contagio mobile: Collection of 96 mobile malware samples for Kmin, Basebridge, Geinimi, Root exploits, and PJApps

Saturday, October 22, 2011

Collection of 96 mobile malware samples for Kmin, Basebridge, Geinimi, Root exploits, and PJApps

All files are sorted by types in folders and named by MD5. The list of files is below. I posted examples of what you will find in the previous 20 posts. Enjoy

Download Android-Malware_SortedTYPE-MD5.zip (password infected)

MALWARE TYPE (number of samples)
BASEBRIDGE (3)
YZHC (2)
ROOT EXPLOIT (7)
PJAPPS (16)
GEINIMI (28)

KMIN (40)

Sample credit: Thank to anonymous, Oct. 22, 2011

Please send classification corrections, I will post. Also, if you wish to analyse and post analysis, I will be happy to post that sample separately with a link to your explanations. Thanks - Mila

UPDATE OCT 26, 2011 - Anthony Desnos offered a better and more correct classification using Androguard

Download the file here

GingerMaster (0 and 1)
 ---> METHSIM L:0 I:0 N:0 J:2 1045 [4.9593749046325684, 4.3729357719421387, 4.7183656692504883, 4.4228439331054688, 3.9754178524017334]
 ---> METHSIM L:0 I:1 N:1 J:2 1341 [4.9452362060546875, 4.7812762260437012, 4.7661762237548828, 4.5302424430847168, 3.9754178524017334]
RageagainstTheCage (0)
 ---> BINHASH L:1 I:2 N:0 J:1
DroidDeluxe (0 and 1 and 2)
 ---> METHSIM L:2 I:3 N:0 J:3 907 [4.7972521781921387, 4.1135177612304688, 4.7298212051391602, 4.4896812438964844, 4.0113649368286133]
 ---> METHSIM L:2 I:4 N:1 J:3 1574 [4.8668537139892578, 4.2125983238220215, 4.715888500213623, 4.7183380126953125, 3.8208885192871094]
 ---> METHSIM L:2 I:5 N:2 J:3 5734 [4.7989387512207031, 4.7281794548034668, 4.4956917762756348, 4.5737781524658203, 4.149996280670166]
YZHCSMS (0 and 1)
 ---> METHSIM L:3 I:6 N:0 J:2 418 [5.0266571044921875, 1.6237781047821045, 4.7683391571044922, 4.8285346031188965, 3.9754178524017334]
 ---> METHSIM L:3 I:7 N:1 J:2 1992 [4.8226685523986816, 4.6746187210083008, 4.514441967010498, 4.7024493217468262, 0.0]
Wat (0)
 ---> CLASSSIM L:4 I:8 N:0 J:1 3600 [3.9032969815390453, 2.8835478850773404, 2.3970618758882796, 4.0557840211050848, 0.6026742117745536]
Pjapps (0)
 ---> METHSIM L:5 I:9 N:0 J:1 2094 [5.0075702667236328, 4.7603583335876465, 4.6897745132446289, 4.4102416038513184, 3.9754178524017334]
SndApps (0 or 1)
 ---> METHSIM L:6 I:10 N:0 J:2 1384 [4.6262054443359375, 1.2427303791046143, 4.4894008636474609, 4.5552773475646973, 4.2081961631774902]
 ---> METHSIM L:6 I:11 N:1 J:2 1309 [5.0062732696533203, 4.8052005767822266, 4.5855984687805176, 4.4975037574768066, 4.2158646583557129]
Crusewind ((0 or 1) and 2)
 ---> METHSIM L:7 I:12 N:0 J:3 1399 [4.9779953956604004, 4.6750292778015137, 4.7505569458007812, 4.5253338813781738, 4.2801966667175293]
 ---> METHSIM L:7 I:13 N:1 J:3 1033 [4.8758420944213867, 4.5962967872619629, 4.6942548751831055, 4.5018887519836426, 0.0]
 ---> METHSIM L:7 I:14 N:2 J:3 221 [4.7028636932373047, 1.5338449478149414, 4.535919189453125, 4.4318118095397949, 0.0]
BaseBridge.B (0 and 1)
 ---> METHSIM L:8 I:15 N:0 J:2 2433 [4.8725032806396484, 4.731076717376709, 4.5397763252258301, 4.5733532905578613, 3.9754178524017334]
 ---> METHSIM L:8 I:16 N:1 J:2 2664 [4.7669658660888672, 4.6711916923522949, 4.5062112808227539, 4.8685741424560547, 3.9754178524017334]
BaseBridge.C (0)
 ---> METHSIM L:9 I:17 N:0 J:1 3601 [4.556884765625, 3.2457294464111328, 4.5147109031677246, 4.5192923545837402, 3.9754178524017334]
BaseBridge ((0 or 1) and 2)
 ---> METHSIM L:10 I:18 N:0 J:3 3110 [4.5719747543334961, 1.6733947992324829, 4.5265865325927734, 4.5559782981872559, 3.9754178524017334]
