Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 12114: dyl#####,####,6000061-1-17-taikupx_langqu-0
- 106575206321505460: dyl#####,####,6000061-1-17-taikupx_langqu-0
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.205.origin
- Android.SmsSend.1848.origin
Отправляет данные получаемых СМС-сообщений на удалённый хост.
Сетевая активность:
Подключается к:
- v####.####.com
- a####.####.site
- 1####.####.79
- and####.####.com
- 1####.####.79:1205
- a####.####.site:8090
- w####.####.com
- d####.####.net
- 1####.####.78:1506
- greenxs####.net
- mobi####.####.com
- m####.####.com
- and####.####.com:8077
Запросы HTTP GET:
- greenxs####.net/resource!chargeUpdate?resTypes=####&dexId=####&dexVer=##...
- d####.####.net/apkf/3rdapk2/M01/13/6C/wKhklVjwsaCARWV-AAQm7yY3ixc640.apk
- greenxs####.net/resource!resource?resTypes=####&appid=####&channel=####&...
- d####.####.net/apkf/3rdapk2/M01/0F/ED/wKhklFi3kP6AenV0AAK1r2oCKfQ234.apk
- w####.####.com/r/378609775/index.htm?cm=####
- a####.####.site/getdata?cpid=####&packagename=####
- d####.####.net/apkf/3rdapk2/M01/0C/74/wKhklFggLLiAJT70AAAkOW2094g958.apk
- greenxs####.net/active!activeLog.action?provider=####&clickId=####&manu=...
- w####.####.com/r/378609775/378609778/index.htm?cm=####
- d####.####.net/apkf/3rdapk2/M01/0F/82/wKhklFiFqJKAOnnKAACb3YsVzOg199.apk
- a####.####.site:8090/phoneget?cpid=####&ismi=####&calltime=####&callcoun...
- m####.####.com/course/504703.html?cm=####
- greenxs####.net/doking/smsd!hiGo.action?t=####&dexId=####&dexVer=####&ap...
- w####.####.com/r/p/lyxy.jsp?ln=####&t1=####&cm=####
- w####.####.com/r/p/index.jsp?vt=####&cm=####
- d####.####.net/apkf/3rdapk2/M01/11/F8/wKhklVjkZD6AChDMAAP3wtpPkhM733.apk
Запросы HTTP POST:
- 1####.####.79/push/moregame
- mobi####.####.com/mgw.htm
- and####.####.com/zm-adv-mis/recommwall/active/query.do
- and####.####.com/zm-adv-mis/push/active/query.do
- 1####.####.79/black_white/ui_content
- and####.####.com/android/sms/netpay/prefetch.do
- and####.####.com/zm-adv-mis/folder/list/query.do
- and####.####.com/record-plat/record/upload.do
- 1####.####.78:1506/switch/86010001
- 1####.####.79:1205/push/moregame
- and####.####.com/record-plat/seq/query.do
- v####.####.com/api/payment/mobileInit.html
- and####.####.com/zm-adv-mis/recommwall/list/query.do
- and####.####.com:8077/query-plat/cap/query.do
- and####.####.com/zm-adv-mis/folder/active/query.do
- and####.####.com/record-plat/msg/strategy/query.do
- greenxs####.net/shop/shop_upload_log
- v####.####.com/api/payment/updateInit
- and####.####.com/zm-adv-mis/push/list/query.do
- and####.####.com/zm-adv-mis/adv/list/query.do
- and####.####.com/android/sms/commit.do
- and####.####.com/zm-adv-mis/advplugin/query.do
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/SkyAdver_file/NotifyBarAdvResponse
- /data/data/####/shared_prefs/device_feature_prefs_name.xml
- /data/data/####/shared_prefs/Alvin2.xml
- /data/data/####/shared_prefs/ma_epay_share.xml.bak
- /data/data/####/shared_prefs/b_share.xml
- /data/data/####/cache/webviewCacheChromium/data_3
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/shared_prefs/pretw.xml
- /data/data/####/shared_prefs/ma_epay_share.xml
- /data/data/####/databases/bil_db-journal
- /data/data/####/SkyAdver_file/reqseq
- /data/data/####/shared_prefs/UNICOM_LOG_UA.xml
- /sdcard/.DataStorage/ContextData.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_sms/plugins/com.newpay.spsdk.smspay.yijiesdk.new.apk
- /data/data/####/shared_prefs/ma_data.xml.bak
- /data/data/####/databases/Data_sync.db-journal
- /data/data/####/databases/webview.db-journal
- /data/data/####/app_workbench05650/apk.zip
- /data/data/####/shared_prefs/ACCOUNT_SYSTEM_ACCOUNT_INFO.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_sms/plugins/plugin.info
- /data/data/####/app_workbench77794/apk.zip
- /sdcard/.twservice/qshp_3003_2247.zip
