Research: Symantec: Windows Malware Attempts to Infect Android Devices
Droidpak
Dropper A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl
Fakebank.B/ Gepew.A
0D28FA54F9C0D41801E8FB5A7B0433DD
792BBB3DDC46E3D0E640D32977434ACA
4021A1E00B3ABEE730994F1EE17219B4
Size: 230785
Download Droidpak (exe and dll) and pcap
Download Fakebank.B/Gepew.A
Droidpak - Windows malware that downloads Fakebank
The iconfig.txt file is not present on the C2 server so the information is limited
Dropper
A398322586356ADD2CE43E3580CA272F sbayAYG51.exe
Dropped DLL 295BC2CD4A144E53229EF477BF2F0B59 flashmx32.xtl
C:\Program Files\Capture\logs\deleted_files\C\WINDOWS\CrainingApkConfig\DWORD.sn
C:\WINDOWS\system32\flashmx32.xtl
C:\WINDOWS\CrainingApkConfig\down.log
C:\WINDOWS\CrainingApkConfig\iconfig.txt
C:\WINDOWS\CrainingApkConfig\您正在搜索的页面可能已经删除、更名或暂时不可用。(translates: The page you are looking for might have been removed, renamed or is temporarily unavailable.)
Traffic (404 on c2) - Download pcap with the Windows droidpak binaries above
iconfig.txt (not available, sorry)
GET /iconfig.txt HTTP/1.1User-Agent: Mozilla/4.0 (compatible)Host: xia2.dyndns-web.comCache-Control: no-cache
HTTP/1.1 404 Not FoundContent-Length: 1308Content-Type: text/htmlServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETDate: Tue, 28 Jan 2014 12:55:25 GMT
xia2.dyndns-web.com
WHOIS Source: APNIC
IP Address: 103.242.134.136Country: Hong Kong
Network Name: HJEATC-CN
Owner Name: No.9-F, CaiFuDaSha, No.396 Heping Road
From IP: 103.242.132.0
To IP: 103.242.135.255
Allocated: Yes
Contact Name: Hebei Jiateng Electronics and Technology CoLtd
Address: No.9-F, CaiFuDaSha, No.396 Heping Road, Hanshan District, Handan Hebei 056001
Email: abuse@hostshare.cn
Abuse Email: abuse@hostshare.cn
Phone: +86 18973306525
Fax: +86 18973306525
Droidpak
EXE
SHA256: e9565a756e0c3780220ce1776a290bf22bb0b4de387b4da9ca7d4b8c1a620a58
Antivirus Result Update
AVG Downloader.Generic13.BUPO.dropper 20140127
Ad-Aware Gen:Trojan.Heur.RP.fCW@aSJeHikj 20140127
AhnLab-V3 Trojan/Win32.Agent 20140127
AntiVir TR/Crypt.XPACK.Gen 20140127
Antiy-AVL Backdoor/Win32.Generic 20140127
Avast Win32:Malware-gen 20140127
BitDefender Gen:Trojan.Heur.RP.fCW@aSJeHikj 20140127
CAT-QuickHeal Trojan.Sisproc 20140127
Commtouch W32/Backdoor.GQFG-3830 20140127
Comodo TrojWare.Win32.Trojan.XPACK.Gen 20140127
DrWeb Trojan.Siggen6.3736 20140127
ESET-NOD32 a variant of Win32/TrojanDownloader.Agent.AGK 20140127
Emsisoft Gen:Trojan.Heur.RP.fCW@aSJeHikj (B) 20140127
F-Secure Gen:Trojan.Heur.RP.fCW@aSJeHikj 20140127
Fortinet W32/BackDoor.VX!tr 20140127
GData Gen:Trojan.Heur.RP.fCW@aSJeHikj 20140127
Ikarus Trojan.Win32.Spy 20140127
Kaspersky HEUR:Backdoor.Win32.Generic 20140127
Malwarebytes Trojan.Agent.ED 20140127
McAfee RDN/Generic BackDoor!vx 20140127
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J!83 20140127
MicroWorld-eScan Gen:Trojan.Heur.RP.fCW@aSJeHikj 20140127
Microsoft Trojan:Win32/Sisproc 20140127
Norman Troj_Generic.SFFTD 20140127
Panda Trj/CI.A 20140127
Qihoo-360 Win32/Backdoor.d55 20140123
Sophos Mal/Generic-S 20140127