 ---> METHSIM L:10 I:19 N:1 J:3 4648 [5.0189762115478516, 4.8571329116821289, 4.6744322776794434, 4.4395885467529297, 3.9754178524017334]
 ---> METHSIM L:10 I:20 N:2 J:3 967 [4.7568535804748535, 1.7403091192245483, 4.6997122764587402, 4.4517860412597656, 3.9754178524017334]
Ozotshielder.C (0)
 ---> METHSIM L:11 I:21 N:0 J:1 1838 [4.5943231582641602, 4.525092601776123, 4.4844989776611328, 4.4258179664611816, 0.0]
Ewalls (0)
 ---> METHSIM L:12 I:22 N:0 J:1 14152 [4.596013069152832, 4.7685627937316895, 4.4099941253662109, 4.2093234062194824, 3.9754178524017334]
DroidDreamLight (0)
 ---> METHSIM L:13 I:23 N:0 J:1 1578 [4.7786655426025391, 4.6544718742370605, 3.8625667095184326, 4.5037317276000977, 0.0]
Spitmo (0)
 ---> METHSIM L:14 I:24 N:0 J:1 2194 [5.0065994262695312, 4.790163516998291, 4.6962299346923828, 4.6933317184448242, 3.9754178524017334]
Hongtoutou (0)
 ---> METHSIM L:15 I:25 N:0 J:1 1766 [5.0845060348510742, 4.8783326148986816, 4.7843966484069824, 4.7036099433898926, 0.0]
YZHCSMS.B (0)
 ---> METHSIM L:16 I:26 N:0 J:1 1197 [4.984917163848877, 4.7853765487670898, 4.6623964309692383, 4.4476594924926758, 3.9754178524017334]
DroidDream-Included (0)
 ---> METHSIM L:17 I:27 N:0 J:1 3054 [4.827852725982666, 4.7362179756164551, 4.5589680671691895, 4.422579288482666, 0.0]
HippoSMS.B (0)
 ---> METHSIM L:18 I:28 N:0 J:1 1209 [4.8893465995788574, 4.891486644744873, 4.6299595832824707, 4.3698744773864746, 0.0]
Ewalls.B (0)
 ---> METHSIM L:19 I:29 N:0 J:1 11427 [4.5732531547546387, 4.6146163940429688, 4.4084692001342773, 4.2746791839599609, 3.9754178524017334]
HippoSMS ((0 and 1) or 2)
 ---> CLASSSIM L:20 I:30 N:0 J:3 1356 [4.6681992212931318, 4.4411741892496748, 2.16331418355306, 4.1790606180826826, 0.0]
 ---> CLASSSIM L:20 I:31 N:1 J:3 870 [4.5476565361022949, 4.4270169734954834, 2.6578314304351807, 4.1325935125350952, 0.0]
 ---> CLASSSIM L:20 I:32 N:2 J:3 458 [4.7386491298675537, 2.8634676933288574, 4.4856486320495605, 4.088369607925415, 0.0]
Ozotshielder (0)
 ---> METHSIM L:21 I:33 N:0 J:1 2204 [4.6407623291015625, 4.6470947265625, 4.5313506126403809, 4.345757007598877, 0.0]
DogoWar (0 and 1)
 ---> CLASSSIM L:22 I:34 N:0 J:2 404 [4.5772311687469482, 4.3906300067901611, 2.7473165988922119, 3.9876822233200073, 0.0]
 ---> CLASSSIM L:22 I:35 N:1 J:2 1818 [4.1605472564697266, 3.6046688079833986, 1.4984882354736329, 3.9250543117523193, 0.0]
Plankton.C (0 and 1)
 ---> METHSIM L:23 I:36 N:0 J:2 890 [5.0663352012634277, 1.567484974861145, 4.8082575798034668, 4.5208311080932617, 4.3333024978637695]
 ---> METHSIM L:23 I:37 N:1 J:2 2389 [4.8258247375488281, 4.7663564682006836, 4.5806660652160645, 4.3953781127929688, 0.0]
Plankton.B (0 and 1)
 ---> METHSIM L:24 I:38 N:0 J:2 1233 [4.6968116760253906, 4.6064891815185547, 4.5410966873168945, 4.6769933700561523, 0.0]
 ---> METHSIM L:24 I:39 N:1 J:2 1183 [4.768287181854248, 4.5756878852844238, 4.6231117248535156, 4.6342296600341797, 3.8208885192871094]
Zsone (0)
 ---> METHSIM L:25 I:40 N:0 J:1 977 [5.0066266059875488, 4.7855949401855469, 4.6031131744384766, 4.8662714958190918, 3.9754178524017334]
Plankton (0 and 1)
 ---> METHSIM L:26 I:41 N:0 J:2 1522 [4.880760669708252, 4.6757988929748535, 4.6721949577331543, 4.722226619720459, 3.8208885192871094]
 ---> METHSIM L:26 I:42 N:1 J:2 1443 [4.6877193450927734, 4.0039081573486328, 4.4825272560119629, 4.5173683166503906, 4.3710126876831055]
Lovetrap (0 and 1)
 ---> METHSIM L:27 I:43 N:0 J:2 2549 [4.939051628112793, 4.3934955596923828, 4.8094043731689453, 4.8097281455993652, 3.9754178524017334]
