TT Malware Log

A personal log of investigation, research and references on malware / cyber attacks / analysis techniques

Malware disguised as a Minecraft PE skin app found on the Google Play store

One of the malicious apps posing as a skin app for Minecraft PE
Source: https://www.symantec.com/connect/fr/blogs/android-malware-google-play-adds-devices-botnet-and-performs-ddos-attacks


【Overview】

Malware

  • Sockbot


【News】

◆Malware disguised as a Minecraft PE skin app found on the Google Play store (ITmedia, 2017/10/20 09:04)
The app in question claimed to let users change the appearance of Minecraft PE characters, while implementing advanced attack functionality in the background
http://www.itmedia.co.jp/news/articles/1710/20/news060.html

【Blog】

◆Android malware on Google Play adds devices to botnet (Symantec, 2017/10/18)
https://www.symantec.com/connect/fr/blogs/android-malware-google-play-adds-devices-botnet-and-performs-ddos-attacks

◆Sockbot Android malware discovered in eight popular apps on Google Play (BGR, 2017/10/19 16:42)
http://bgr.com/2017/10/19/android-sockbot-malware-google-play-minecraft-apps/

◆More trouble in Google Play land (MalwareBytes, 2017/10/20)
https://blog.malwarebytes.com/cybercrime/2017/10/more-trouble-in-google-play-land/


【Indicator information】

Malware information (c9ca73de0f766607c9c499af2ecf98fb3cbb17b99380a976739f8459d9102f68)

MD5 d72ba66106842b141d8f0a929a061259
SHA1 be72c4880a01cb02f85158d3d9aa9aea1457b477
SHA256 c9ca73de0f766607c9c499af2ecf98fb3cbb17b99380a976739f8459d9102f68
SHA512
SSDEEP 98304:wCEJmmY1n3ls1caSZeu0FR6h4kdsxe04E:wdI93lmRSQJ043n4E
authentihash
imphash
File Size 8.45 MB
File Type Android
Compile timestamp
Debug Path
File Name
File Path
Generated files
Characteristics
Reference https://www.virustotal.com/#/file/c9ca73de0f766607c9c499af2ecf98fb3cbb17b99380a976739f8459d9102f68/detection

This malware contains the following strings (defanged; convert hxxp -> http before use)

  • hxxp://
  • hxxp://adeco.adecosystems.com:1628/appwall?type=app
  • hxxp://adeco.adecosystems.com:1628/dialog
  • hxxp://adeco.adecosystems.com:1628/install
  • hxxp://api.vungle.com/api/v4/
  • hxxp://avr2.smaato.net/report2?
  • hxxp://data.flurry.com/aap.do
  • hxxp://dd.adecosystems.com:2000/dd/counter
  • hxxp://i.xx.openx.com/ef3/ef31c13c898edcdfc73feb3c0193b64bcfa70082/754/7544eb4e2c8cb99b125559b8846ce948_2.jpeg
  • hxxp://market.android.com/
  • hxxp://market.android.com/details
  • hxxp://mediation.adnxs.com
  • hxxp://mediation.adnxs.com/mob?
  • hxxp://play.google.com/store/apps/details?id=
  • hxxp://smaato-android-sdk.s3.amazonaws.com/x.png
  • hxxp://soma.smaato.net/oapi/reqAd.jsp?
  • hxxp://www.example.com
  • hxxp://www.google.com
  • hxxp://www.multiappmc.com/promo/cros.json
  • hxxp://www.smaato.com
  • hxxp://xmlpull.org/v1/doc/features.html#process-namespaces
  • hxxps://
  • hxxps://ad6.%s.liverail.com/
  • hxxps://ad6.liverail.com/
  • hxxps://ads.nexage.com
  • hxxps://analytics.mopub.com/i/jot/exchange_client_event
  • hxxps://androidads23.adcolony.com/configure
  • hxxps://androidquery.appspot.com
  • hxxps://app.getsentry.com:443
  • hxxps://app.getsentry.com:443/api/43633/store/
  • hxxps://config.unityads.unity3d.com/webview/
  • hxxps://csi.gstatic.com/csi
  • hxxps://data.flurry.com/aap.do
  • hxxps://data.flurry.com/pcr.do
  • hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/mraid/v2/mraid_app_banner.js
  • hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/mraid/v2/mraid_app_expanded_banner.js
  • hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/mraid/v2/mraid_app_interstitial.js
  • hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/native_ads.html
  • hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/native_video_ads.html
  • hxxps://googleads.g.doubleclick.net/mads/static/mad/sdk/native/sdk-core-v40.html
  • hxxps://graph.%s.facebook.com/network_ads_common/
  • hxxps://graph.facebook.com/network_ads_common/
  • hxxps://ingest.vungle.com/
  • hxxps://live.chartboost.com
  • hxxps://pagead2.googlesyndication.com/pagead/gen_204
  • hxxps://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps
  • hxxps://play.google.com/
  • hxxps://play.google.com/store/apps/details?id=
  • hxxps://plus.google.com/
  • hxxps://proton.flurry.com/sdk/v1/config
  • hxxps://sdk01.adecosystems.net:8890/beacon
  • hxxps://sdk02.adecosystems.net:8890/beacon
  • hxxps://support.google.com/dfp_premium/answer/7160685#push
  • hxxps://twitter.com/%s/status/%s
  • hxxps://www.%s.facebook.com
  • hxxps://www.facebook.com/
  • hxxps://www.google.com/dfp/debugSignals
  • hxxps://www.google.com/dfp/inAppPreview
  • hxxps://www.google.com/dfp/linkDevice
  • hxxps://www.google.com/dfp/sendDebugData
  • hxxps://www.googleapis.com/auth/appstate
  • hxxps://www.googleapis.com/auth/datastoremobile
  • hxxps://www.googleapis.com/auth/drive.appdata
  • hxxps://www.googleapis.com/auth/drive.file
  • hxxps://www.googleapis.com/auth/fitness.activity.read
  • hxxps://www.googleapis.com/auth/fitness.activity.write
  • hxxps://www.googleapis.com/auth/fitness.body.read
  • hxxps://www.googleapis.com/auth/fitness.body.write
  • hxxps://www.googleapis.com/auth/fitness.location.read
  • hxxps://www.googleapis.com/auth/fitness.location.write
  • hxxps://www.googleapis.com/auth/fitness.nutrition.read
  • hxxps://www.googleapis.com/auth/fitness.nutrition.write
  • hxxps://www.googleapis.com/auth/games
  • hxxps://www.googleapis.com/auth/plus.login
  • hxxps://www.googleapis.com/auth/plus.me
  • hxxps://www.mopub.com/optout
  • hxxps://www.mopub.com/optout/
  • hxxps://www.vungle.com/privacy/
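The list above is defanged (hxxp/hxxps) and mixes the malware's own infrastructure with endpoints of bundled advertising and analytics SDKs, so it cannot be fed to a log search as-is. The following script is an added example for this log entry, not code from the original page or from Symantec: it refangs a subset of the strings copied from the list, drops bare schemes, format templates such as `%s` and hosts the analyst has chosen to treat as benign (the exclusion list here is an assumption for the example), and then matches the remaining hostnames against constructed sample proxy log lines.

```python
"""Refang defanged indicator strings and match their hostnames against proxy log lines.

Added example for this log entry; not code from the original page or from Symantec.
The defanged strings are copied from the indicator list above; the proxy log lines
and the benign-host exclusion list are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Subset of the defanged strings listed on the page.
DEFANGED = [
    "hxxp://adeco.adecosystems.com:1628/appwall?type=app",
    "hxxp://dd.adecosystems.com:2000/dd/counter",
    "hxxps://sdk01.adecosystems.net:8890/beacon",
    "hxxps://sdk02.adecosystems.net:8890/beacon",
    "hxxp://www.multiappmc.com/promo/cros.json",
    "hxxps://www.googleapis.com/auth/games",
    "hxxp://www.example.com",
    "hxxps://ad6.%s.liverail.com/",
    "hxxp://",
]

# Assumption for this example: hosts the analyst excludes because matching on them
# would only surface ordinary SDK / platform traffic.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "facebook.com", "example.com")

# Constructed sample proxy log: "<timestamp> <client> <method> <target>".
SAMPLE_LOG = """\
2017-10-20T09:01:12Z 10.0.0.15 CONNECT sdk01.adecosystems.net:8890
2017-10-20T09:01:13Z 10.0.0.15 GET http://www.google.com/
2017-10-20T09:01:20Z 10.0.0.22 GET http://dd.adecosystems.com:2000/dd/counter
2017-10-20T09:02:05Z 10.0.0.31 GET http://www.example.com/index.html
"""


def refang(s):
    """Convert a defanged scheme (hxxp://, hxxps://) back to http:// / https://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def is_benign(host):
    """True if host equals or is a subdomain of an excluded suffix."""
    return any(host == suf or host.endswith("." + suf) for suf in BENIGN_SUFFIXES)


def extract_hosts(defanged):
    """Return the set of hostnames worth searching for, from defanged URL strings."""
    hosts = set()
    for s in defanged:
        host = urlsplit(refang(s)).hostname
        if not host or "%s" in host:   # bare scheme or printf-style template
            continue
        if is_benign(host):
            continue
        hosts.add(host)
    return hosts


def find_matches(log_text, hosts):
    """Return (timestamp, client, host) for log lines whose destination host is in hosts."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, target = parts
        # Absolute URL for GET; "host:port" for CONNECT, which urlsplit parses as
        # a netloc when prefixed with "//".
        host = urlsplit(target if "://" in target else "//" + target).hostname
        if host in hosts:
            hits.append((ts, client, host))
    return hits


if __name__ == "__main__":
    watch = extract_hosts(DEFANGED)
    for ts, client, host in find_matches(SAMPLE_LOG, watch):
        print(f"{ts} {client} contacted {host}")
```

Run on the constructed log, the script reports the two clients that reached adecosystems hosts and stays silent on the google.com and example.com lines; the same `extract_hosts` / `find_matches` pair works on any log source that yields a destination host per line.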


Malware information (https://www.virustotal.com/#/file/5793be5a524dce808bac8259fd484146aad71f691e0760185f009b8b54d5691e/detection)

MD5 9880ed8adfbab106dad83562a9c410a8
SHA1 e281826b4e0b1bdd94309a9d561da4187babad02
SHA256 5793be5a524dce808bac8259fd484146aad71f691e0760185f009b8b54d5691e
SHA512
SSDEEP 196608:EHRQ7fLbzmsKUsgkhgJXw7mJwKxSgZRZnJbP4sQdgEw:yQ7fLbRKzfy60ZxSYnJTnQqp
authentihash
imphash
File Size 8.5 MB
File Type
Compile timestamp
Debug Path
File Name Assassins skins for Minecraft_v1.2_apkpure.com.apk
File Path
Generated files
Characteristics
Reference https://www.virustotal.com/#/file/5793be5a524dce808bac8259fd484146aad71f691e0760185f009b8b54d5691e/details

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2020