Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Tool.Rooter.43.origin
Осуществляет доступ к приватному интерфейсу телефонии (ITelephony)
Сетевая активность:
Подключается к:
- m####.####.com
- mon####.####.com
- o####.####.com
- o####.####.com:8080
- p####.####.com
- t####.####.com
Запросы HTTP GET:
- m####.####.com/gjsmall/package/1468416368813.png
- t####.####.com/wifi/cw.html
Запросы HTTP POST:
- m####.####.com/
- mon####.####.com/analytics/rqdsync
- o####.####.com/analytics/upload?sid=####
- o####.####.com:8080/analytics/upload
- p####.####.com/
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_krdir/__krsdk.res__
- <Package Folder>/app_krdir/kd
- <Package Folder>/app_krdir/krsdk.res
- <Package Folder>/app_krdir/reportroot
- <Package Folder>/app_p_icon/i_161.png
- <Package Folder>/app_p_icon/i_231.png
- <Package Folder>/app_p_lib/libQQImageCompare.so
- <Package Folder>/app_p_lib/libpathcache-1.0.0.so
- <Package Folder>/app_p_raw/PiSoftwareMarket.jar
- <Package Folder>/app_p_raw/PiVirusKiller.jar
- <Package Folder>/app_slog/actsts
- <Package Folder>/applib/kd
- <Package Folder>/cache/####/b80d68281e31e21bf9ceec7bb064ec17.0
- <Package Folder>/cache/####/journal.tmp
- <Package Folder>/databases/beacon_db
- <Package Folder>/databases/beacon_db-journal
- <Package Folder>/databases/encryptqqsecure2.db-journal
- <Package Folder>/databases/encryptqqsecure2.db-journal (deleted)
- <Package Folder>/databases/eup_db
- <Package Folder>/databases/eup_db-journal
- <Package Folder>/databases/fea_tunnel_en.db
- <Package Folder>/databases/fea_tunnel_en.db-journal
- <Package Folder>/databases/fea_tunnel_en.db-journal (deleted)
- <Package Folder>/databases/meriExt.db
- <Package Folder>/databases/meriExt.db-journal
- <Package Folder>/databases/pi_info_en.db
- <Package Folder>/databases/pi_info_en.db-journal
- <Package Folder>/databases/pi_info_en.db-journal (deleted)
- <Package Folder>/databases/qqsecure.db
- <Package Folder>/databases/qqsecure.db-journal
- <Package Folder>/files/10001.dat
- <Package Folder>/files/10002.dat
- <Package Folder>/files/10007.dat
- <Package Folder>/files/10008.dat
- <Package Folder>/files/10009.dat
- <Package Folder>/files/10010.dat
- <Package Folder>/files/10011.dat
- <Package Folder>/files/10012.dat
- <Package Folder>/files/10013.dat
- <Package Folder>/files/10014.dat
- <Package Folder>/files/10015.dat
- <Package Folder>/files/10016.dat
- <Package Folder>/files/10017.dat
- <Package Folder>/files/10018.dat
- <Package Folder>/files/10019.dat
- <Package Folder>/files/10020.dat
- <Package Folder>/files/10021.dat
- <Package Folder>/files/20001.dat
- <Package Folder>/files/30001.dat
- <Package Folder>/files/40001.dat
- <Package Folder>/files/40002.dat
- <Package Folder>/files/40004.dat
- <Package Folder>/files/40005.dat
- <Package Folder>/files/40006.dat
- <Package Folder>/files/40007.dat
- <Package Folder>/files/40008.dat
- <Package Folder>/files/40011.dat
- <Package Folder>/files/40012.dat
- <Package Folder>/files/40013.dat
- <Package Folder>/files/40015.dat
- <Package Folder>/files/40225.dat
- <Package Folder>/files/40231.dat
- <Package Folder>/files/40241.dat
- <Package Folder>/files/40248.dat
- <Package Folder>/files/40249.dat
- <Package Folder>/files/40254.dat
- <Package Folder>/files/40256.dat
- <Package Folder>/files/40268.dat
- <Package Folder>/files/40273.dat
- <Package Folder>/files/40275.dat
- <Package Folder>/files/40277.dat
- <Package Folder>/files/40280.dat
- <Package Folder>/files/40282.dat
