Research: Symantec:
Windows Malware Attempts to Infect Android Devices
Droidpak
Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl
Fakebank.B/ Gepew.A
0D28FA54F9C0D41801E8FB5A7B0433DD
792BBB3DDC46E3D0E640D32977434ACA
4021A1E00B3ABEE730994F1EE17219B4
Size: 230785
Download Droidpak (exe and dll) and pcap
Download Fakebank.B/Gepew.A
Droidpak - Windows malware that downloads Fakebank
The iconfig.txt file is not present on the C2 server, so the information is limited.
Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl
C:\Program Files\Capture\logs\deleted_files\C\WINDOWS\CrainingApkConfig\DWORD.sn
C:\WINDOWS\system32\flashmx32.xtl
C:\WINDOWS\CrainingApkConfig\down.log
C:\WINDOWS\CrainingApkConfig\iconfig.txt
C:\WINDOWS\CrainingApkConfig\您正在搜索的页面可能已经删除、更名或暂时不可用。(translates: The page you are looking for might have been removed, renamed or is temporarily unavailable.)
Traffic (404 on c2) - Download pcap with the Windows droidpak binaries above
iconfig.txt (not available, sorry)
GET /iconfig.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: xia2.dyndns-web.com
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 28 Jan 2014 12:55:25 GMT
xia2.dyndns-web.com
WHOIS Source: APNIC
IP Address: 103.242.134.136
Country: Hong Kong
Network Name: HJEATC-CN
Owner Name: No.9-F, CaiFuDaSha, No.396 Heping Road
From IP: 103.242.132.0
To IP: 103.242.135.255
Allocated: Yes
Contact Name: Hebei Jiateng Electronics and Technology CoLtd
Address: No.9-F, CaiFuDaSha, No.396 Heping Road, Hanshan District, Handan Hebei 056001
Email: abuse@hostshare.cn
Abuse Email: abuse@hostshare.cn
Phone: +86 18973306525
Fax: +86 18973306525