Wednesday, January 29, 2014

Android AVPass

Research: Baidu Security Labs

Sample Credit: Tom:Pan

Size: 203000
MD5:  CCC01FD6D875B95E2AF5F270AAF8E842

Download. Email me if you need the password.

Android Airpush, /StopSMS.B, Minimob

  Sample credit Tachion

  08061663E638B5AC1D780CAACBE9FAD8 GlamorousSmoke.apk
    2C3B92FFE8123611AE9D9BED000C99F7 3dtimeclockticks.apk
    4FD1194F8127439609319CDBE244C0A7 _BlueArt.apk
    58E73A03025BA95337C952223F18F479 _lordssacredheavenlycross.apk
    8F7A41A921FC15F4FD47A33E476D7B3B SkullLighter.apk
    CE7B9B2242A71BBEAC0B2839B1063013 NoiseDetectorNonG.apk
    D67A07E3DE88C0130420588FD158B967 eyeseeyouSAMSUNG.apk
    DE5BFA8715DAC2E29E206C19CA98F2F4 JingleBellNonG.apk
    FB9FEFFB1FEF13C4A5E42ACE20183912 SaveTenDollar.apk

 Download all. Email me if you need the password.

Tuesday, January 28, 2014

Windows Droidpak and Android Fakebank.B / Gepew.A

Research: Symantec: Windows Malware Attempts to Infect Android Devices

Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl

Fakebank.B/ Gepew.A
Size: 230785

Download Droidpak (exe and dll) and pcap
Download Fakebank.B/Gepew.A

Droidpak - Windows malware that downloads Fakebank

The iconfig.txt file is not present on the C2 server so the information is limited

A398322586356ADD2CE43E3580CA272F sbayAYG51.exe

Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl
C:\Program Files\Capture\logs\deleted_files\C\WINDOWS\CrainingApkConfig\
C:\WINDOWS\CrainingApkConfig\您正在搜索的页面可能已经删除、更名或暂时不可用。(translates: The page you are looking for might have been removed, renamed or is temporarily unavailable.)

Traffic (404 on c2) - Download pcap with the Windows droidpak binaries above

iconfig.txt (not available, sorry)

GET /iconfig.txt HTTP/1.1User-Agent: Mozilla/4.0 (compatible)Host: xia2.dyndns-web.comCache-Control: no-cache
HTTP/1.1 404 Not FoundContent-Length: 1308Content-Type: text/htmlServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETDate: Tue, 28 Jan 2014 12:55:25 GMT
IP Address:      Hong Kong
Network Name: HJEATC-CN
Owner Name:   No.9-F, CaiFuDaSha, No.396 Heping Road
From IP:
To IP:
Allocated:    Yes
Contact Name: Hebei Jiateng Electronics and Technology CoLtd
Address:      No.9-F, CaiFuDaSha, No.396 Heping Road, Hanshan District, Handan Hebei 056001
Abuse Email:
Phone:        +86 18973306525
Fax:          +86 18973306525

Android Airpush - monetization, ads

Size: 5972931
MD5:  2EED7318CA564A909E75AD616CAD5CDF

Friday, January 17, 2014

Android Oldboot / Mouabad.s

MD5 (GoogleKernel.apk) = 8e3dcff9ec301d450bbd46e44d5b1091
MD5 (_bootinfo) = 826493bca9ad7d33521001d1a74ce06f
MD5 ( = 2fcaeb78f945bee1512ca65cca2f21b4
MD5 (com.qq.assistant.apk) = e3ed5c6d2cffe6f37b809a1252bd805d
MD5 (imei_chk) = 41d8d39217ca3fe40a4722e544b33024
MD5 ( = a0ec31f670bbdccb22f9a6ec36d5ac77

From Zihang (Claud) Xiao:
“imei_chk” is the main executable file under /sbin;
“_bootinfo” is the /sbin/.bootinfo config file which is needed for imei_chk’s running;
“GoogleKernel.apk" and “” are two files dropped by the imei_chk;
“com.qq.assistant.apk” is the first variant, while “” is the second variant.
By manually adding imei_chk and .bootinfo to the /sbin directory in boot partition and modify init.rc, analyst could restore the whole attack.

Research: 360 Mobile: Oldboot: the first bootkit on Android by Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang

Also See: Mouabad.p - Pocket Dialing For Profit  (Lookout security) 

Sample Credit: Tim Strazzere (Lookout Security) and Claud Xiao (360 Mobile)

Download all the listed samples (new link)