 ---> METHSIM L:27 I:44 N:1 J:2 3514 [4.9664211273193359, 4.3504295349121094, 4.8521542549133301, 4.6344723701477051, 3.9754178524017334]
GoldDream (0 and 1)
 ---> METHSIM L:28 I:45 N:0 J:2 3721 [4.8105306625366211, 4.7493586540222168, 4.5943202972412109, 4.6015524864196777, 0.0]
 ---> METHSIM L:28 I:46 N:1 J:2 3401 [4.8430991172790527, 1.3113172054290771, 4.8033995628356934, 4.538449764251709, 3.9754178524017334]
Pjapps.B (0)
 ---> METHSIM L:29 I:47 N:0 J:1 2548 [4.9333176612854004, 4.7807784080505371, 4.6869611740112305, 4.5481977462768555, 3.9754178524017334]
Pjapps.C (0 or 1)
 ---> METHSIM L:30 I:48 N:0 J:2 3137 [4.8883175849914551, 4.7182526588439941, 4.6228675842285156, 4.4607253074645996, 0.0]
 ---> METHSIM L:30 I:49 N:1 J:2 3233 [4.9250407218933105, 4.7393302917480469, 4.6674752235412598, 4.5522646903991699, 4.2181391716003418]
Zitmo (0 and 1)
 ---> METHSIM L:31 I:50 N:0 J:2 1129 [5.0006465911865234, 4.7676701545715332, 4.6947941780090332, 4.4621977806091309, 4.2081961631774902]
 ---> METHSIM L:31 I:51 N:1 J:2 728 [4.9079470634460449, 4.8797001838684082, 4.5931968688964844, 4.7688388824462891, 0.0]
Exploid (0)
 ---> BINHASH L:32 I:52 N:0 J:1
GGTracker (0 and 1)
 ---> METHSIM L:33 I:53 N:0 J:2 1670 [4.8364830017089844, 4.057319164276123, 4.7673635482788086, 4.4964823722839355, 4.2384934425354004]
 ---> METHSIM L:33 I:54 N:1 J:2 3088 [4.9048829078674316, 4.6949944496154785, 4.5048131942749023, 4.5457534790039062, 0.0]
NickySpy (0 or 1)
 ---> METHSIM L:34 I:55 N:0 J:2 3379 [4.9935126304626465, 4.7834396362304688, 4.8159637451171875, 4.5245232582092285, 0.0]
 ---> METHSIM L:34 I:56 N:1 J:2 2718 [5.0252776145935059, 4.7652387619018555, 4.8861689567565918, 4.5666427612304688, 4.2081961631774902]
DroidKungfu2 (0)
 ---> METHSIM L:35 I:57 N:0 J:1 1892 [4.6360316276550293, 4.0211343765258789, 4.5443987846374512, 4.1571140289306641, 3.9754178524017334]
SMSHider (0 and 1 and 2)
 ---> METHSIM L:36 I:58 N:0 J:3 4533 [4.8310446739196777, 4.709599494934082, 4.7197036743164062, 4.5428285598754883, 4.5164380073547363]
 ---> METHSIM L:36 I:59 N:1 J:3 4476 [4.8223543167114258, 4.7001566886901855, 4.7191720008850098, 4.5456838607788086, 4.5164380073547363]
 ---> METHSIM L:36 I:60 N:2 J:3 1277 [4.9431118965148926, 4.598602294921875, 4.6776943206787109, 4.6068816184997559, 3.9754178524017334]
Geinimi (0 or 1 or (2 and 3))
 ---> METHSIM L:37 I:61 N:0 J:4 2679 [4.6775240898132324, 4.5770049095153809, 4.4555692672729492, 4.6577677726745605, 3.9754178524017334]
 ---> METHSIM L:37 I:62 N:1 J:4 13063 [4.7153120040893555, 4.7980365753173828, 4.5259051322937012, 4.5926632881164551, 4.1278433799743652]
 ---> METHSIM L:37 I:63 N:2 J:4 892 [4.75555419921875, 1.4406454563140869, 4.5679025650024414, 4.5526924133300781, 3.9754178524017334]
 ---> METHSIM L:37 I:64 N:3 J:4 749 [4.6186771392822266, 4.4623689651489258, 1.6163301467895508, 4.5717849731445312, 0.0]
RogueSPPush (0)
 ---> CLASSSIM L:38 I:65 N:0 J:1 3509 [4.3265603542327877, 3.7004831314086912, 2.939491558074951, 4.4999289989471434, 0.79508357048034672]
DroidKungfu (0)
 ---> METHSIM L:39 I:66 N:0 J:1 3206 [4.8414411544799805, 4.6483860015869141, 4.6914162635803223, 4.7337584495544434, 4.2597851753234863]
DroidDream (0)
 ---> METHSIM L:40 I:67 N:0 J:1 2116 [5.029909610748291, 4.4915299415588379, 4.9674844741821289, 4.9468302726745605, 0.0]
Ozotshielder.B (0)
 ---> METHSIM L:41 I:68 N:0 J:1 3456 [4.9664649963378906, 4.75701904296875, 4.7511677742004395, 4.822575569152832, 3.9754178524017334]

