Comments on contagio mobile: Android Malware FakeTimer (via #OJCP)
Blog author: Mila (http://www.blogger.com/profile/09472209631979859691)
Comment feed last updated: 2024-02-02T00:26:03-08:00

Comment by Anonymous, 2012-02-14T23:03:29-08:00

Does it change more than once a day? I missed the sample with MD5 2b609e4acfebbee57ecf6ddbfd8202d2. Today the sample there has MD5 A26DCDD898D495D8BC8F71BD4FB6F29C.

Comment by unixfreaxjp (https://www.blogger.com/profile/03820036912869056071), 2012-02-14T01:31:01-08:00

Today the sample is CHANGING again..

File name: sp_k_test.apk
MD5: 2b609e4acfebbee57ecf6ddbfd8202d2
File size: 78.1 KB ( 79973 bytes )
File type: ZIP
Detection ratio: 9 / 43
Analysis date: 2012-02-14 09:02:41 UTC ( 0 分 ago )
https://www.virustotal.com/file/8d9f6939db8f9b54e062403915174431008aa6c87a1803ff9faed072bb7620ee/analysis/1329210161/

Download Proof:
Tue Feb 14 18:22:35 JST 2012

----------------------------------------
http://www.14243444.com/appli02.php
----------------------------------------
GET /appli02.php HTTP/1.1
Host: www.14243444.com
User-Agent: Mozilla/5.0 (FreeBSD 8.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 14 Feb 2012 08:59:44 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.3.8 mod_antiloris/0.4
X-Powered-By: PHP/5.3.8
Content-Disposition: attachment; filename=sp/k_test.apk
Content-Length: 79973
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/vnd.android.package-archive

----------------------------------------
http://14243444.com/appli02.php
----------------------------------------
GET /appli02.php HTTP/1.1
Host: 14243444.com
User-Agent: Mozilla/5.0 (FreeBSD 8.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=a76c2607a7dd84d8764530ecc2c97c1a

HTTP/1.1 200 OK
Date: Tue, 14 Feb 2012 09:00:24 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.3.8 mod_antiloris/0.4
X-Powered-By: PHP/5.3.8
Content-Disposition: attachment; filename=sp/k_test.apk
Content-Length: 79973
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/vnd.android.package-archive

It is the same malware, same works...
It depends on ARIN now to shut down this IP connection

Comment by Anonymous, 2012-02-13T23:11:09-08:00

The password on the third sample doesn't seem to be "infected". (However, I managed to get the sample from the original site.)

Comment by Anonymous, 2012-02-13T04:09:32-08:00

Malware Files in "/sp" Folder.

"atm.apk"
https://www.virustotal.com/url/5183a522fdcd5c8de1611c26e25229c83bd158aa80c79e4a209f39c18d9bfcad/analysis/1329132131/
https://www.virustotal.com/file/ce32e65cb87af69ddcecc31d8bc9487168da4fa65f42e14526f79c6be72f07ee/analysis/1329132132/

"btm.apk"
https://www.virustotal.com/url/618d93244888d5cab661c1d3eb1586c0aedf9aa9a2e6e407c307f34277cba43a/analysis/1329134446/
https://www.virustotal.com/file/eaaadaf6d51487057fb2709cabfca742cf84b97dc5583d3c280175c8ee2d23a2/analysis/1329134447/

"mtm.apk"
https://www.virustotal.com/url/e2e22c15b5a4c0235d0d49ed13891dda4b31bd29c9a1a43fa985396acbe21778/analysis/1329134540/
https://www.virustotal.com/file/c362fd1150860364930a643993fa0e2c63ca0dd6892b13678937169812099776/analysis/1329134541/

"ntm.apk"
https://www.virustotal.com/url/c3f26e266756ea277aeda532b9e6b4b36ce6d8602fd26b943488c4f63091170c/analysis/1329134693/
https://www.virustotal.com/file/2fbc32387f9b5c5a8678af3a76c0630ba4d04fd520b21782642a517794063f05/analysis/1329134694/

Comment by unixfreaxjp (https://www.blogger.com/profile/03820036912869056071), 2012-02-13T02:15:20-08:00

The malware site was JUST changing the APK installer to fool/bypass the AV scanners:

File name: sp_btm.apk
File size: 78.1 KB ( 79935 bytes )
MD5: cf9ba4996531d40402efe268c7efda91
File type: ZIP
Detection ratio: 8 / 43
Analysis date: 2012-02-13 09:15:31 UTC
https://www.virustotal.com/file/eaaadaf6d51487057fb2709cabfca742cf84b97dc5583d3c280175c8ee2d23a2/analysis/1329127575/

Comment by unixfreaxjp (https://www.blogger.com/profile/03820036912869056071), 2012-02-12T21:52:16-08:00

For your convenience:

File name: sp_ntm.apk
MD5: 44d31414a63a090e5a54670c33e0d1bc
File size: 78.2 KB ( 80060 bytes )
File type: ZIP
Detection ratio: 4 / 43
VT Analysis date: 2012-02-10 06:20:41 UTC

File name: sp_mtm.apk
MD5: c9c7ae465d712eb79976b34b0f76f1db
File size: 78.1 KB ( 79930 bytes )
File type: ZIP
Detection ratio: 12 / 43
VT Analysis date: 2012-02-13 05:40:07 UTC

Comment by unixfreaxjp (https://www.blogger.com/profile/03820036912869056071), 2012-02-12T21:34:18-08:00

The apk downloader changed names at the first report.
Both files have the same ELF binaries, same logic, same adult sites & same maker.
You may see both detections were mentioned on my site from the beginning.
Just paste the below Japanese word:

■オンラインスキャン結果↓ at the below site, and you will see both samples
http://unixfreaxjp.blogspot.com/2012/02/ocjp-010.html

rgds

Comment by Anonymous, 2012-02-11T14:12:32-08:00

Current file name is "mtm.apk".

https://www.virustotal.com/url/4505afc8d4090db99b0cb65371d88a9947776a7ed93cf6437e929aab34ffbde7/analysis/1328876036/
https://www.virustotal.com/file/748cfa75ba9a7b9d8fd9673e425d504054d71fb9ce7d732656d1ce8dbe5d6a3b/analysis/1328876037/
https://www.virustotal.com/file/748cfa75ba9a7b9d8fd9673e425d504054d71fb9ce7d732656d1ce8dbe5d6a3b/analysis/
SHA256: 748cfa75ba9a7b9d8fd9673e425d504054d71fb9ce7d732656d1ce8dbe5d6a3b
SHA1: 52fb9c62f1d319d1cad700779301536e6993eecc
MD5: c9c7ae465d712eb79976b34b0f76f1db
File size: 78.1 KB ( 79930 bytes )
Detection ratio: 12 / 43

Thank You