- <Package Folder>/files/40311.dat
- <Package Folder>/files/40317.dat
- <Package Folder>/files/40350.dat
- <Package Folder>/files/40352.dat
- <Package Folder>/files/40359.dat
- <Package Folder>/files/40361.dat
- <Package Folder>/files/40385.dat
- <Package Folder>/files/40401.dat
- <Package Folder>/files/40402.sdb
- <Package Folder>/files/50001.sdb
- <Package Folder>/files/60004.dat
- <Package Folder>/files/70003.amf
- <Package Folder>/files/80001.dat
- <Package Folder>/files/Beacon_sig_1.lock
- <Package Folder>/files/ShellConfig.dat
- <Package Folder>/files/hstupd_new.dat
- <Package Folder>/files/j_dd_fl.dat
- <Package Folder>/files/kr-stock-conf
- <Package Folder>/files/krld.jar
- <Package Folder>/files/krle
- <Package Folder>/files/libkrsdk.1.0.164.so
- <Package Folder>/files/x_rb_j_al_ct_2.dat
- <Package Folder>/files/x_rp_dt_j.dat
- <Package Folder>/files/xdm
- <Package Folder>/shared_prefs/119.xml
- <Package Folder>/shared_prefs/119.xml.bak
- <Package Folder>/shared_prefs/123.xml
- <Package Folder>/shared_prefs/131.xml
- <Package Folder>/shared_prefs/133.xml
- <Package Folder>/shared_prefs/133.xml.bak
- <Package Folder>/shared_prefs/155.xml
- <Package Folder>/shared_prefs/155.xml.bak
- <Package Folder>/shared_prefs/161.xml
- <Package Folder>/shared_prefs/161.xml.bak
- <Package Folder>/shared_prefs/183.xml
- <Package Folder>/shared_prefs/261.xml
- <Package Folder>/shared_prefs/261.xml.bak
- <Package Folder>/shared_prefs/267.xml
- <Package Folder>/shared_prefs/CTP_ReportData_Common.xml
- <Package Folder>/shared_prefs/CTP_ReportData_Common.xml.bak
- <Package Folder>/shared_prefs/CardConfigDao.xml
- <Package Folder>/shared_prefs/CardConfigDao.xml.bak
- <Package Folder>/shared_prefs/ConfigInfo.xml
- <Package Folder>/shared_prefs/ConfigInfo.xml.bak
- <Package Folder>/shared_prefs/ConfigInfo.xml.bak (deleted)
- <Package Folder>/shared_prefs/DENGTA_META.xml
- <Package Folder>/shared_prefs/DENGTA_META.xml.bak
- <Package Folder>/shared_prefs/DeskAssistantSettingInfo.xml
- <Package Folder>/shared_prefs/DualSimConfigInfo.xml
- <Package Folder>/shared_prefs/DualSimConfigInfo.xml.bak
- <Package Folder>/shared_prefs/DualSimConfigInfo.xml.bak (deleted)
- <Package Folder>/shared_prefs/DualSimService.xml
- <Package Folder>/shared_prefs/MarketDao.xml
- <Package Folder>/shared_prefs/MarketDao.xml.bak
- <Package Folder>/shared_prefs/NetworkConfigDao.xml
- <Package Folder>/shared_prefs/PhoneCheckDao.xml
- <Package Folder>/shared_prefs/PhoneCheckDao.xml.bak
- <Package Folder>/shared_prefs/SettingInfo.xml
- <Package Folder>/shared_prefs/TMSPropertiesAntitheftProperty.xml
- <Package Folder>/shared_prefs/TMSPropertiesIpDialProperty.xml
- <Package Folder>/shared_prefs/TMSPropertiesNetInterfaceManager.xml
- <Package Folder>/shared_prefs/TMSPropertiesnetworkload.xml
- <Package Folder>/shared_prefs/TMSPropertiesoperator_data_sync_setting.xml
- <Package Folder>/shared_prefs/TMSPropertiestms.xml
- <Package Folder>/shared_prefs/TMSPropertieswup.xml
- <Package Folder>/shared_prefs/TMSPropertieswup.xml.bak
- <Package Folder>/shared_prefs/TempRootHelper.xml
- <Package Folder>/shared_prefs/TempRootHelper.xml.bak
- <Package Folder>/shared_prefs/WLOGIN_DEVICE_INFO.xml
- <Package Folder>/shared_prefs/WiFiSilentDownloadConfig.xml
- <Package Folder>/shared_prefs/WiFiSilentDownloadConfig.xml.bak
- <Package Folder>/shared_prefs/account_misc.xml
- <Package Folder>/shared_prefs/catfish_sdk_config.xml
- <Package Folder>/shared_prefs/catfish_sdk_config.xml.bak
