Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 12114000372329: i2mPNk1AOWWu6IO69LttHIXkg==
Сетевая активность:
Подключается к:
- beijin####.####.com
- 1####.####.167:9321
- w####.####.com
- z####.####.com
- 1####.####.237
- h####.####.com
- s####.####.com
- 1####.####.151:8080
- so####.com
- i####.####.com
- 1####.####.237:8080
- p####.####.com
- 4####.####.232:8081
- ut####.cn
- ut####.cn:8080
- a####.####.com
- t####.####.com
- 4####.####.115:9321
- g####.####.com
- 1####.####.10:9321
- c####.####.com
- e####.####.com
- a####.####.cn
Запросы HTTP GET:
- w####.####.com/adx.php?c=####
- i####.####.com/tps/i3/T1.lJGFlVcXXa6Q3bb-9-18.gif
- s####.####.com/style/css/main.css
- i####.####.com/bao/uploaded/i4/22754018/TB2aVvhXSFjpuFjSszhXXaBuVXa_!!22754018.jpg_160x160.jpg
- i####.####.com/bao/uploaded/i1/TB1OvAUNXXXXXaxXXXXXXXXXXXX_!!0-item_pic.jpg_160x160.jpg
- c####.####.com/9.gif?abc=####&rnd=####
- i####.####.com/bao/uploaded/i1/TB1WgdlOpXXXXauXXXXXXXXXXXX_!!0-item_pic.jpg_160x160.jpg
- i####.####.com/tps/i2/T1m09PXsFiXXbTThPr-7-7.gif
- c####.####.com/core.php?web_id=####&t=####
- c####.####.com/cpro/exp/closead/img/bg_rb.png
- c####.####.com/cpro/ui/noexpire/img/4.0.0/pc_ads_bear.1x.png
- c####.####.com/cpro/ui/noexpire/img/4.0.0/pc_ads.1x.png
- z####.####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&showp=####&t=####&h=####&rnd=####
- beijin####.####.com/apks/load.bat
- i####.####.com/bao/uploaded/i1/TB13ETsNpXXXXcIXVXXXXXXXXXX_!!0-item_pic.jpg_160x160.jpg
- e####.####.com/hmt/icon/21.gif
- c####.####.com/cpro/ui/noexpire/js/4.0.0/adClosefeedbackUpgrade.min.js
- s####.####.com/z_stat.php?id=####&web_id=####
- t####.####.com/it/u=790947040,4200533282&fm=76
- h####.####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&ep=####&et=####&ja=####&ln=####&lo=####&nv=####&rnd=####&si=####&st=####&v=####&lv=####
- a####.####.com/libs/jquery/2.1.4/jquery.min.js
- p####.####.com/wcpm?rdid=####&dc=####&di=####&dri=####&dis=####&dai=####&ps=####&dcb=####&dtm=####&dvi=####&dci=####&dpt=####&tsr=####&tpr=####&ti=###...
- so####.com/mobile
- c####.####.com/cpro/exp/closead/img/bd_logo.png
- g####.####.com/display?rd=####&pid=####&pgid=####&rf=####&et=####&ttype=####&v=####&cm=####&ck=####&cw=####&ct=####&wt=####&ti=####&tl=####&st=####&cb...
- a####.####.cn/tkapi/mclick.js?_t=####
- a####.####.cn/tkapi.js
- t####.####.com/it/u=1090130494,3525460735&fm=76
- h####.####.com/hm.gif?cc=####&ck=####&cl=####&ds=####&et=####&ja=####&ln=####&lo=####&nv=####&rnd=####&si=####&st=####&v=####&lv=####&tt=####
- a####.####.cn/tkapi/plugin.js?_t=####
- t####.####.com/it/u=495228022,3706957891&fm=76
- s####.####.com/style/css/bootstrap.min.css
- p####.####.com/wcpm?di=####&dri=####&dis=####&dai=####&ps=####&dcb=####&dtm=####&dvi=####&dci=####&dpt=####&tsr=####&tpr=####&ti=####&ari=####&dbv=###...
