e77dcabf3050f075d07851a0f185a7ca43800b672d83943b87a60286cf095d37[.]zip[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

e77dcabf3050f075d07851a0f185a7ca43800b672d83943b87a60286cf095d37.zip.zip
Size

22.1MB
MD5

45e03738964056a1d4c605c5baf9cd81
SHA1

43083ad87e1a6340531667e126be5c0d8a028e8c
SHA256

d8d765c870ba8a44418ac8ea8153cab82012dff440efc57d4087f460c3a15c7b
SHA512

ee6a706a1df339111717d3e13126ad9fdee30be4ab9cc51cc5c5289294d910c340692d60ff5da1d7e4337d4da3502169f1215cb78c5d8ddc005773cff307a6a0
SSDEEP

393216:zpe+BBOVgVFxRwPPl90ApIhSOMWYQfJcLm+sVu5vGkpRHnLbprIXVogPGg+X0im/:zsAOVgVLRwl9DpzWYMJc/sVu5vGSJpWV

Score

7^/10

qr link

Malware Config

Signatures

Requests dangerous framework permissions 3 IoCs

description	ioc
Required to be able to access the camera device.	android.permission.CAMERA
Allows an application to read the user's contacts data.	android.permission.READ_CONTACTS
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE

One or more HTTP URLs in qr code identified
Detects presence of HTTP links in QR codes.
qr link

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack003/Shadowsocks.exe
unpack004/Shadowsocks.exe

Files

e77dcabf3050f075d07851a0f185a7ca43800b672d83943b87a60286cf095d37.zip.zip
.zip

Password: infected
e77dcabf3050f075d07851a0f185a7ca43800b672d83943b87a60286cf095d37.zip
.zip
SSR-Bash-Python-The-Final/LICENSE
SSR-Bash-Python-The-Final/client/ss-c#/Shadowsocks-3.4.2.zip
.zip
Shadowsocks.exe
.exe windows:4 windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 910KB - Virtual size: 910KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SSR-Bash-Python-The-Final/client/ss-c#/Shadowsocks-4.0.1.zip
.zip
Shadowsocks.exe
.exe windows:4 windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SSR-Bash-Python-The-Final/client/ssr-android/BarcodeScanner-4.7.6.apk
.apk android

com.google.zxing.client.android

.CaptureActivity

Activities

.CaptureActivity

android.intent.action.MAIN
com.google.zxing.client.android.SCAN
android.intent.action.VIEW
android.intent.action.VIEW
android.intent.action.VIEW
android.intent.action.VIEW

.encode.EncodeActivity

com.google.zxing.client.android.ENCODE
android.intent.action.SEND
android.intent.action.SEND

.book.SearchBookContentsActivity

com.google.zxing.client.android.SEARCH_BOOK_CONTENTS

.share.ShareActivity

com.google.zxing.client.android.SHARE

Permissions

android.permission.CAMERA
android.permission.INTERNET
android.permission.VIBRATE
android.permission.FLASHLIGHT
android.permission.READ_CONTACTS
com.android.browser.permission.READ_HISTORY_BOOKMARKS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.CHANGE_WIFI_STATE
android.permission.ACCESS_WIFI_STATE
about1d.html
.html
about2d.html
.html
apache-license.txt
big-1d.png
.png
big-aztec.png
.png
big-datamatrix.png
.png
big-pdf417.png
.png
big-qr.png
.png
- http://code.google.com/p/zxing/
contact-results-screen.jpg
.jpg
demo-no.png
.png
demo-yes.png
.png
index.html
.html
license.html
.html
scan-example.png
.png
scan-from-phone.png
.png
- http://www.google.com
scanning.html
.html
search-book-contents.jpg
.jpg
sharing.html
.html
style.css
whatsnew.html
.html
SSR-Bash-Python-The-Final/client/ssr-android/ssr-3.3.7.1-android5.apk
.apk android arch:arm arch:x86 arch:arm64

in.zhaoj.shadowsocksr

com.github.shadowsocks.Shadowsocks

Activities

com.github.shadowsocks.Shadowsocks

android.intent.action.MAIN
android.service.quicksettings.action.QS_TILE_PREFERENCES

com.github.shadowsocks.ProfileManagerActivity

com.github.shadowsocks.ProfileManagerActivity
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED

com.github.shadowsocks.TaskerActivity

com.twofortyfouram.locale.intent.action.EDIT_SETTING

com.github.shadowsocks.ShadowsocksQuickSwitchActivity

in.zhaoj.shadowsocksr.QUICK_SWITCH

com.github.shadowsocks.QuickToggleShortcut

android.intent.action.CREATE_SHORTCUT

Permissions

android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.NFC
android.permission.CAMERA
android.permission.WAKE_LOCK
com.google.android.c2dm.permission.RECEIVE