B5444E6C3C8376F7D2ECCB974F31C7C3 : loading apk.. loading dex.. M S C:23 CC:11 CMP:9 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
A8BEF827220187CB4D319929E341DA9B : loading apk.. loading dex.. M S C:22 CC:14 CMP:14 EL:437 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder.C [[21, 0.27044025063514709]]
CF7EF8C19DD5F94991A3A51CB87813EE : loading apk.. loading dex.. M S C:23 CC:13 CMP:2 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
35D0D19DA76F65C964E911E70963D106 : loading apk.. loading dex.. M S C:23 CC:11 CMP:12 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
67765FD5CAF1C876EC65DBB3D1CA8499 : loading apk.. loading dex.. M S C:23 CC:10 CMP:1 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
930BD275A0B2C3D35B0627A8A5BD8F60 : loading apk.. loading dex.. M S C:23 CC:13 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
664744B5F6AC5142B6BB82D82D01209C : loading apk.. loading dex.. M S C:22 CC:13 CMP:1 EL:437 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder.C [[21, 0.27044025063514709]]
725C8142D886DD754DC600B479FF6C63 : loading apk.. loading dex.. M S C:23 CC:15 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
8A0C4006157C766A08C313FA2143F1FE : loading apk.. loading dex.. M S C:23 CC:12 CMP:2 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
C0659BFE15FFA0A6AA587E17135D4313 : loading apk.. loading dex.. M S C:23 CC:12 CMP:1 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
9D5752F23F74246A5B78134AFA8E9483 : loading apk.. loading dex.. M S C:15 CC:10 CMP:24 EL:190 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
77511B4DF77B0BC04CBD7C58B7B3AF9E : loading apk.. loading dex.. M S C:23 CC:12 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
2289293578008531755462E4E88AFC17 : loading apk.. loading dex.. M S C:23 CC:10 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
ACC4787D443005F9C5949AA53C8D0234 : loading apk.. loading dex.. M S C:23 CC:12 CMP:7 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
C8DA4C529FE7057F5E4B245D4CC0E277 : loading apk.. loading dex.. M S C:23 CC:12 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
3284493FB26FFCE5A1C23AF6B2383B6D : loading apk.. loading dex.. M S C:23 CC:13 CMP:4 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
3E7DF00D4A31355954024680D919B218 : loading apk.. loading dex.. M S C:23 CC:12 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
89B4194516F797B5E1B0D89C3C3EC96E : loading apk.. loading dex.. M S C:23 CC:10 CMP:6 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
DF2817C01B91DB9B421C35E081D0E115 : loading apk.. loading dex.. M S C:23 CC:12 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
9783AA70949043BB7AAA205A31B42022 : loading apk.. loading dex.. M S C:23 CC:13 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
4C9AA7028BF91BEB91D65D74D181197B : loading apk.. loading dex.. M S C:23 CC:13 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
F89BDF006DFC2932A86C8B05E6EC8AAB : loading apk.. loading dex.. M S C:23 CC:12 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
E0DD14720E4FEF02D29A4B027536D273 : loading apk.. loading dex.. M S C:23 CC:13 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
B1C866FF733A3CB89BC101878E41523E : loading apk.. loading dex.. M S C:17 CC:13 CMP:3 EL:248 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder.C [[21, 0.27044025063514709]]
B12FA61A08F85A37DD39DF22825D061F : loading apk.. loading dex.. M S C:23 CC:11 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
321461303E46B010D3D39017424C2A20 : loading apk.. loading dex.. M S C:23 CC:11 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
FA9959D172B427136E0069A6A222533E : loading apk.. loading dex.. M S C:22 CC:14 CMP:0 EL:437 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder.C [[21, 0.27044025063514709]]
205BB42B82529B6EF233FB05E6AAAD29 : loading apk.. loading dex.. M S C:23 CC:12 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
8C2113EB8408D9ADBEF7E912054404F8 : loading apk.. loading dex.. M S C:23 CC:12 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
231696FFDF8D00C9D09AF7FB85B4991D : loading apk.. loading dex.. M S C:17 CC:11 CMP:2 EL:248 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder.C [[21, 0.27044025063514709]]
7877BCBBD731818EBEF21B03C369DB9F : loading apk.. loading dex.. M S C:22 CC:12 CMP:0 EL:437 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder.C [[21, 0.27044025063514709]]
90397D73405111BB3C5AD3C7A1858D0E : loading apk.. loading dex.. M S C:23 CC:10 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
8B693B938FEA7F9E3C3E402F30FD97B5 : loading apk.. loading dex.. M S C:23 CC:14 CMP:2 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
BE63349846165811DA4E3444C5D15DEA : loading apk.. loading dex.. M S C:23 CC:13 CMP:2 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
B402EAACD1323F2DFFB9B8B48E90CD00 : loading apk.. loading dex.. M S C:15 CC:9 CMP:0 EL:190 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