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_sms/plugins/com.newpay.spsdk.smspay.zhongzhisdk.new.apk.temp
- /data/data/####/app_workbench72494/apk.zip
- /data/data/####/files/log/ap/20170502.log
- /data/data/####/databases/smspay.dbwyzf
- /data/data/####/databases/MA_epay_db-journal
- /data/data/####/files/libabc
- /data/data/####/shared_prefs/edition.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.recordupload.data
- /data/data/####/databases/bil_db
- /data/data/####/cache/webviewCacheChromium/index
- /data/data/####/app_workbench11176/apk.zip
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.advert.new.data
- /data/data/####/shared_prefs/ma_data.xml
- /sdcard/.twservice/qshp_3003_2247/tw
- /data/data/####/files/noend.ini
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/reqseq
- /data/data/####/shared_prefs/ntf_idpadv.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/PushDataServerTime
- /data/data/####/shared_prefs/defaultPlugin.xml
- /data/data/####/files_main/key_AppPluginCapInfo
- /data/data/####/databases/msp.db
- /sdcard/com/android/system/mt.sys
- /sdcard/.UTSystemConfig/Global/Alvin2.xml
- /data/data/####/shared_prefs/virtualImeiAndImsi.xml
- /data/data/####/shared_prefs/wyzf_configwyzf.xml
- /data/data/####/shared_prefs/alipay_vkey_random.xml
- /data/data/####/shared_prefs/SP_NAME_PAYCOUNT.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_sms/plugins/com.newpay.spsdk.smspay.zhongzhisdk.new.apk
- /data/data/####/cache/webviewCacheChromium/f_000001
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/shared_prefs/b_setting.xml
- /data/data/####/shared_prefs/plugin_record_app_info.xml
- /data/data/####/shared_prefs/pref_advert.xml
- /data/data/####/shared_prefs/paypush_preference.xml.bak
- /data/data/####/baea/tmb.jar
- /data/data/####/shared_prefs/pref_folder.xml
- /data/data/####/shared_prefs/com.avos.avoscloud.RequestStatisticsUtil.data.xml.bak
- /data/data/####/databases/msp.db-journal
- /data/data/####/shared_prefs/SP_NAME_MOREAPP.xml
- /data/data/####/shared_prefs/new_vvsion.xml
- /sdcard/.tpservice/####/download/jar/qsha_80001_5094.jar
- /data/data/####/cache/CommandCache/e60f26af20fd35a7ab9b766789b78a80
- /data/data/####/shared_prefs/nnt_data.xml
- /data/data/####/shared_prefs/BOOT_SMS_SENT_TIME.xml
- /data/data/####/databases/smspay.dbwyzf-journal
- /data/data/####/shared_prefs/mainplugin_query.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.advert.new.data.temp
- /data/data/####/databases/MA_epay_db
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_main/key_ServerPluginInfo
- /data/data/####/app_workbench00124/apk.zip
- /data/data/####/shared_prefs/dispatch_log.xml
- /sdcard/.SystemConfig/device_feature_file_name
- /data/data/####/shared_prefs/pref_recomm.xml.bak
- /data/data/####/shared_prefs/SP_NAME_MOREAPP_SWITCH.xml
- /data/data/####/shared_prefs/ma_call.xml.bak
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/LatestPushIndex
- /data/data/####/app_Wyzf_plg/5.0.6.jar
- /data/data/####/shared_prefs/com.avos.avoscloud.RequestStatisticsUtil.data.xml
- /data/data/####/shared_prefs/GAME_FISH_PRES_INFO.xml
- /data/data/####/shared_prefs/AV_CLOUD_API_VERSION_KEY_ZONE.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_sms/plugins/com.newpay.spsdk.smspay.yijiesdk.new.apk.temp
- /data/data/####/shared_prefs/paypush_preference.xml
- /data/data/####/shared_prefs/ma_call.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.smspay.new.data
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.push.new.data.temp
- /data/data/####/shared_prefs/ma_phone.xml.bak
- /data/data/####/shared_prefs/SYSTEM_MT_INFO_FILE_NAME.xml
- /data/data/####/app_workbench66968/apk.zip
- /data/data/####/cache/CommandCache/e751dfffad994c906c81538fc70a56bc
- /data/data/####/shared_prefs/mainplugin_query.xml.bak
- /data/data/####/shared_prefs/ma_phone.xml