Receivers

com.github.shadowsocks.BootReceiver

android.intent.action.BOOT_COMPLETED

com.github.shadowsocks.TaskerReceiver

com.twofortyfouram.locale.intent.action.FIRE_SETTING

com.evernote.android.job.v14.PlatformAlarmReceiver

com.evernote.android.job.v14.RUN_JOB
net.vrallev.android.job.v14.RUN_JOB

com.evernote.android.job.JobBootReceiver

android.intent.action.BOOT_COMPLETED

Services

com.github.shadowsocks.ShadowsocksVpnService

android.net.VpnService

com.github.shadowsocks.ShadowsocksTileService

android.service.quicksettings.action.QS_TILE

com.evernote.android.job.gcm.PlatformGcmService

com.google.android.gms.gcm.ACTION_TASK_READY
Iceland.ttf
about.html
.html
bypass-china.acl
bypass-lan-china.acl
bypass-lan.acl
china-list.acl
gfwlist.acl
materialdrawerfont-font-v5.0.0.ttf
pdnsd
.elf linux x86
redsocks
.elf linux arm
ss-local
.elf linux arm
ss-tunnel
.elf linux aarch64
tun2socks
.elf linux x86
SSR-Bash-Python-The-Final/client/ssr-android/ssr-3.3.7.1.apk
.apk android arch:arm arch:x86

in.zhaoj.shadowsocksr

com.github.shadowsocks.Shadowsocks

Activities

com.github.shadowsocks.Shadowsocks

android.intent.action.MAIN
android.service.quicksettings.action.QS_TILE_PREFERENCES

com.github.shadowsocks.ProfileManagerActivity

com.github.shadowsocks.ProfileManagerActivity
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED

com.github.shadowsocks.TaskerActivity

com.twofortyfouram.locale.intent.action.EDIT_SETTING

com.github.shadowsocks.ShadowsocksQuickSwitchActivity

in.zhaoj.shadowsocksr.QUICK_SWITCH

com.github.shadowsocks.QuickToggleShortcut

android.intent.action.CREATE_SHORTCUT

Permissions

android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.NFC
android.permission.CAMERA
android.permission.WAKE_LOCK
com.google.android.c2dm.permission.RECEIVE

Receivers

com.github.shadowsocks.BootReceiver

android.intent.action.BOOT_COMPLETED

com.github.shadowsocks.TaskerReceiver

com.twofortyfouram.locale.intent.action.FIRE_SETTING

com.evernote.android.job.v14.PlatformAlarmReceiver

com.evernote.android.job.v14.RUN_JOB
net.vrallev.android.job.v14.RUN_JOB

com.evernote.android.job.JobBootReceiver

android.intent.action.BOOT_COMPLETED

Services

com.github.shadowsocks.ShadowsocksVpnService

android.net.VpnService

com.github.shadowsocks.ShadowsocksTileService

android.service.quicksettings.action.QS_TILE

com.evernote.android.job.gcm.PlatformGcmService

com.google.android.gms.gcm.ACTION_TASK_READY
Iceland.ttf
about.html
.html
bypass-china.acl
bypass-lan-china.acl
bypass-lan.acl
china-list.acl
gfwlist.acl
materialdrawerfont-font-v5.0.0.ttf
pdnsd
.elf linux x86
redsocks
.elf linux arm
ss-local
.elf linux arm
ss-tunnel
.elf linux arm
tun2socks
.elf linux arm
SSR-Bash-Python-The-Final/client/ssr-android/ssr-3.4.0.1.apk
.apk android arch:arm arch:x86

in.zhaoj.shadowsocksr

com.github.shadowsocks.Shadowsocks

Activities

com.github.shadowsocks.Shadowsocks

android.intent.action.MAIN
android.service.quicksettings.action.QS_TILE_PREFERENCES

