediafire suspended public access to Contagio account.

The file hosting will be moved.

If you need any files now, email me the posted Mediafire links (address in profile) and I will pull out the files and share via other methods.

P.S. I have not been able to resolve it "yet" because it just happened today, not because they refuse to help. I don't want to affect Mediafire's safety reputation and most likely will have to move out this time.

The main challenge is not to find hosting; that is not difficult and I can pay for it. It is the effort to move all files and fix the existing links on the Blogspot, and there are many. I planned to move out a long time ago but did not have time for it. If anyone can suggest how to change all Blogspot links in bulk, I will be happy.

P.P.S. Feb. 24 - The files will be moved to a Dropbox Business account and shared from there (the Dropbox team confirmed they can host it).
The transition will take some time, so email me links to what you need.

Monday, February 22, 2016

ZergHelper - Pirated iOS App Store’s Client sample

Research: Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review by Claud Xiao

Sample credit: Claud Xiao

File information:
开心日常英语 (Happy Daily English) / ZergHelper

File: EnglishStudy
Size: 7925888
MD5:  00C7FF895B8707C2D63BEAD4D5ECC9F6

File: EnglishStudy-v5.0.0.ipa
Size: 21506666
MD5:  8135A3E8EF90558C70223EB00F9B19C0

File: Installer.ipa
Size: 6576644
MD5:  ED9C55AC907F0FA6D8FF6693C3B14835

Download. Email me if you need the password (new location that works)

Sunday, October 4, 2015

YiSpecter iOS iphone malware samples

Research: Palo Alto, Claud Xiao: YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs

Sample Credit: Claud Xiao

File: ADPage  Size: 2570560  MD5: 8E93947DFD1B11A77A04429BD8B32CED
File: ADPage.ipa  Size: 1484304  MD5: 62C6F0E3615B0771C0D189D3A7C50477
File: DaPian  Size: 5978608  MD5: 3A41BB59E2946A66BBD03A8B4D51510B
File: DaPian.ipa  Size: 2826575  MD5: 6E907716DC1AA6B9C490CE58AAAE0D53
File: HYQvod  Size: 1984256  MD5: 35EE9556457D6170EA83C800887C1CBE
File: HYQvod.ipa  Size: 2154552  MD5: 97210A234417954C7BBE87BFE685EAAE
File: HYQvod_3.3.3  Size: 3347360  MD5: 304A10D364454EE8F2E26979927C0334
File: HYQvod_3.3.3.ipa  Size: 3148992  MD5: 29E147675AF38ECE406B6227F3CCD76B
File: NoIcon  Size: 1426368  MD5: E6B45FAF823387BCA7524C4D0329543F
File: NoIcon.ipa  Size: 581136  MD5: FBF92317CA8A7D5C243AB62624701050
File: NoIconUpdate  Size: 1427040  MD5: 4460F3D29A4BCE8AA8E8FFDE4A467B70
File: NoIconUpdate.ipa  Size: 590191  MD5: 0B98EE74843809493B0661C679A3C90C

Download. Email me if you need the password (New Link)

Tuesday, September 1, 2015

KeyRaider: iOS infostealer

Research: Palo Alto: KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia

Sample Credit: Claud Xiao

02464AE6259A2C8194470385781501B7 9catbbs.ibackground 3.2.deb
0F710F8397EC969AF26C299A63AEDA8B 9catbbs.iappstore 4.0.deb
1DD1A8C6C213E3B51CD2463D764A9C62 9catbbs.MPPlugin 1.3.deb
3838A37A9BC7DF750FB16D12E32A2FCB iweixin.deb
3C57E433FBBA1AC1E4DC1B84CEC038FB repo.sunbelife.batterylife 1.4.1.deb
CAAF060572E57B6D175C3959495BCDBF 9catbbs.GamePlugin 6.1-9.deb
DDF224F63EE9C7FBA76298664A2B0B00 9catbbs.iappinbuy 1.0.deb

Email me if you need the password (2015-09-03 - fixed zip file)

Tuesday, June 2, 2015

AndroidOS.Wroba.x / HijackRAT - Android sample

A variant of

Research: Fireeye: The Service You Can’t Refuse: A Secluded HijackRAT 2014

Sample Credit: SUVsoft

MD5:  a21fab634dc788cdd462d506458af1e4
Size: 403974

Installed apps:

Download. Email me if you need the password. (New Link)

Android Locker Ransomware sample

Monday, May 25, 2015

Android FakeApp.AL Sample

Research: Scareware: Fake Minecraft apps Scare Hundreds of Thousands on Google Play

File: com.xcraft.mods.apk
Size: 341376
MD5:  ACB66E858D54C61AA10E60276001C02B

Download. Email me if you need the password

Thursday, May 21, 2015

NotCompatible / NioServ Android sample

This file has been spotted as the response content of the following URLs.

File: Android.Core.Defender.apk
Size: 64345
MD5:  7079D98E70EA31EA8F1DA54D160979EF

Download. Email me if you need the sample

Wednesday, April 1, 2015

Hacking Team RCS for Android sample

Advanced spyware.

Credit: Anonymous

Size: 2392347
MD5:  904ED531D0B3B1979F1FDA7A9504C882

Sunday, March 22, 2015

Android Infostealer - Godwon

Android.Podec SMS Trojan bypasses CAPTCHA sample

Research: Securelist: SMS Trojan bypasses CAPTCHA

Download. Email me if you need the password

Cajino - Remote administration trojan using Baidu Cloud Push service

Research: Remote administration trojan using Baidu Cloud Push service

Download. Email me if you need the password

Android.Titan.1 South Korean SMS trojan

Research: Dr. Web. Dangerous Android Trojan “hides” from anti-viruses

Download. Email me if you need the password

Android Ransomware Simplocker sample

SocialPath - Android infostealer sample