- /data/data/####/shared_prefs/ContextData.xml
- /data/data/####/cache/Analysis/avoscloud-analysis
- /sdcard/Android/data/com.skymobi.pay.newsdk/files_adv/####/SkyAdver_file/NotifyBarAdvResponse
- /data/data/####/files_main/key_ServerPluginInfo
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.push.new.data
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.smspay.data
- /data/data/####/shared_prefs/syndatabackup.xml
- /data/data/####/shared_prefs/BOOT_SMS_INFO.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/user.sys
- /data/data/####/shared_prefs/twc.xml
- /sdcard/gooogle/userid.cfg
- /data/data/####/SkyAdver_file/PushDataServerTime
- /data/data/####/baea/entrance.jar
- /data/data/####/SkyAdver_file/LatestPushIndex
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.main.data
- /data/data/####/shared_prefs/pref_recomm.xml
- /data/data/####/shared_prefs/AVOSCloud-SDK.xml
- /sdcard/Android/data/com.skymobi.pay.newsdk/plugins/com.skymobi.pay.plugin.smspay.new.data.temp
Присваивает атрибут 'исполняемый' для следующих файлов:
- /sdcard/gooogle/userid.cfg
Другие:
Запускает следующие shell-скрипты:
- /system/bin/dexopt --dex 27 142 40 102120 /storage/emulated/0/android/data/com.skymobi.pay.newsdk/files_sms/plugins/com.newpay.spsdk.smspay.zhongzhisdk.apk 1245148595 620116018 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framewo
- cat /proc/cpuinfo | grep Serial
- /system/bin/dexopt --dex 27 95 40 540224 /data/data/####/app_workbench00124/apk.zip 1252156719 1715135955 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /
- /system/bin/dexopt --dex 27 118 40 541712 /data/data/####/app_workbench72494/apk.zip 1252156722 -349942904 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar
- cat /sys/block/mmcblk0/device/cid
- /system/bin/dexopt --dex 27 70 40 213440 /storage/emulated/0/.tpservice/####/download/jar/qsha_80001_5094.jar 1248298237 -1297833896 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar
- /system/bin/dexopt --dex 27 138 40 618728 /data/data/####/app_workbench77794/apk.zip 1252156723 1597167270 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar
- ls -l /system/xbin/su
- /system/bin/dexopt --dex 27 87 40 129872 /data/data/####/app_workbench11176/apk.zip 1252156718 591524218 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /s
- /system/bin/dexopt --dex 27 137 40 349240 /data/data/####/app_workbench66968/apk.zip 1252156722 -1220698994 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar
- /system/bin/dexopt --dex 27 62 40 168508 /data/data/####/baea/tmb.jar 1251694168 83489454 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework
- /system/bin/dexopt --dex 27 138 40 17056 /storage/emulated/0/android/data/com.skymobi.pay.newsdk/files_sms/plugins/com.newpay.spsdk.smspay.yijiesdk.apk 1229753698 832928151 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/b
- /system/bin/dexopt --dex 27 104 40 94816 /data/data/####/app_workbench05650/apk.zip 1252156719 -264446213 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /
- /system/bin/dexopt --dex 27 46 40 60932 /data/data/####/baea/entrance.jar 1251694140 1209869072 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/fra
- /system/bin/dexopt --dex 27 93 40 91992 /data/data/####/app_Wyzf_plg/5.0.6.jar 1249878525 941067483 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system
- /system/bin/dexopt --dex 27 144 40 273440 /storage/emulated/0/.twservice/qshp_3003_2247/tw.jar 1249136898 -1202193357 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/frame
- /system/bin/dexopt --dex 27 143 40 17056 /storage/emulated/0/android/data/com.skymobi.pay.newsdk/files_sms/plugins/com.newpay.spsdk.smspay.yijiesdk.apk 1229753698 832928151 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/b
Использует специальную библиотеку для скрытия исполняемого байткода.
Может автоматически отправлять СМС-сообщения.