F553AF81E238FCDE1A22BC70BC28DF86 : loading apk.. loading dex.. M S C:22 CC:11 CMP:0 EL:452 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
0F182524C0FE8FF999BFA3D63C9A9E97 : loading apk.. loading dex.. M S C:23 CC:11 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
9731BBCA4F200F7E3572D0D5D093B27A : loading apk.. loading dex.. M S C:23 CC:14 CMP:0 EL:494 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
A478B7801DAE4779D73AA708511C26A5 : loading apk.. loading dex.. M S C:17 CC:11 CMP:19 EL:248 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder.C [[21, 0.27044025063514709]]
166CCE96E89FCFEC8B2669D8B19846A4 : loading apk.. loading dex.. M S C:23 CC:11 CMP:0 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]
543E9D86DD28005342A3313BDC588009 : loading apk.. loading dex.. M S C:18 CC:13 CMP:281 EL:295 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
AB2D97FE88BB7F4DE33C88795907F70E : loading apk.. loading dex.. M S C:27 CC:13 CMP:868 EL:708 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [62, 0.087818697094917297], [61, 0.2239382266998291], [64, 0.2215568870306015]]
97CA61C8497AE5E3FF5F853C7070E5C6 : loading apk.. loading dex.. M S C:17 CC:11 CMP:237 EL:263 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
08E4A73F0F352C3ACCC03EA9D4E9467F : loading apk.. loading dex.. M S C:13 CC:9 CMP:24 EL:130 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [61, 0.20094563066959381], [62, 0.150141641497612]]
CB7A5643B99E3DF2BBB25B6ABC13042C : loading apk.. loading dex.. M S C:16 CC:10 CMP:31 EL:196 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
6A19CB7915895B6A6A6AF542EF0382C5 : loading apk.. loading dex.. M S C:13 CC:11 CMP:32 EL:124 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
358781AAE89384857DB159FDB2493C6C : loading apk.. loading dex.. M S C:18 CC:8 CMP:317 EL:272 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [61, 0.20094563066959381], [62, 0.150141641497612]]
839C37F3A2C8D31561D28F619A2A712E : loading apk.. loading dex.. M S C:16 CC:11 CMP:36 EL:222 C:0 CC:0 CMP:0 EL:0 ----> Hongtoutou [[25, 0.14912280440330505]]
54FAD8426E03A05279223173EC7D2FE2 : loading apk.. loading dex.. M S C S C:20 CC:14 CMP:558 EL:344 C:12 CC:4 CMP:55 EL:144 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [62, 0.150141641497612]]
FF2CBCE5DC50F2554F866A88B11C8E8F : loading apk.. loading dex.. M S C:16 CC:10 CMP:250 EL:227 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
749B77ED464AAE7C8938012099BF5EB1 : loading apk.. loading dex.. M S C:15 CC:10 CMP:59 EL:178 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [62, 0.150141641497612], [61, 0.20094563066959381]]
F8A6F3DE5255AE3C6750C256559887C5 : loading apk.. loading dex.. M S C:15 CC:11 CMP:220 EL:177 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [61, 0.20094563066959381], [62, 0.150141641497612]]
5880E5891E00C4C5CCEBDEA7E2133402 : loading apk.. loading dex.. M S C:14 CC:10 CMP:73 EL:157 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [61, 0.20094563066959381], [62, 0.150141641497612]]
B9E392DEE83D9596DD72B2739486062F : loading apk.. loading dex.. M S C:15 CC:10 CMP:22 EL:167 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
4E26A200AB149819DCDCF273F5AB171A : loading apk.. loading dex.. M S C:14 CC:9 CMP:73 EL:139 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
8947EAE5C65DF02D9C538B12DDAF636F : loading apk.. loading dex.. M S C:23 CC:11 CMP:637 EL:485 C:0 CC:0 CMP:0 EL:0 ----> Hongtoutou [[25, 0.17543859779834747]]
714136CBCE1A7BC24351B41A92A7DD08 : loading apk.. loading dex.. M S C:25 CC:7 CMP:232 EL:575 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [61, 0.20094563066959381], [62, 0.150141641497612]]
025A55C1BCBD3BE2CA03AA314CE9A4C2 : loading apk.. loading dex.. M S C:18 CC:14 CMP:61 EL:265 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [61, 0.20094563066959381], [62, 0.150141641497612]]
8B12CCDC8A69CF2D6A7E6C00F698AAA6 : loading apk.. loading dex.. M S C:14 CC:11 CMP:6 EL:142 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [62, 0.150141641497612], [61, 0.20094563066959381]]
189D11C33EEE3076BE3EE20033F6B06E : loading apk.. loading dex.. M S C:19 CC:11 CMP:111 EL:324 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [62, 0.150141641497612], [61, 0.20094563066959381]]
8498984D8F9B7260FD032D6F0A2534AA : loading apk.. loading dex.. M S C:16 CC:8 CMP:71 EL:221 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
3374D6322542D6AEC9D319DF335215E5 : loading apk.. loading dex.. M S C:19 CC:8 CMP:218 EL:306 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [62, 0.150141641497612], [61, 0.20094563066959381]]
404FD6F9113870D1B6E63DCD23CFE206 : loading apk.. loading dex.. M S C:14 CC:11 CMP:17 EL:151 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [64, 0.2215568870306015], [62, 0.150141641497612], [61, 0.20094563066959381]]
178BA57AAC8FB2014CDA5D0BBC9FCC3D : loading apk.. loading dex.. M S C:13 CC:9 CMP:9 EL:121 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [61, 0.20094563066959381], [62, 0.150141641497612]]
