Submission Summary:

 

Technical Details:


 

File System Modifications

| # | Filename(s) | File Size | File Hash | Alias |
|---|---|---|---|---|
| 1 | %Temp%\1.tmp\adb.exe | 578,611 bytes | MD5: 0x2C25A39086B640B2F83BEBC82050B8FC; SHA-1: 0x490037C7B26F567D42D7B15D26C31790D40B4A8C | (not available) |
| 2 | %Temp%\1.tmp\AdbWinApi.dll | 96,256 bytes | MD5: 0x47A6EE3F186B2C2F5057028906BAC0C6; SHA-1: 0xFDE9C22A2CFCD5E566CEC2E987D942B78A4EEAE8 | (not available) |
| 3 | %Temp%\1.tmp\AdbWinUsbApi.dll | 60,928 bytes | MD5: 0x5F23F2F936BDFAC90BB0A4970AD365CF; SHA-1: 0x12E14244B1A5D04A261759547C3D930547F52FA3 | (not available) |
| 4 | %Temp%\1.tmp\busybox | 1,867,568 bytes | MD5: 0x5EA6873C7887CF31AAC0BCAFB10D7680; SHA-1: 0x2C379B0F373F55FD44E1C8C4802A8D1B049FE2E8 | (not available) |
| 5 | %Temp%\1.tmp\motofail | 501,292 bytes | MD5: 0x5285AFB7F3D5CBEFE2E3249D69D746BA; SHA-1: 0x272FA14B0865C97AD51935766DEC086CED0C6A19 | Exploit.Linux.Lotoor.av [Kaspersky Lab]; Exploit.Linux.Lotoor [Ikarus] |
| 6 | %Temp%\1.tmp\run.bat | 2,006 bytes | MD5: 0x1A6D265C8CE3E9CB5E6832688F774717; SHA-1: 0x092DA7225C0359B4BE35D30E9F7A0C6DFD568C37 | (not available) |
| 7 | %Temp%\1.tmp\su | 22,364 bytes | MD5: 0xD1A9DE9724C662A50A9A128E48B1FB37; SHA-1: 0x61410F2E93F5A397F8FC3DD51EA04D6E82734615 | (not available) |
| 8 | %Temp%\1.tmp\Superuser.apk | 843,503 bytes | MD5: 0x65BD72996C68F289C5FA0B81F0874127; SHA-1: 0xEE246D6E91017768E82B2D17E22E4044E4B7DA2F | (not available) |
| 9 | %Temp%\adb.log | 32 bytes | MD5: 0x1CEF3BE3D6DCAFE81864B65E7B448638; SHA-1: 0xF8B8A17350D1669E74CA778062B72B5F532C3647 | (not available) |
| 10 | [file and pathname of the sample #1] | 1,540,096 bytes | MD5: 0xCA7811C795E2D542F1B8BA223D3311CC; SHA-1: 0xAF29268F075141C9CD670FE8AEA41BCF7C652845 | Exploit.Linux.Lotoor.av [Kaspersky Lab]; Exploit.Linux.Lotoor [Ikarus]; packed with UPX [Kaspersky Lab] |

 

Memory Modifications

| Process Name | Process Filename | Main Module Size |
|---|---|---|
| [filename of the sample #1] | [file and pathname of the sample #1] | 4,116,480 bytes |
| adb.exe | %Temp%\1.tmp\adb.exe | 172,032 bytes |

 

Other details

 

Outbound traffic (potentially malicious)

 

 


Copyright © 2013 ThreatExpert. All rights reserved.