Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 10086: 40411
- 10658000: XDQYWH
- 10658423: mvwlan,d61c557b023a5ff3c9bf9bf23fe46bb5,HZto
- 10662566: 16
Сетевая активность:
Подключается к:
- 1####.####.147
- 1####.####.91
- 1####.####.91:8080
- a####.####.com
- oa5cv####.####.com
- p####.####.com
- p####.####.com:8080
- u####.####.com
Запросы HTTP GET:
- 1####.####.147/xmld/HttpService!service?paramMap=####
- 1####.####.91/mm/HttpService!service?paramMap=####
- 1####.####.91:8080/mm/HttpService!service?paramMap=####
- oa5cv####.####.com/ic_huobao.png
- p####.####.com/ADicon/ic_tcsy.png
- p####.####.com:8080/sdk/spaycoredex_so_1990.jar
- u####.####.com/apka/q300132.apk
Запросы HTTP POST:
- a####.####.com/app_logs
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_payload_odex/<Package>.jar
- <Package Folder>/app_process_lock/1122147952942.35
- <Package Folder>/app_process_lock/1122147952942.35 (deleted)
- <Package Folder>/app_process_lock/1122147952998.06
- <Package Folder>/app_process_lock/1122147952998.06 (deleted)
- <Package Folder>/app_process_lock/1122147953050.87
- <Package Folder>/app_process_lock/1122147953050.87 (deleted)
- <Package Folder>/app_process_lock/1122147953128.23
- <Package Folder>/app_process_lock/1122147953128.23 (deleted)
- <Package Folder>/app_process_lock/1122147953311.42
- <Package Folder>/app_process_lock/1122147953311.42 (deleted)
- <Package Folder>/app_process_lock/1122147953325.78
- <Package Folder>/app_process_lock/1122147953325.78 (deleted)
- <Package Folder>/app_process_lock/1122147953909.77
- <Package Folder>/app_process_lock/1122147953909.77 (deleted)
- <Package Folder>/app_process_lock/1122147953969.58
- <Package Folder>/app_process_lock/1122147953969.58 (deleted)
- <Package Folder>/app_process_lock/161.918512514603
- <Package Folder>/app_process_lock/161.918512514603 (deleted)
- <Package Folder>/app_process_lock/2325844481260.84 (deleted)
- <Package Folder>/app_process_lock/2325844482802.59
- <Package Folder>/app_process_lock/2325844482802.59 (deleted)
- <Package Folder>/app_process_lock/2325844484358.63
- <Package Folder>/app_process_lock/2325844484358.63 (deleted)
- <Package Folder>/app_process_lock/2325844484931.09
- <Package Folder>/app_process_lock/2325844484931.09 (deleted)
- <Package Folder>/app_process_lock/2325844487129.39
- <Package Folder>/app_process_lock/2325844487129.39 (deleted)
- <Package Folder>/app_process_lock/2325844487221.72
- <Package Folder>/app_process_lock/2325844487221.72 (deleted)
- <Package Folder>/app_process_lock/2325844490835.5
- <Package Folder>/app_process_lock/2325844490835.5 (deleted)
- <Package Folder>/app_process_lock/2325844491302.7
- <Package Folder>/app_process_lock/2325844491302.7 (deleted)
- <Package Folder>/app_process_lock/261209524810.474
- <Package Folder>/app_process_lock/261209524810.474 (deleted)
- <Package Folder>/app_process_lock/261209524983.624
- <Package Folder>/app_process_lock/261209524983.624 (deleted)
- <Package Folder>/app_process_lock/261209525158.379
- <Package Folder>/app_process_lock/261209525158.379 (deleted)
- <Package Folder>/app_process_lock/261209525222.671
- <Package Folder>/app_process_lock/261209525222.671 (deleted)
- <Package Folder>/app_process_lock/261209525469.556
- <Package Folder>/app_process_lock/261209525469.556 (deleted)
- <Package Folder>/app_process_lock/261209525479.925
- <Package Folder>/app_process_lock/261209525479.925 (deleted)
- <Package Folder>/app_process_lock/261209525885.779
- <Package Folder>/app_process_lock/261209525885.779 (deleted)
- <Package Folder>/app_process_lock/261209525938.249
- <Package Folder>/app_process_lock/261209525938.249 (deleted)
- <Package Folder>/app_process_lock/2965451739609.53
- <Package Folder>/app_process_lock/2965451739609.53 (deleted)
- <Package Folder>/app_process_lock/2965451739756.76
- <Package Folder>/app_process_lock/2965451739756.76 (deleted)
- <Package Folder>/app_process_lock/2965451739896.3