5D27C7D0C5630F4C7A8B7A8F45512F09 : loading apk.. loading dex.. M S C:39 CC:13 CMP:579 EL:1529 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [61, 0.20094563066959381], [62, 0.150141641497612]]
0DA3484A20C85C0489FEA8F53316B53C : loading apk.. loading dex.. M S C:17 CC:11 CMP:266 EL:229 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[63, 0.14042553305625916], [62, 0.087818697094917297], [61, 0.2239382266998291], [64, 0.2215568870306015]]
EA80AE4C4A17E8608E0FC7D6E34BF37E : loading apk.. loading dex.. M S C:16 CC:11 CMP:6 EL:224 C:0 CC:0 CMP:0 EL:0 ----> Geinimi [[64, 0.2215568870306015], [63, 0.14042553305625916], [62, 0.150141641497612], [61, 0.20094563066959381]]
AECB7C76CB497401BE48459FF944F5FE : INVALID APK
951C8A2EFBE2ACAFEB351525D5BD52E2 : loading apk.. loading dex.. M S C S C:20 CC:12 CMP:1310 EL:376 C:15 CC:4 CMP:82 EL:232 B ----> None []
4B0A9F03E664C32143F57E4857F32E1B : loading apk.. loading dex.. M S C:14 CC:10 CMP:202 EL:142 C:0 CC:0 CMP:0 EL:0 ----> DroidDream [[67, 0.14367815852165222]]
AFD12639E21C1884D33737ABA0BC43EE : loading apk.. loading dex.. M S C S C:16 CC:10 CMP:576 EL:211 C:10 CC:4 CMP:106 EL:102 B ----> RageagainstTheCage [[2]]
30587D7E5AC828F8B1EAF476D4B19BD2 : loading apk.. loading dex.. M S C S C:18 CC:12 CMP:587 EL:270 C:9 CC:4 CMP:46 EL:88 B ----> RageagainstTheCage [[2]]
A3F63AA22A9698C1F54D5A2C2695943F : loading apk.. loading dex.. M S C:16 CC:12 CMP:234 EL:213 C:0 CC:0 CMP:0 EL:0 ----> DroidDream [[67, 0.25431033968925476]]
616A94FBBFB65D7B7C5A0E9AFB73E784 : loading apk.. loading dex.. M S C S C:33 CC:15 CMP:3023 EL:1063 C:17 CC:5 CMP:111 EL:309 B ----> None []
81614D2C1175EE32A6967D13630BE8A9 : loading apk.. loading dex.. M S C S C:20 CC:12 CMP:1018 EL:377 C:15 CC:4 CMP:51 EL:229 B ----> None []
29BECE78457A738FD530F8F844204D85 : loading apk.. loading dex.. M S C:16 CC:12 CMP:133 EL:203 C:0 CC:0 CMP:0 EL:0 ----> Pjapps [[9, 0.13931888341903687]]
8353CAD68F4D2B443B33BB2F32F2412D : loading apk.. loading dex.. M S C:14 CC:11 CMP:63 EL:144 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
82F5BF4509E35C3AE7172A0DD7C3ECF4 : loading apk.. loading dex.. M S C:45 CC:15 CMP:475 EL:2038 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
CAE2169F4706E8BE514D9967152590C4 : loading apk.. loading dex.. M S C:18 CC:13 CMP:0 EL:288 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
89BB300CC1BF0B27C582327588EA7377 : loading apk.. loading dex.. M S C:14 CC:8 CMP:88 EL:144 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
C05D4FF1A80F18BA9D8A86AFD88BC05D : loading apk.. loading dex.. M S C S C:21 CC:12 CMP:889 EL:393 C:10 CC:3 CMP:75 EL:98 ----> Pjapps.C [[49, 0.26719576120376587]]
59AD10B4C32771293F039B2DA58C3F64 : loading apk.. loading dex.. M S C:14 CC:11 CMP:0 EL:158 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
913756426B6D32C6041E438814A4AE76 : loading apk.. loading dex.. M S C:19 CC:8 CMP:0 EL:315 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
6679F1A9B897EB8DD9E293D81A4389F7 : loading apk.. loading dex.. M S C:18 CC:13 CMP:387 EL:284 C:0 CC:0 CMP:0 EL:0 ----> Pjapps [[9, 0.13931888341903687]]
774C829B9F7E477AEA2C1537F2AC887B : loading apk.. loading dex.. M S C:24 CC:10 CMP:181 EL:527 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
F40DEEBBBD15A0FDCAB0857B59D63F1A : loading apk.. loading dex.. M S C:16 CC:11 CMP:13 EL:200 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
9A065ACDA242887EA1D384DCA8E1F79E : loading apk.. loading dex.. M S C S C:26 CC:15 CMP:1107 EL:652 C:14 CC:4 CMP:70 EL:199 ----> Pjapps.C [[49, 0.19453376531600952]]
6404919B7BBA0661249974CFAA6D212F : loading apk.. loading dex.. M S C:34 CC:14 CMP:30 EL:1103 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
39EF06AD651C2ACC290C05E4D1129D9B : loading apk.. loading dex.. M S C:14 CC:10 CMP:14 EL:141 C:0 CC:0 CMP:0 EL:0 ----> Pjapps.B [[47, 0.17979197204113007]]
722DA6CDFA8BAC482C9C6BE105B0FF2A : loading apk.. loading dex.. M S C:16 CC:12 CMP:91 EL:207 C:0 CC:0 CMP:0 EL:0 ----> Pjapps [[9, 0.13931888341903687]]
DE759E9FDB3EC577D753FF240FC91A13 : loading apk.. loading dex.. M S C:30 CC:10 CMP:708 EL:890 C:0 CC:0 CMP:0 EL:0 ----> Pjapps [[9, 0.13931888341903687]]
43DC90E585CD7ED3B25A0ABDC484A538 : loading apk.. loading dex.. M S C:17 CC:10 CMP:28 EL:235 C:0 CC:0 CMP:0 EL:0 ----> YZHCSMS.B [[26, 0.15400411188602448]]
D2D6A1368ECA8FE6F7C7B984E047FBBB : loading apk.. loading dex.. M S C:17 CC:9 CMP:248 EL:235 C:0 CC:0 CMP:0 EL:0 ----> YZHCSMS.B [[26, 0.15400411188602448]]
24069021F25C1E699B5BC54DA38E7C7D : loading apk.. loading dex.. M S C S C:9 CC:8 CMP:150 EL:26 C:3 CC:3 CMP:8 EL:8 B ----> None []
5ADE65BF5B4B73A24FA0F7DE7315C9FF : loading apk.. loading dex.. M S C S C:26 CC:14 CMP:785 EL:618 C:15 CC:5 CMP:88 EL:218 B ----> None []
B6847521B548B806CF5E4F71B687EC26 : loading apk.. loading dex.. M S C S C:13 CC:11 CMP:834 EL:126 C:6 CC:4 CMP:39 EL:38 B ----> None []