Symantec Trojan.Droidpak 20140127
TrendMicro TROJ_GEN.R01TC0CA114 20140127
TrendMicro-HouseCall TROJ_GEN.R01TC0CA114 20140127
VBA32 BScope.P2P-Worm.Palevo 20140127
VIPRE VirTool.Win32.Obfuscator.XZ (v) 20140127
ViRobot Dropper.S.Agent.82432.H 20140127
nProtect Trojan/W32.Agent.82432.YO 20140127
----------------------
DLL
VirusTotal
SHA256: b0608aa36b192bd9478d4a4cfce13b9353575818b3ca744f3e082b991023416d
File name: vti-rescan
Detection ratio: 28 / 50
Analysis date: 2014-01-27 20:38:58 UTC ( 16 hours, 43 minutes ago )
AVG Downloader.Generic13.BUPO 20140127
Ad-Aware Trojan.Generic.10243270 20140127
Agnitum Packed/PECompact 20140127
AhnLab-V3 Trojan/Win32.Agent 20140127
Avast Win32:Malware-gen 20140127
BitDefender Trojan.Generic.10243270 20140127
DrWeb Trojan.Apkloader.1 20140127
ESET-NOD32 a variant of Win32/TrojanDownloader.Agent.AGK 20140127
Emsisoft Trojan.Generic.10243270 (B) 20140127
F-Secure Trojan.Generic.10243270 20140127
Fortinet W32/PdfExDr.B 20140127
GData Trojan.Generic.10243270 20140127
Ikarus Trojan.SuspectCRC 20140127
K7AntiVirus Trojan-Downloader ( 00493b121 ) 20140127
K7GW Trojan-Downloader ( 00493b121 ) 20140127
McAfee Artemis!295BC2CD4A14 20140127
McAfee-GW-Edition Artemis!295BC2CD4A14 20140127
MicroWorld-eScan Trojan.Generic.10243270 20140127
NANO-Antivirus Trojan.Win32.Agent.cssrmc 20140127
Norman Troj_Generic.SFFTD 20140127
Panda Trj/CI.A 20140127
Sophos Mal/PdfExDr-B 20140127
Symantec Trojan.Droidpak 20140127
TrendMicro TROJ_GEN.R01TC0EAP14 20140127
TrendMicro-HouseCall TROJ_GEN.R01TC0EAP14 20140127
VIPRE Trojan.Win32.Generic!BT 20140127
ViRobot Trojan.Win32.S.Agent.34304.AR 20140127
nProtect Trojan/W32.Agent.34304.RG 20140127
----------------------
Fakebank.B
SHA256: 0840925753fbc8c68938090e5954ed289f6525cd29d8cf371a92d0839dcb8133
File name: vti-rescan
Detection ratio: 27 / 50
Analysis date: 2014-01-28 12:19:55 UTC ( 27 minutes ago )
Antivirus Result Update
AVG Android/SpyBanker 20140128
Ad-Aware Android.Trojan.Gepew.A 20140128
AntiVir Android/Spy.Gepew.A.Gen 20140128
Antiy-AVL Trojan/AndroidOS.Gepew 20140128
Avast Android:AgentSpy-A [Trj] 20140128
Baidu-International Trojan.AndroidOS.Gepew.ALX 20140128
BitDefender Android.Trojan.Gepew.A 20140128
Bkav MW.Clod2fb.Trojan.ed3d 20140125
CAT-QuickHeal Android.Gepew.Accb6 20140128
Commtouch AndroidOS/GenBl.4021A1E0!Olympus 20140128
Comodo UnclassifiedMalware 20140128
DrWeb Android.Spy.40.origin 20140128
ESET-NOD32 a variant of Android/Spy.Agent.AA 20140128
Emsisoft Android.Trojan.Gepew.A (B) 20140128
F-Secure Trojan-Spy:Android/Smforw.H 20140128
Fortinet Android/FakeKRB.G 20140128
GData Android.Trojan.Gepew.A 20140128
Ikarus Spy.AndroidOS 20140128
Kaspersky HEUR:Trojan-Spy.AndroidOS.Gepew.a 20140128
Kingsoft Android.Troj.hh_FakeADT.a.(kcloud) 20130829
McAfee Artemis!4021A1E00B3A 20140128
McAfee-GW-Edition Artemis!4021A1E00B3A 20140128
MicroWorld-eScan Android.Trojan.Gepew.A 20140128
Sophos Andr/FakeKRB-G 20140128
TotalDefense AndroidOS/Tnega.IUFKTGC 20140128
TrendMicro-HouseCall TROJ_GEN.F47V1210 20140128
VIPRE Trojan.AndroidOS.Generic.A 20140128
No comments:
Post a Comment