A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16206  by nex
 Mon Oct 22, 2012 6:33 am
hnpl2011 wrote:I Looking for two Android.Sumzand:
384fe8649c6e11083c19fc25fe9fcd1f
6850fa8f9495d96e7355cca7f9dee89a
Thank :)
Attached.
Attachments
(64.4 KiB) Downloaded 129 times
 #17231  by Xylitol
 Mon Dec 17, 2012 9:30 am
Attachments
infected
(508.21 KiB) Downloaded 116 times
infected
(656.21 KiB) Downloaded 126 times
 #17738  by vennemars-alex
 Thu Jan 17, 2013 12:38 pm
Sorry for posting a new request, but the old one wasn't replied correctly

I'm looking for a sample of
Trojan: >>Android<< .FinFisher

Please NO Windows version

Thanks
 #18583  by Squirl
 Tue Mar 19, 2013 8:48 am
Currently being served up in a spam campaign, subject line of "Hot News":

http://www.infosecurity-magazine.com/vi ... um=twitter

Example URLs:

hxxp://www.ceipjuandelacosa.es/xbnawwq/yqvjsycp/qlzgqergbpcrf
hxxp://www.alive-jugo.de/txoc/ohbwwhrdifcs/wvvennwrhkhru
hxxp://www.foto-saul.de/pjppdf/pxpyoicoyas/jpkhlsvjtmto
hxxp://akgunhakan.com/xirbgex/purjevbfzyrcchm?pappeuykctexb

URLs are the start of a 3 tier redirect chain, which will redirect to hxxp://androidcloudsecurityupdate.su if an Android UAS is detected.
The next two redirects follow if the correct referrer and UAS detected:
hxxp://androidcloudsecurityupdate.su/fixup.php
hxxp://androidcloudsecurityupdate.su/fixup2.php <-- serves security.update.apk

If a non-Android UAS is used, it simply serves up generic web spam.

Decrypted config file - C2 servers:
24377710093445.su:443
tazmanski.ru:443

20/45 https://www.virustotal.com/en/file/2df2 ... /analysis/
Attachments
infected
(13 KiB) Downloaded 108 times
 #18791  by leeno
 Mon Apr 01, 2013 12:09 pm
Do you have the complete network trace in pcap format . Would appreciate help on the pcap trace for cnc communication described by you
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 11