This is the original classification

BASEBRIDGE (3)

YZHC (2)

ROOT EXPLOIT (7)
Except the two below maybe DroidDream variants (Thanks to Vesselin Bontchev for correction)

4B0A9F03E664C32143F57E4857F32E1B
A3F63AA22A9698C1F54D5A2C2695943F

PJAPPS (16)

GEINIMI (28)
except the two below that belong to Andrd family (Thanks to Vesselin Bontchev for correction)

8947EAE5C65DF02D9C538B12DDAF636F
839C37F3A2C8D31561D28F619A2A712E

KMIN (40)

0F182524C0FE8FF999BFA3D63C9A9E97
166CCE96E89FCFEC8B2669D8B19846A4
205BB42B82529B6EF233FB05E6AAAD29
2289293578008531755462E4E88AFC17
231696FFDF8D00C9D09AF7FB85B4991D
321461303E46B010D3D39017424C2A20
3284493FB26FFCE5A1C23AF6B2383B6D
35D0D19DA76F65C964E911E70963D106
3E7DF00D4A31355954024680D919B218
4C9AA7028BF91BEB91D65D74D181197B
664744B5F6AC5142B6BB82D82D01209C
67765FD5CAF1C876EC65DBB3D1CA8499
725C8142D886DD754DC600B479FF6C63
77511B4DF77B0BC04CBD7C58B7B3AF9E
7877BCBBD731818EBEF21B03C369DB9F
89B4194516F797B5E1B0D89C3C3EC96E
8A0C4006157C766A08C313FA2143F1FE
8B693B938FEA7F9E3C3E402F30FD97B5
8C2113EB8408D9ADBEF7E912054404F8
90397D73405111BB3C5AD3C7A1858D0E
930BD275A0B2C3D35B0627A8A5BD8F60
9731BBCA4F200F7E3572D0D5D093B27A
9783AA70949043BB7AAA205A31B42022
9D5752F23F74246A5B78134AFA8E9483
A478B7801DAE4779D73AA708511C26A5
A8BEF827220187CB4D319929E341DA9B
ACC4787D443005F9C5949AA53C8D0234
B12FA61A08F85A37DD39DF22825D061F
B1C866FF733A3CB89BC101878E41523E
B402EAACD1323F2DFFB9B8B48E90CD00
B5444E6C3C8376F7D2ECCB974F31C7C3
BE63349846165811DA4E3444C5D15DEA
C0659BFE15FFA0A6AA587E17135D4313
C8DA4C529FE7057F5E4B245D4CC0E277
CF7EF8C19DD5F94991A3A51CB87813EE
DF2817C01B91DB9B421C35E081D0E115
E0DD14720E4FEF02D29A4B027536D273
F553AF81E238FCDE1A22BC70BC28DF86
F89BDF006DFC2932A86C8B05E6EC8AAB
FA9959D172B427136E0069A6A222533E

