Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 106575206321505460: dyl#null,<IMEI>,6000005-1-28-6_kh5s0349_-0
- 10691009: @8DYL#null,<IMEI>,6000005-1-28-6_kh5s0349_-0
- 12114516420: <IMSI>
Сетевая активность:
Подключается к:
- 1####.####.226
- 1####.####.226:8002
- 1####.####.238
- 1####.####.238:8977
- 7j####.####.com
- a####.####.com
- and####.####.com
- and####.####.com:8077
- c####.####.com
- c####.####.com:10101
- c-h####.####.com
- col####.####.com
- huangda####.com
- i####.####.cn
- m####.####.com
- p####.####.com
- re####.####.com
- re####.####.com:10002
- s####.####.com
- so####.com
- v####.####.com
- w####.####.com
Запросы HTTP GET:
- 1####.####.238/dex/version.txt
- 1####.####.238:8977/dex/version.txt
- 7j####.####.com/tdata_CbF394
- a####.####.com/fetch.php?gid=####&ch=####&key=####
- a####.####.com/location/ip?ak=####&mcode=####
- c####.####.com/v1/sdk/report?sdk_type=####&sdk_status=####&trade_id=####...
- c####.####.com:10101/v1/order/get?phone=####&imei=####&sdk_version=####&...
- huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
- i####.####.cn/iplookup/iplookup.php?format=####
- m####.####.com/course/504703.html?cm=####
- p####.####.com/cityjson?ie=####
- re####.####.com/v1/sdk/init?net_name=####&imei=####&package_name=####&sd...
- re####.####.com:10002/v1/sdk/init?net_name=####&imei=####&package_name=#...
- s####.####.com/config/hz-hzv3.conf
- so####.com/qsxa/tyvideo/get_mmplayer?vncode=####&channel=####&pkg=####&v...
- v####.####.com/version/tcmn/app/mmplay
- w####.####.com/r/378609775/index.htm?cm=####
Запросы HTTP POST:
- 1####.####.226/api/qxt/tel/get
- 1####.####.226:8002/api/sl/vcoderule/getvalid
- and####.####.com/record-plat/record/upload.do
- and####.####.com:8077/record-plat/seq/query.do
- c-h####.####.com/api.php?format=####&t=####
- col####.####.com/pay-data-collect/collectAppStartUserData.json
- s####.####.com/api.php?format=####&t=####
- s####.####.com/pay-sms-access//uploadOpenPayOrderResult.json?
- v####.####.com/api/payment/mobileInit.html
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_Wyzf_plg/5.0.7.jar
- <Package Folder>/app_dex/classes.jar
- <Package Folder>/app_workbench43822/apk.zip
- <Package Folder>/app_workbench71758/apk.zip
- <Package Folder>/app_workbench77284/apk.zip
- <Package Folder>/cache/####/-1011389605-569852143
- <Package Folder>/cache/####/-1260128271-891237918
- <Package Folder>/cache/####/-1420139979-1164759002
- <Package Folder>/cache/####/-1446681350-1688146117
- <Package Folder>/cache/####/-1908891995638652325
- <Package Folder>/cache/####/-1983760042294923183
- <Package Folder>/cache/####/-2452093751366704580
- <Package Folder>/cache/####/-24520937597760693
- <Package Folder>/cache/####/-450394388-1275986263
- <Package Folder>/cache/####/-74822859217069676
- <Package Folder>/cache/####/-74822886217069676
- <Package Folder>/cache/####/-7945625251999311180
- <Package Folder>/cache/####/-9146070041919382239
- <Package Folder>/cache/####/-915345867-681934945
- <Package Folder>/cache/####/-986208412638652325
- <Package Folder>/cache/####/1102400193-376811
- <Package Folder>/cache/####/1201019736-698159970
- <Package Folder>/cache/####/12270880411490509940
- <Package Folder>/cache/####/1240306932-1615923587
- <Package Folder>/cache/####/12520231081490509940
- <Package Folder>/cache/####/1539198918-1048672209
- <Package Folder>/cache/####/1559581948-509113896
- <Package Folder>/cache/####/1822991184-681934945
- <Package Folder>/cache/####/18938516791895014451
