Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 12114516416: <IMSI>A
- 12114: <IMSI>A
Загружает на исполнение код следующих детектируемых угроз:
- Android.SmsSend.11446
- Android.SmsSend.1848.origin
- Android.SmsSend.1848.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.SmsSend.11446
- Android.SmsSend.1848.origin
- Android.SmsSend.1848.origin
Сетевая активность:
Подключается к:
- 1####.####.111
- 1####.####.111:8001
- 1####.####.56
- 1####.####.56:9039
- 1####.####.78
- 1####.####.78:18080
- 754####.####.com
- a####.####.com
- c####.####.com
- cdn10####.####.com
- f####.####.cn
- f####.####.cn:8090
- i####.####.com
- s####.####.cn
- s####.####.com
- tb####.com
- ut####.cn
- ut####.cn:8080
- x####.####.cn
Запросы HTTP GET:
- 1####.####.111/APP/GetFeePoint.aspx
- 1####.####.111:8001/APP/AppTask.aspx
- 1####.####.56/gamesit/jysdk/initsdk?os_info=####&os_model=####&net_info=...
- 1####.####.56:9039/gamesit/puinit/data
- 754####.####.com/api7tbkj/getAdsOftbkjApi.php?imei=####&appkey=####&prov...
- c####.####.com/api/count.php?imei=####&channelid=####&imsi=####&code=###...
- c####.####.com/uad/1.2.0/x86/uda
- cdn10####.####.com/1000su/app/xiuxiukanpian.png
- f####.####.cn/phoneget?cpid=####&ismi=####&calltime=####&callcount=####&...
- f####.####.cn:8090/getjar?cpid=####&packagename=####&ismi=####&version_c...
- s####.####.cn/getconfig.aspx?
- s####.####.com/versioncheck.aspx?
- tb####.com/image/nv01.jpg
Запросы HTTP POST:
- 1####.####.78/f_api/LogController/logs?message=####
- 1####.####.78:18080/f_api/MsgController/getIpAddr
- a####.####.com/app_logs
- i####.####.com//service/getIpInfo.php?ip=####
- ut####.cn/excalibur/avalon/sdk/pay.aspx
- ut####.cn:8080/excalibur/avalon/sdk/init.aspx
- x####.####.cn/sdkServer/pay
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/EOZTzhVG.jar
- <Package Folder>/app_dex/utopay.jar
- <Package Folder>/app_dex/utopay_close.png
- <Package Folder>/app_dex/utopay_icon.gif
- <Package Folder>/baea/entrance.jar
- <Package Folder>/baea/mapa.jar
- <Package Folder>/cache/####/1496212861320
- <Package Folder>/databases/MA_epay_db
- <Package Folder>/databases/MA_epay_db-journal
- <Package Folder>/databases/bil_db
- <Package Folder>/databases/bil_db-journal
- <Package Folder>/databases/database-journal
- <Package Folder>/databases/sms_db
- <Package Folder>/databases/sms_db-journal
- <Package Folder>/databases/utopay.db
- <Package Folder>/databases/utopay.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/xl_thirdpay.db
- <Package Folder>/databases/xl_thirdpay.db-journal
- <Package Folder>/files/####/libcrypt_sign.so
- <Package Folder>/files/####/libcryptooperad.so
- <Package Folder>/files/####/libkjOnlinePay.so
- <Package Folder>/files/####/libplugin_phone.so
- <Package Folder>/files/####/libus.so
- <Package Folder>/files/cfg.data
- <Package Folder>/files/mj.apk
- <Package Folder>/files/mobclick_agent_cached_<Package>
- <Package Folder>/files/update.jar
- <Package Folder>/libus.lock
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml.bak
- <Package Folder>/shared_prefs/MYYR.xml
- <Package Folder>/shared_prefs/data.xml
- <Package Folder>/shared_prefs/edition.xml
- <Package Folder>/shared_prefs/ma_call.xml
- <Package Folder>/shared_prefs/ma_call.xml.bak
- <Package Folder>/shared_prefs/ma_epay_share.xml
- <Package Folder>/shared_prefs/ma_phone.xml
- <Package Folder>/shared_prefs/ma_phone.xml.bak
- <Package Folder>/shared_prefs/mobclick_agent_header_<Package>.xml
- <Package Folder>/shared_prefs/mobclick_agent_state_<Package>.xml
- <Package Folder>/shared_prefs/mobclick_agent_state_<Package>.xml.bak
- <Package Folder>/shared_prefs/new_vvsion.xml
- <Package Folder>/shared_prefs/ui.xml
- <Package Folder>/shared_prefs/ui.xml.bak
- <Package Folder>/shared_prefs/wb.xml
- <Package Folder>/shared_prefs/yunchao_sp.xml
- <Package Folder>/shared_prefs/yunchao_sp.xml.bak
- <Package Folder>/shared_prefs/zhangpay_share.xml
- <Package Folder>/shared_prefs/zhangpay_share.xml.bak
- <Package Folder>/shared_prefs/zhangpay_sms_info.xml
- <Package Folder>/shared_prefs/zhangpay_sms_info.xml.bak
- <SD-Card>/.yrdata/GG_50008_v3.0.apk_tmp
- <SD-Card>/.yrdata/a8591d0da3ab4417a4613d66e183d43c.pngdm
- <SD-Card>/.yrdata/aikantv.pngdm
- <SD-Card>/.yrdata/daoguoshipin.pngdm
- <SD-Card>/.yrdata/jskb.pngdm
- <SD-Card>/.yrdata/meinvboke.pngdm
- <SD-Card>/.yrdata/miyingshipin.pngdm
- <SD-Card>/.yrdata/xiuxiukanpian.pngdm
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/journal.tmp
- <SD-Card>/gooogle/userid.cfg
Другие:
Запускает следующие shell-скрипты:
- <dexopt>
- getprop apps.customerservice.device