3 comments:

AnonymousOctober 26, 2011 at 9:17 AM
Ahem, could you please provide some insight into Anthony Desnos' classification and why it is "better"? It looks more like a memory dump to me than as something sensible...
ReplyDelete
Replies
UnknownOctober 27, 2011 at 3:59 AM
Hi,

you have the malware and the detected signature (full debug) in the database.

Follow the link in the post to find more information about the signature.
ReplyDelete
Replies
AnonymousOctober 27, 2011 at 5:23 AM
I did follow the link to Androguard - but I am no wiser because of it.

So, there is this tool called Androguard, written in some difficult to understand language (Python?), which claims to have all kinds of magical "features", none of which is explained adequately. In addition, the few "signatures" listed on that site bear no resemblance to the "memory dump" above.

In fact, I have trouble even differentiating between the different entries in the "memory dump". For instance, is the first entry this:

GingerMaster (0 and 1)
---> METHSIM L:0 I:0 N:0 J:2 1045 [4.9593749046325684, 4.3729357719421387, 4.7183656692504883, 4.4228439331054688, 3.9754178524017334]
---> METHSIM L:0 I:1 N:1 J:2 1341 [4.9452362060546875, 4.7812762260437012, 4.7661762237548828, 4.5302424430847168, 3.9754178524017334]

How does this relate to the "gingermaster signature" listed on the Androguard site as

[ { "SAMPLE" : "apks/malwares/gingermaster/35bda16e09b2e789602f07c08e0ba2c45393a62c6e52aa081b5b45e2e766edcb" }, { "BASE" : "AndroidOS", "NAME" : "GingerMaster", "SIGNATURE" : [ { "TYPE" : "METHSIM", "CN" : "Lcom/igamepower/appmaster/GameService;", "MN" : "l", "D" : "()Lcom/igamepower/appmaster/aq;" }, { "TYPE" : "METHSIM", "CN" : "Lcom/igamepower/appmaster/GameService;", "MN" : "m", "D" : "()V" } ], "BF" : "0 and 1" } ]

and what the blazes do both mean?

Not to mention that Gingermaster is an exploit, not a particular piece of malware, and if you base malware classification on a "signature" extracted from the original proof-of-concept exploit app, you'll end up classifying in this "family" every single malware that uses the same exploit. In fact, I suspect that this is exactly what you are doing with several things classified as "Ozotshielder" - which I have no idea what it is, but the name implies that it might be some kind of code obfuscator.

Or is the whole beginning of the "memory dump", until the first empty line, some kind of debug output and the first "real" classification line is this:

B5444E6C3C8376F7D2ECCB974F31C7C3 : loading apk.. loading dex.. M S C:23 CC:11 CMP:9 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]

And how is AECB7C76CB497401BE48459FF944F5FE "invalid APK"? It seems perfectly valid to me - a ZIP file containing classes.dex with valid checksums and so on.

...

OK, assuming the stuff before the first empty line is some meaningless to me debug output, I wrote a small script that stripped all the garbage from from the "memory dump" and left only the MD5 of the sample and the name of the malware it was classified as, ending up with the following:

33 samples classified as "Ozotshielder"
7 samples classified as "Ozotshielder.C"
25 samples classified as "Geinimi"
2 samples classified as "Hongtoutou"
2 samples classified as "DroidDream"
2 samples classified as "RageagainstTheCage"
4 samples classified as "Pjapps"
10 samples classified as "Pjapps.B"
2 samples classified as "Pjapps.C"
2 samples classified as "YZHCSMS.B"
6 samples not classified as anything

In which case I am still left wondering how is this classification "better". It differs from Mila's only in the family names (Ozotshielder->Kmin, Hongtoutou->Adrd, RageagainstTheCage->Root Exploit), plus it doesn't classify as anything a few samples that Mila does.
ReplyDelete
Replies

Add comment