2017-01-13 - ANDROID MALWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-01-13-Android-malware-traffic.pcap.zip   880 kB (880,257 bytes)

• 2017-01-13-Android-malware-traffic.pcap   (931,376 bytes)

• 2017-01-13-Android-malware-sample.zip   742.8 kB (742,792 bytes)

• 1484347877_flash.apk   (805,529 bytes)

NOTES:

• Thanks to @Pois0nEy3 for tweeting about the Android malware used for this blog entry.
• I don't have the context for how people would get to the link, other than what's in the tweet from @Pois0nEy3.
• I used an old Samsung Galaxy S4 that's been wiped and no longer has a SIM card.  The phone information in the pcap has been edited to disguise any sensitive data (IMEI, IMSI, phone number, etc).

2017-01-14 UPDATE:

• @kevinperlow emailed me further analysis of the APK file.  See the UPDATE section near the end of this blog post.

 

Shown above:  Tweet from @Pois0nEy3.

 

SCREENSHOTS FROM THE ANDROID PHONE

Shown above:  This Android app sure asks for a lot of permissions...

 

Shown above:  Activate device administrator?  Sure thing!

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 114.200.199[.]26 port 80 - mnyou[.]co[.]kr - GET /test/
• 114.200.199[.]26 port 443 - www.mnyou[.]co[.]kr - HTTPS/TLS/SSL traffic
• 220.141.161[.]198 port 80 - goodidea16888[.]com - POST /appHome//servlet/UploadMacf/
• 220.141.161[.]198 port 80 - goodidea16888[.]com - POST /appHome//servlet/GetMessage
• 220.141.161[.]198 port 80 - goodidea16888[.]com - POST /appHome//servlet/OnLine/

 

Shown above:  The initial HTTP request redirects to an HTTPS URL.

 

Shown above:  Callback traffic (1 of 3).

 

Shown above:  Callback traffic (2 of 3).

 

Shown above:  Callback traffic (2 of 3).

 

FILE HASHES

THE APK FILE:

• SHA256 hash: cfd23a2b68910fb9230262dfb9e55f320300630aafe2f1e2df3f2b1207713f23
  File name:  1484347877_flash.apk
  File size:  805,529 bytes

 

ALERTS

Shown above:  Using tcpreplay in Security Onion to veiw the alerts on Sguil using Suricata and the Emerging Threats Pro (ETPRO) ruleset.

 

UPDATE

From @kevinperlow on 2017-01-14:

So this looks like a banking trojan targeting Korean banks.  The IP address is the same as one that appears in a Trend Micro report from two years ago, but I can't make a solid connection beyond that.

There's some Chinese text (unescaped in unicode) in there as well, so possible Chinese authors (and of course a possible false flag).  Other notable thing is the app also looks like it can upload files to the C2.

 

Note:  Left-click on the above image for a full-size view.

 

Click here to return to the main page.