- s####.####.com/style/images/logo.gif
- i####.####.com/bao/uploaded/i1/TB148kHOFXXXXagaXXXYXGcGpXX_M2.SS2_160x160.jpg
- i####.####.com/bao/uploaded/i3/1085586699/TB2tmZHeElnpuFjSZFjXXXTaVXa_!!1085586699.jpg_160x160.jpg
- t####.####.com/it/u=1762810985,2492946471&fm=76
- h####.####.com/h.js?0474b4d####
- t####.####.com/it/u=561684103,2469852632&fm=76
- t####.####.com/it/u=3250483810,1605664115&fm=76
- c####.####.com/cpro/ui/c.js
- g####.####.com/load?rf=####&dr=####&pid=####&pgid=####&ak=####&ttype=####&scr=####&lan=####&ciid=####&csid=####&curl=####&ckeywords=####&cb=####
- a####.####.cn/tfscom/T1iIp8FaVhXXXqupbX.js
Запросы HTTP POST:
- 4####.####.232:8081/logic/absloginfo?imei=####&imsi=####&message=####
- 1####.####.10:9321/abs/fee
- so####.com/mobiles
- ut####.cn/excalibur/avalon/sdk/queryResult.aspx
- 4####.####.115:9321/abs/init
- 1####.####.237:8080/BusiService/@intf@/i2001
- 1####.####.237/BusiService/@intf@/i0003
- 1####.####.237/BusiService/@intf@/i0002
- 1####.####.237/BusiService/@intf@/i0001
- ut####.cn:8080/excalibur/avalon/sdk/init.aspx
- 1####.####.151:8080/astrolinkSDK/info/getUpUrlInfo
- ut####.cn/excalibur/avalon/sdk/pay.aspx
- 1####.####.167:9321/abs/fee
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/app_dex/utopay.jar
- /data/data/####/cache/webviewCacheChromium/f_00000a
- /data/data/####/app_dex/utopay_icon.gif
- /data/data/####/databases/utopay.db-journal
- /data/data/####/cache/webviewCacheChromium/f_00000b
- /data/data/####/shared_prefs/setting.xml
- /data/data/####/cache/webviewCacheChromium/f_00000d
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/cache/webviewCacheChromium/data_3
- /sdcard/Download/AST_DOWN/load.bat
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/shared_prefs/1154|account_file.xml
- /data/data/####/files/sdk.jar
- /data/data/####/cache/webviewCacheChromium/f_000009
- /sdcard/Download/AST_DOWN/version.bin
- /data/data/####/cache/webviewCacheChromium/f_00000c
- /data/data/####/shared_prefs/abs.xml
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/shared_prefs/STORE_MAIN.xml
- /data/data/####/databases/webview.db-journal
- /data/data/####/cache/webviewCacheChromium/f_000008
- /data/data/####/cache/webviewCacheChromium/f_000001
- /data/data/####/databases/d_aosd56dg
- /data/data/####/cache/webviewCacheChromium/f_000003
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/cache/webviewCacheChromium/f_000005
- /data/data/####/cache/webviewCacheChromium/f_000004
- /data/data/####/cache/webviewCacheChromium/f_000007
- /data/data/####/cache/webviewCacheChromium/f_000006
- /data/data/####/shared_prefs/####_preferences.xml.bak
- /data/data/####/shared_prefs/sp_haoapp.xml
- /data/data/####/app_dex/utopay_close.png
- /data/data/####/shared_prefs/abs.xml.bak
- /data/data/####/databases/d_aosd56dg-journal
- /data/data/####/cache/webviewCacheChromium/index
- /data/data/####/shared_prefs/1154|account_file.xml.bak
Другие:
Запускает следующие shell-скрипты:
- getprop apps.customerservice.device
Может автоматически отправлять СМС-сообщения.
