Monday, February 4, 2013

Android/Windows Spy:Android/Ssucl - DroidCleaner and Superclean.


Research: Kaspersky: Mobile attacks - Android with Windows malware downloads



File: smart.apps.superclean-1.apk
Size: 502441
MD5:  2529085824C55DBBAED0B86EDE7B3C60

File: smart.apps.droidcleaner-1.apk
Size: 310274
MD5:  C5A2D14BC52F109A06641C1F15E90985


File: smart.apps.droidcleaner-1.apk 
Size: 330984
MD5:  123478A70219D24A5E5A40074B8775BA


File: SuperClean-11.apk 
Size: 528630
MD5:  B0C28334373332D4677C01BD48EED431


Download: android files listed above plus the following.

From http://claco.hopto.org:

    Controller.exe
    svchost.exe

From claco.kicks-ass.org:

    Extra_Fotos.zip
    Kst.exe
    pwd.exe



Kaspersky Lab:


"the malware downloads three files from the URL specified at the beginning of the class. The following files are downloaded:
autorun.inf,
folder.ico,
svchosts.exe."

===========================================================================
The dex files show that the URL is http://claco.hopto.org (currently returns 404).

The Stopbadware website actually has a record of files that were hosted on this site. The information is below:


Fields: date, URL, MD5, hosting IP, country, detection name.

2012-11-06 03:09:34 http://claco.hopto.org/svchosts.exe 1DB6FCF88ABDA6C0EA74420EB0897735 64.120.202.189 US MSIL/Autorun.Agent.CE worm
2012-09-22 08:51:34 http://claco.hopto.org/Controller.exe 3E5CA5C7E8FF146051DC82FBF8DD6CC6 64.120.202.189 US MSIL/Autorun.Agent.CE worm
===========================================================================
svchosts.exe and Controller.exe attempt to connect to claco.kicks-ass.org.

Stopbadware lists these files that were hosted on claco.kicks-ass.org:


Fields: date, URL, MD5, hosting IP, country, detection name.

2012-03-21 18:21:19 http://claco.kicks-ass.org/DCS0001.zip F007CD6145CDB792FCDFF8C5C90F933C 173.254.233.126 US Start.exe <<< TRKazy.JZ
2012-03-21 18:21:19 http://claco.kicks-ass.org/Extra_Fotos.zip F007CD6145CDB792FCDFF8C5C90F933C 173.254.233.126 US Start.exe <<< TRKazy.JZ
2012-03-21 18:10:01 http://claco.kicks-ass.org/Kst.exe CB7975248B2E298D952214B492778098 173.254.233.126 US Trojan.Generic.7281784
2012-03-21 18:07:07 http://claco.kicks-ass.org/pwd.exe 3F40A7ED3A5EE04BB43D43BD94823E72 173.254.233.126 US W32Pwstool.E









6 comments:

  1. password does not follow the normal syntax

     Replies:
     1. "infected" as password still does not work...
     2. it is not infected. Email if you need it.
        thx

  2. should I use infected as password?

     Replies:
     1. no. Email if you want the password