- <Package Folder>/cache/####/557698116-198954366
- <Package Folder>/cache/####/763452949-2047959600
- <Package Folder>/cache/####/840418302438133069
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/Data_sync.db-journal
- <Package Folder>/databases/increment.db-journal
- <Package Folder>/databases/pushext.db-journal
- <Package Folder>/databases/pushsdk.db-journal
- <Package Folder>/databases/recordInfo-journal
- <Package Folder>/databases/smspay20723719.db
- <Package Folder>/databases/smspay20723719.db-journal
- <Package Folder>/databases/sy_pay_record-journal
- <Package Folder>/databases/tmpd8.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/plus.jar
- <Package Folder>/files/gdaemon_20161017
- <Package Folder>/files/init.pid
- <Package Folder>/files/libabc
- <Package Folder>/files/mobclick_agent_cached_<Package>28
- <Package Folder>/files/push.pid
- <Package Folder>/files/run.pid
- <Package Folder>/files/tdata_nlh657.jar
- <Package Folder>/files/tdata_nlh657.tmp
- <Package Folder>/shared_prefs/ACCOUNT_SYSTEM_ACCOUNT_INFO.xml
- <Package Folder>/shared_prefs/BOOT_SMS_INFO.xml
- <Package Folder>/shared_prefs/BOOT_SMS_SENT_TIME.xml
- <Package Folder>/shared_prefs/DB_MTS.xml
- <Package Folder>/shared_prefs/QugouUser.xml
- <Package Folder>/shared_prefs/QugouUserTag.xml
- <Package Folder>/shared_prefs/UNICOM_LOG_UA.xml
- <Package Folder>/shared_prefs/VistorNo.xml
- <Package Folder>/shared_prefs/first_pref.xml
- <Package Folder>/shared_prefs/first_register.xml
- <Package Folder>/shared_prefs/jmsdk.dat.xml
- <Package Folder>/shared_prefs/jmsdk.dat.xml.bak
- <Package Folder>/shared_prefs/mgsdkfin1.xml
- <Package Folder>/shared_prefs/mgsdkfin1.xml.bak
- <Package Folder>/shared_prefs/p_config.xml
- <Package Folder>/shared_prefs/plugin_record_app_info.xml
- <Package Folder>/shared_prefs/pref_recomm.xml
- <Package Folder>/shared_prefs/pref_recomm.xml.bak
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/sp_name_config20723719.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml.bak
- <Package Folder>/shared_prefs/syndatabackup.xml
- <Package Folder>/shared_prefs/tpservices.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/version.dat.xml
- <Package Folder>/shared_prefs/wyzf_config20723719.xml
- <Package Folder>/shared_prefs/wyzf_config20723719.xml.bak
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/.tpservice/####/qsha_80001_5096.jar
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3003_2274.zip
- <SD-Card>/.xo3w3D48E507A660C8D20C4236E1kfq/####/0x088fi421igd69822hwqb6r116fsh10
- <SD-Card>/.xo3w3D48E507A660C8D20C4236E1kfq/####/a05p9ote0s3aa958494i0azg083l0dj4
- <SD-Card>/.xo3w3D48E507A660C8D20C4236E1kfq/####/tg0px1c16tz98vd71lnmyvya523o6f5g
- <SD-Card>/.xo3w3D48E507A660C8D20C4236E1kfq/user.sys
- <SD-Card>/<Package>/####/TYDSETTING
- <SD-Card>/<Package>/####/f42a2f3be7be22d7413a108337d7f9e0
- <SD-Card>/libs/<Package>.db
- <SD-Card>/libs/app.db
- <SD-Card>/libs/com.getui.sdk.deviceId.db
- <SD-Card>/libs/com.igexin.sdk.deviceId.db
- <SD-Card>/system/####/tdata_nlh657
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.cnvubcf.zcgzsy/files/gdaemon_20161017 0 com.cnvubcf.zcgzsy/com.igexin.sdk.PushService 24836 300 0
- <dexopt>
- cat /proc/version
- cat /sys/block/mmcblk0/device/cid
- chmod 700 /data/data/com.cnvubcf.zcgzsy/files/gdaemon_20161017
- chmod 700 <Package Folder>/files/gdaemon_20161017
- sh <Package Folder>/files/gdaemon_20161017 0 <Package>/com.igexin.sdk.PushService 24836 300 0