- <Package Folder>/app_process_lock/2965451739896.3 (deleted)
- <Package Folder>/app_process_lock/2965451740100.74
- <Package Folder>/app_process_lock/2965451740100.74 (deleted)
- <Package Folder>/app_process_lock/2965451740584.84
- <Package Folder>/app_process_lock/2965451740584.84 (deleted)
- <Package Folder>/app_process_lock/2965451740622.81
- <Package Folder>/app_process_lock/2965451740622.81 (deleted)
- <Package Folder>/app_process_lock/2965451742166.08
- <Package Folder>/app_process_lock/2965451742166.08 (deleted)
- <Package Folder>/app_process_lock/2965451742324.13
- <Package Folder>/app_process_lock/2965451742324.13 (deleted)
- <Package Folder>/app_process_lock/524125.03940853
- <Package Folder>/app_process_lock/524125.03940853 (deleted)
- <Package Folder>/app_process_lock/524125.339863105
- <Package Folder>/app_process_lock/524125.339863105 (deleted)
- <Package Folder>/app_process_lock/668266.292786374
- <Package Folder>/app_process_lock/668266.292786374 (deleted)
- <Package Folder>/app_process_lock/690287085337.575 (deleted)
- <Package Folder>/app_process_lock/690287085795.151
- <Package Folder>/app_process_lock/690287085795.151 (deleted)
- <Package Folder>/app_process_lock/690287086256.968
- <Package Folder>/app_process_lock/690287086256.968 (deleted)
- <Package Folder>/app_process_lock/690287086426.868
- <Package Folder>/app_process_lock/690287086426.868 (deleted)
- <Package Folder>/app_process_lock/690287087079.302
- <Package Folder>/app_process_lock/690287087079.302 (deleted)
- <Package Folder>/app_process_lock/690287087106.703
- <Package Folder>/app_process_lock/690287087106.703 (deleted)
- <Package Folder>/app_process_lock/690287088179.236
- <Package Folder>/app_process_lock/690287088179.236 (deleted)
- <Package Folder>/app_process_lock/690287088317.896
- <Package Folder>/app_process_lock/690287088317.896 (deleted)
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/xUtils_http_cache.db
- <Package Folder>/databases/xUtils_http_cache.db-journal
- <Package Folder>/databases/xUtils_http_cache.db-journal (deleted)
- <Package Folder>/databases/xUtils_http_cookie.db
- <Package Folder>/databases/xUtils_http_cookie.db-journal
- <Package Folder>/databases/xUtils_http_cookie.db-journal (deleted)
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/.imprint
- <Package Folder>/files/exid.dat
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/pay.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/Android/####/052ba33096843816e27148509d051eea
- <SD-Card>/Android/####/14bef6fb7b8f894e04145ac27665f6d7
- <SD-Card>/Android/####/292044569eeb4d7b92f05539d6eade8c
- <SD-Card>/Android/####/49cf1c9a8a0e60553334622cb32b19cf
- <SD-Card>/Android/####/557ef0ac9349a96d0cf53407d8be787e
- <SD-Card>/Android/####/691dcf94a7e8ee11c42ea17b46839515
- <SD-Card>/Android/####/a24707c6393c405b9f91c132f79b9378
- <SD-Card>/Android/####/aeb9bd2d3dac71f148448f9dec727cc6
- <SD-Card>/Android/####/b031cfd49807b1503a541a4f6dc7414d
- <SD-Card>/Android/####/b25935247c0f05a02e2ec39b9c0fcb56
- <SD-Card>/Android/####/ba91b1abe79d793f7cb219d672d031c0
- <SD-Card>/Android/####/c731664123d180db9414931381cb353c
- <SD-Card>/Android/####/cf90ac6fc237e7772a0017196fa6d7ae
- <SD-Card>/Android/####/dc1300370cbcc6be21586de5d2eaaeff
- <SD-Card>/Android/####/e133653a550bb1fd6d6ef096c47ab49a
- <SD-Card>/Android/####/ecba2c765b4b573ada8b9d232aa1c712
- <SD-Card>/Android/com.exga.sielzy.apk.tmp
- <SD-Card>/Android/com.exga.sielzy.png.tmp
- <SD-Card>/Android/com.mmzb.wrw.yol.png.tmp
- <SD-Card>/dp.jar.tmp
- <SD-Card>/updateApkDemo/FrameCore.jar
Другие:
Запускает следующие shell-скрипты:
- <dexopt>
- <su-internal:request>
- <su-internal:result>
- app_process /system/bin com.android.commands.pm.Pm install -r /system/app/com.exga.sielzy.apk
- chmod 644 /system/app/com.exga.sielzy.apk
- cp /storage/emulated/0/Android/com.exga.sielzy.apk /system/app/
- sh
- su
Использует повышенные привилегии.
