Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 10658000: SJBXB
Отправляет данные получаемых СМС-сообщений на удалённый хост.
Сетевая активность:
Подключается к:
- p####.####.com:8080
- p####.####.com
- oa5cv####.####.com
- 1####.####.91
- 1####.####.91:8080
- 1####.####.147:8080
- a####.####.com
- 1####.####.147
Запросы HTTP GET:
- oa5cv####.####.com/ic_ppzb.png
- 1####.####.147/xmld/HttpService!service?paramMap=####
- p####.####.com:8080/sdk/spaycoredex_so_1980.jar
- 1####.####.91/mm/HttpService!service?paramMap=####
- 1####.####.91:8080/mm/HttpService!service?paramMap=####
- p####.####.com/sdk/dp_1.5.0.jar
- oa5cv####.####.com/PPZB3_RH_242_170526_V1.0.1.apk
- p####.####.com/ADicon/ic_tcsy.png
- oa5cv####.####.com/ic_jmapp.png
- oa5cv####.####.com/q300042.apk
- oa5cv####.####.com/ic_mmzbuowrw.png
- oa5cv####.####.com/ic_huobao.png
- p####.####.com/sdk/spaycoredex_so_1980.jar
Запросы HTTP POST:
- a####.####.com/app_logs
- 1####.####.147/xmld/HttpService
- 1####.####.147:8080/xmld/HttpService
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_process_lock/668261.898983071
- <Package Folder>/app_process_lock/2325867719510.74
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/app_process_lock/2325867716412.95
- <Package Folder>/app_process_lock/1122159164041.9
- <Package Folder>/app_process_lock/2965481366097.31
- <Package Folder>/files/exid.dat
- <Package Folder>/app_process_lock/690293981752.964
- <Package Folder>/app_process_lock/2965481364552.78
- <Package Folder>/app_process_lock/261212134948.861
- <Package Folder>/app_process_lock/2325867722281.5
- <Package Folder>/app_process_lock/2965481364738.74
- <Package Folder>/app_process_lock/2965481365258.61
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/app_process_lock/261212135417.554
- <Package Folder>/app_process_lock/524145.397123729
- <Package Folder>/app_process_lock/2325867720083.2
- <Package Folder>/app_process_lock/668260.464978357
- <Package Folder>/files/.umeng/exchangeIdentity.json
- <Package Folder>/app_process_lock/2325867717954.69
- <Package Folder>/app_process_lock/261212134637.684
- <Package Folder>/databases/cc.db
- <Package Folder>/app_process_lock/161.918512514603
- <Package Folder>/app_process_lock/524145.096669153
- <Package Folder>/app_process_lock/690293984275.71
- <Package Folder>/app_process_lock/261212134462.929
- <Package Folder>/app_process_lock/2965481364601.84
- <Package Folder>/app_process_lock/2965481364163.03
- <Package Folder>/app_process_lock/2325867726454.8
- <Package Folder>/databases/xUtils_http_cache.db
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/databases/xUtils_http_cookie.db
- <Package Folder>/app_process_lock/261212134959.23
- <Package Folder>/app_process_lock/1122159163083.33
- <Package Folder>/app_process_lock/261212135365.084
- <Package Folder>/app_process_lock/852048.333815873
- <Package Folder>/app_process_lock/690293981295.389
- <Package Folder>/app_process_lock/1122159163301.18
- <Package Folder>/databases/ua.db
- <Package Folder>/app_process_lock/1122159163381.32
- <Package Folder>/app_process_lock/668266.292786374
- <Package Folder>/app_process_lock/1122159163497.9
- <Package Folder>/app_process_lock/1122159163815.27
- <Package Folder>/app_process_lock/2325867725987.6
- <Package Folder>/app_process_lock/2965481366696.19
- <Package Folder>/app_process_lock/690293982384.682
- <Package Folder>/app_process_lock/690293982214.782
- <Package Folder>/app_process_lock/668262.199437647
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/app_process_lock/2965481364950.51
- <Package Folder>/app_process_lock/1122159163249.38
- <Package Folder>/databases/xUtils_http_cache.db-journal
- <Package Folder>/databases/xUtils_http_cache.db-wal
- <Package Folder>/app_process_lock/261212134701.976
- <Package Folder>/app_process_lock/1122159163230.81
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/app_process_lock/690293983064.517
- <Package Folder>/app_process_lock/690293984137.049
- <Package Folder>/app_process_lock/2325867722373.82
- <Package Folder>/app_payload_odex/<Package>.jar
- <Package Folder>/databases/xUtils_http_cache.db-shm
- <Package Folder>/shared_prefs/pay.xml
- <Package Folder>/app_process_lock/261212134289.779
- <Package Folder>/app_process_lock/690293983037.115
Другие:
Запускает следующие shell-скрипты:
- app_process /system/bin com.android.commands.pm.Pm install -r /system/app/com.wwwx.onlyou.apk
- chmod 644 /system/app/com.jhoife.hqigf.apk
- su
- sh
- app_process /system/bin com.android.commands.pm.Pm install -r /system/app/com.jhoife.hqigf.apk
- <su-internal:request>
- chmod 644 /system/app/com.wwwx.onlyou.apk
- <su-internal:result>
- <dexopt>
- cp /storage/emulated/0/Android/com.jhoife.hqigf.apk /system/app/
- cp /storage/emulated/0/Android/com.wwwx.onlyou.apk /system/app/
Использует повышенные привилегии.
Может автоматически отправлять СМС-сообщения.