- <Package Folder>/shared_prefs/check_imsi.xml
- <Package Folder>/shared_prefs/conch_cache.xml
- <Package Folder>/shared_prefs/conch_cache.xml.bak
- <Package Folder>/shared_prefs/ctfactutlsp59.xml
- <Package Folder>/shared_prefs/daemon_config.xml
- <Package Folder>/shared_prefs/daemon_config.xml.bak
- <Package Folder>/shared_prefs/daemon_config.xml.bak (deleted)
- <Package Folder>/shared_prefs/db_kg_info.xml
- <Package Folder>/shared_prefs/db_kg_info.xml.bak
- <Package Folder>/shared_prefs/dtcof.xml
- <Package Folder>/shared_prefs/fixnt.xml
- <Package Folder>/shared_prefs/freq_ctrl_profile2.xml
- <Package Folder>/shared_prefs/freq_ctrl_profile4.xml
- <Package Folder>/shared_prefs/freq_ctrl_profile5.xml
- <Package Folder>/shared_prefs/freq_ctrl_profile6.xml
- <Package Folder>/shared_prefs/kingrootsdk.xml
- <Package Folder>/shared_prefs/kv_profile_sp_name.xml
- <Package Folder>/shared_prefs/last_time.dat.xml
- <Package Folder>/shared_prefs/meri_config.xml
- <Package Folder>/shared_prefs/meri_config.xml.bak
- <Package Folder>/shared_prefs/operator_data_sync.xml
- <Package Folder>/shared_prefs/pi_cloud_config.xml
- <Package Folder>/shared_prefs/pi_history.xml
- <Package Folder>/shared_prefs/pi_processmanagerud_setting.xml
- <Package Folder>/shared_prefs/prfle_cnfg_dao.xml
- <Package Folder>/shared_prefs/process_manager_dao.xml
- <Package Folder>/shared_prefs/profile_plugin_sp_name.xml
- <Package Folder>/shared_prefs/rqd.xml
- <Package Folder>/shared_prefs/rqd.xml.bak
- <Package Folder>/shared_prefs/sk.xml
- <SD-Card>/.tmfs/.QQSecureConfig2.dat
- <SD-Card>/.tmfs/filesafe_db.sqlite
- <SD-Card>/.tmfs/filesafe_db.sqlite-journal
- <SD-Card>/.tmfs/filesafe_deamon.d
- <SD-Card>/DCIM/####/sk_g.dat
- <SD-Card>/DCIM/####/sk_v.dat
- <SD-Card>/DCIM/.probe
- <SD-Card>/QQSecureDownload/.probe
- <SD-Card>/kr-stock-conf
- <SD-Card>/tencent/####/MjAxNzA3Mjc
- <SD-Card>/tencent/####/meta.dat
- <SD-Card>/tencent/####/record.dat
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /proc/cpuinfo
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/sh -c getprop ro.board.platform
- chmod 0755 /data/user/0/<Package>/applib/kd
- chmod 0755 <Package Folder>/applib/kd
- chmod 0771 <Package Folder>/applib
- chmod 755 <Package Folder>/files/xdm
- getprop ro.board.platform
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.product.cpu.abi2
- grep xdm
- ls -lZ <Package Folder>/app_krdir/
- pgrep xdm
- pidof xdm
- ps
- ps xdm
- service list
- sh
- sh -c ps | grep xdm
- su -v
Загружает динамические библиотеки:
- Beacon
- NativeRQD
- bumblebee-1.0
- kk-1.0
- libTms2-Ams-1.4.7
- libTmsdk-2.2.0
- libkrsdk.1.0.164
- uugen-1.0
- wtecdh
- xy
Использует следующие алгоритмы для шифрования данных:
- AES
- AES-CBC-PKCS5Padding
- DES-CBC-PKCS5Padding
- RSA-ECB-PKCS1Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS5Padding
- DES-CBC-PKCS5Padding
Осуществляет доступ к интерфейсу камеры
Осуществляет доступ к информации о телефоне (номер, imei и тд.)
Осуществляет доступ к информации о настроках APN
Осуществляет доступ к информации об установленных приложениях
Осуществляет доступ к информации о запущенных приложениях
Осуществляет доступ к информации о зарегистрированных на устройстве аккаунтах (Google, Facebook и тд.)
Добавляет задания в системный планировщик
Отрисовывает собственные окна поверх других приложений
Парсит информацию из смс сообщений
Осуществляет доступ к информации о входящих/исходящих звонках
Осуществляет доступ к информации об отправленых/принятых смс