com.github.shadowsocks.ProfileManagerActivity

com.github.shadowsocks.ProfileManagerActivity
in.zhaoj.shadowsocksr.intent.action.SORT
in.zhaoj.shadowsocksr.intent.action.SCAN
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED

com.github.shadowsocks.TaskerActivity

com.twofortyfouram.locale.intent.action.EDIT_SETTING

com.github.shadowsocks.ShadowsocksQuickSwitchActivity

in.zhaoj.shadowsocksr.QUICK_SWITCH

com.github.shadowsocks.QuickToggleShortcut

android.intent.action.CREATE_SHORTCUT

Permissions

android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.NFC
android.permission.CAMERA
android.permission.WAKE_LOCK
com.google.android.c2dm.permission.RECEIVE

Receivers

com.github.shadowsocks.BootReceiver

android.intent.action.BOOT_COMPLETED

com.github.shadowsocks.TaskerReceiver

com.twofortyfouram.locale.intent.action.FIRE_SETTING

com.evernote.android.job.v14.PlatformAlarmReceiver

com.evernote.android.job.v14.RUN_JOB
net.vrallev.android.job.v14.RUN_JOB

com.evernote.android.job.JobBootReceiver

android.intent.action.BOOT_COMPLETED

Services

com.github.shadowsocks.ShadowsocksVpnService

android.net.VpnService

com.github.shadowsocks.ShadowsocksTileService

android.service.quicksettings.action.QS_TILE

com.evernote.android.job.gcm.PlatformGcmService

com.google.android.gms.gcm.ACTION_TASK_READY
SSR-Bash-Python-The-Final/client/ssr-android/ssr-3.4.0.5.apk
.apk android arch:arm arch:x86

in.zhaoj.shadowsocksr

com.github.shadowsocks.Shadowsocks

Activities

com.github.shadowsocks.Shadowsocks

android.intent.action.MAIN
android.service.quicksettings.action.QS_TILE_PREFERENCES

com.github.shadowsocks.ProfileManagerActivity

com.github.shadowsocks.ProfileManagerActivity
in.zhaoj.shadowsocksr.intent.action.SORT
in.zhaoj.shadowsocksr.intent.action.SCAN
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED
android.intent.action.VIEW
android.nfc.action.NDEF_DISCOVERED

com.github.shadowsocks.TaskerActivity

com.twofortyfouram.locale.intent.action.EDIT_SETTING

com.github.shadowsocks.ShadowsocksQuickSwitchActivity

in.zhaoj.shadowsocksr.QUICK_SWITCH

com.github.shadowsocks.QuickToggleShortcut

android.intent.action.CREATE_SHORTCUT

Permissions

android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.NFC
android.permission.WAKE_LOCK
com.google.android.c2dm.permission.RECEIVE

Receivers

com.github.shadowsocks.BootReceiver

android.intent.action.BOOT_COMPLETED

com.github.shadowsocks.TaskerReceiver

com.twofortyfouram.locale.intent.action.FIRE_SETTING

com.evernote.android.job.v14.PlatformAlarmReceiver

com.evernote.android.job.v14.RUN_JOB
net.vrallev.android.job.v14.RUN_JOB

com.evernote.android.job.JobBootReceiver

android.intent.action.BOOT_COMPLETED

Services

com.github.shadowsocks.ShadowsocksVpnService

android.net.VpnService

com.github.shadowsocks.ShadowsocksTileService

android.service.quicksettings.action.QS_TILE

com.evernote.android.job.gcm.PlatformGcmService

com.google.android.gms.gcm.ACTION_TASK_READY
SSR-Bash-Python-The-Final/client/ssr-c#/ShadowsocksR-4.6.0-win.7z
.7z
SSR-Bash-Python-The-Final/dev.sh
.sh linux
SSR-Bash-Python-The-Final/install.sh
SSR-Bash-Python-The-Final/libsodium-1.0.11.tar.gz
.gz
SSR-Bash-Python-The-Final/self-check.sh
SSR-Bash-Python-The-Final/server.sh
.sh linux
SSR-Bash-Python-The-Final/shadowsocksr.zip
.zip
SSR-Bash-Python-The-Final/show_flow.py
SSR-Bash-Python-The-Final/ssr
.sh linux
SSR-Bash-Python-The-Final/traffic.sh
.sh linux
SSR-Bash-Python-The-Final/uninstall.sh
SSR-Bash-Python-The-Final/user.sh
.sh linux
SSR-Bash-Python-The-Final/user/add.sh
.sh linux
SSR-Bash-Python-The-Final/user/del.sh
.sh linux
SSR-Bash-Python-The-Final/user/edit.sh
.sh linux
SSR-Bash-Python-The-Final/user/show_all_user_info.py
SSR-Bash-Python-The-Final/www/cgi-bin/check_flow.py
SSR-Bash-Python-The-Final/www/cgi-bin/show_info.py
SSR-Bash-Python-The-Final/www/check_flow.html
.html
SSR-Bash-Python-The-Final/www/css/base.css
SSR-Bash-Python-The-Final/www/css/base.min.css
SSR-Bash-Python-The-Final/www/css/fonts/MaterialDesignIcon.ttf
SSR-Bash-Python-The-Final/www/css/fonts/MaterialDesignIcon.woff
SSR-Bash-Python-The-Final/www/index.html
.html
SSR-Bash-Python-The-Final/www/js/base.js
.js
SSR-Bash-Python-The-Final/www/js/base.min.js
.js
SSR-Bash-Python-The-Final/www/js/html5shiv.js
.js
SSR-Bash-Python-The-Final/www/show_info.html
.html

Sharing

General

Malware Config

Signatures

Files

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 910KB - Virtual size: 910KB

.rsrc Size: 22KB - Virtual size: 22KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rsrc Size: 22KB - Virtual size: 22KB

.reloc Size: 512B - Virtual size: 12B

com.google.zxing.client.android

.CaptureActivity

Activities

.CaptureActivity

.encode.EncodeActivity

.book.SearchBookContentsActivity

.share.ShareActivity

Permissions

in.zhaoj.shadowsocksr

com.github.shadowsocks.Shadowsocks

Activities

com.github.shadowsocks.Shadowsocks

com.github.shadowsocks.ProfileManagerActivity

com.github.shadowsocks.TaskerActivity

com.github.shadowsocks.ShadowsocksQuickSwitchActivity

com.github.shadowsocks.QuickToggleShortcut

Permissions

Receivers

com.github.shadowsocks.BootReceiver

com.github.shadowsocks.TaskerReceiver

com.evernote.android.job.v14.PlatformAlarmReceiver

com.evernote.android.job.JobBootReceiver

Services

com.github.shadowsocks.ShadowsocksVpnService

com.github.shadowsocks.ShadowsocksTileService

com.evernote.android.job.gcm.PlatformGcmService

in.zhaoj.shadowsocksr

com.github.shadowsocks.Shadowsocks

Activities

com.github.shadowsocks.Shadowsocks

com.github.shadowsocks.ProfileManagerActivity

com.github.shadowsocks.TaskerActivity

com.github.shadowsocks.ShadowsocksQuickSwitchActivity

com.github.shadowsocks.QuickToggleShortcut

Permissions

Receivers

com.github.shadowsocks.BootReceiver

com.github.shadowsocks.TaskerReceiver

com.evernote.android.job.v14.PlatformAlarmReceiver

com.evernote.android.job.JobBootReceiver

Services

com.github.shadowsocks.ShadowsocksVpnService

com.github.shadowsocks.ShadowsocksTileService

com.evernote.android.job.gcm.PlatformGcmService

in.zhaoj.shadowsocksr

com.github.shadowsocks.Shadowsocks

Activities

com.github.shadowsocks.Shadowsocks

com.github.shadowsocks.ProfileManagerActivity

com.github.shadowsocks.TaskerActivity

com.github.shadowsocks.ShadowsocksQuickSwitchActivity

com.github.shadowsocks.QuickToggleShortcut

Permissions

Receivers

.text
Size: 910KB - Virtual size: 910KB

.rsrc
Size: 22KB - Virtual size: 22KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 1.1MB - Virtual size: 1.1MB

.rsrc
Size: 22KB - Virtual size: 22KB

.reloc
Size: 512B - Virtual size: 12B