Android.SmsSpy.6254

Техническая информация

Вредоносные функции:

Загружает на исполнение код следующих детектируемых угроз:

Android.DownLoader.600.origin
Android.SmsSpy.677.origin

Сетевая активность:

Подключается к:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) aexcep####.b####.qq.com:8012
TCP(HTTP/1.1) and####.b####.qq.com:80
TCP(HTTP/1.1) 88####.net:88
TCP(HTTP/1.1) int.d####.s####.####.cn:80
TCP(HTTP/1.1) a####.b####.qq.com:8011
TCP(HTTP/1.1) cdn.disp####.spcd####.com:80
TCP(HTTP/1.1) p4####.b0.upa####.com:80

Запросы DNS:

1####.i####.com
88####.net
a####.b####.qq.com
aexcep####.b####.qq.com
and####.b####.qq.com
int.d####.s####.####.cn
p4####.b0.upa####.com

Запросы HTTP GET:

cdn.disp####.spcd####.com/ic.asp
int.d####.s####.####.cn/iplookup/iplookup.php?format=####
p4####.b0.upa####.com/web/ng/201612/111/360u3ODP.apk
p4####.b0.upa####.com/web/ng/201612/111/c/icon.jpg
p4####.b0.upa####.com/web/ng/201612/111/c/pic0.jpg
p4####.b0.upa####.com/web/ng/201709/455/2345SCa0S_292293.apk
p4####.b0.upa####.com/web/ng/201709/455/c/icon.png
p4####.b0.upa####.com/web/ng/201709/455/c/pic0.jpg
p4####.b0.upa####.com/web/ng/201710/484/MagictceuL.apk
p4####.b0.upa####.com/web/ng/201710/484/c/icon.png
p4####.b0.upa####.com/web/ng/201710/484/c/pic0.jpg

Запросы HTTP POST:

88####.net:88/game/centerbanner2.do?ver=####
88####.net:88/game/open.do
88####.net:88/game/start.do?ver=####
a####.b####.qq.com:8011/rqd/async
aexcep####.b####.qq.com:8012/rqd/async
and####.b####.qq.com/rqd/async

Изменения в файловой системе:

Создает следующие файлы:

<Package Folder>/cache/833696ca70b46c69cce931738f21d402.jar
<Package Folder>/databases/bugly_db_legu-journal
<Package Folder>/databases/download.db
<Package Folder>/databases/download.db-journal
<Package Folder>/databases/twsdk.db
<Package Folder>/databases/twsdk.db-journal
<Package Folder>/databases/webview.db-journal
<Package Folder>/files/####/1chg_b_ok0.png
<Package Folder>/files/####/2chg_b_ok0.png
<Package Folder>/files/####/3chg_b_ok0.png
<Package Folder>/files/####/GameLayer.csb
<Package Folder>/files/####/GiftLayer.csb
<Package Folder>/files/####/HelpLayer.csb
<Package Folder>/files/####/ImageFile.png
<Package Folder>/files/####/InfoLayer.csb
<Package Folder>/files/####/MainLayer.csb
<Package Folder>/files/####/ShopItemNode.csb
<Package Folder>/files/####/ShopLayer.csb
<Package Folder>/files/####/SkyPayInfo.xml
<Package Folder>/files/####/Sprite.png
<Package Folder>/files/####/TextAtlas.png
<Package Folder>/files/####/about_str.jpg
<Package Folder>/files/####/baidu
<Package Folder>/files/####/bg_cover.mp3
<Package Folder>/files/####/chg_b_cl.png
<Package Folder>/files/####/chg_b_ok0.png
<Package Folder>/files/####/chg_b_ok1.png
<Package Folder>/files/####/chg_gift0.png
<Package Folder>/files/####/chg_gift1.png
<Package Folder>/files/####/chg_gift2.png
<Package Folder>/files/####/chg_gift3.png
<Package Folder>/files/####/chg_gift4.png
<Package Folder>/files/####/chg_gift5.png
<Package Folder>/files/####/chg_gift6.png
<Package Folder>/files/####/chg_gift7.png
<Package Folder>/files/####/chg_gift8.png
<Package Folder>/files/####/chg_gift9.png
<Package Folder>/files/####/chg_kefu.png
<Package Folder>/files/####/chg_yuan.png
<Package Folder>/files/####/coin_y.png
<Package Folder>/files/####/coin_yuan.png
<Package Folder>/files/####/cover.jpg
<Package Folder>/files/####/cover_b0.png
<Package Folder>/files/####/cover_b1.png
<Package Folder>/files/####/cover_b2.png
<Package Folder>/files/####/cover_b3.png
<Package Folder>/files/####/cover_b4.png
<Package Folder>/files/####/cover_b5.png
<Package Folder>/files/####/cover_b6.png
<Package Folder>/files/####/cover_b8.png
<Package Folder>/files/####/cover_name.png
<Package Folder>/files/####/ef_burst.mp3
<Package Folder>/files/####/ef_button0.mp3
<Package Folder>/files/####/ef_fail.mp3
<Package Folder>/files/####/ef_kill.mp3
<Package Folder>/files/####/ef_succ.mp3
<Package Folder>/files/####/icon_coin.png
<Package Folder>/files/####/mall_b_all_01.png
<Package Folder>/files/####/mall_b_all_02.png
<Package Folder>/files/####/mall_b_close.png
<Package Folder>/files/####/mall_b_gold_add.png
<Package Folder>/files/####/mall_b_gold_bg.png
<Package Folder>/files/####/mall_b_got_01.png
<Package Folder>/files/####/mall_b_got_02.png
<Package Folder>/files/####/mall_bg.jpg
<Package Folder>/files/####/mall_skin_achi.png
<Package Folder>/files/####/mall_skin_bg0.png
<Package Folder>/files/####/mall_skin_bg1.png
<Package Folder>/files/####/mall_skin_btn0.png
<Package Folder>/files/####/mall_skin_btn1.png
<Package Folder>/files/####/mall_skin_btn2.png
<Package Folder>/files/####/mall_skin_btn3.png
<Package Folder>/files/####/mall_skin_locked.png
<Package Folder>/files/####/mall_skin_names.png
<Package Folder>/files/####/mall_title.png
<Package Folder>/files/####/mall_title_bg.png
<Package Folder>/files/####/num1.png
<Package Folder>/files/####/num10.png
<Package Folder>/files/####/num11.png
<Package Folder>/files/####/num2.png
<Package Folder>/files/####/num4.png
<Package Folder>/files/####/num5.png
<Package Folder>/files/####/num8.png
<Package Folder>/files/####/num9.png
<Package Folder>/files/####/over_b_back.png
<Package Folder>/files/####/over_b_replay.png
<Package Folder>/files/####/over_bg.png
<Package Folder>/files/####/over_title.png
<Package Folder>/files/####/particle_shape.png
<Package Folder>/files/####/pass_title.png
<Package Folder>/files/####/pause_b_0.png
<Package Folder>/files/####/pause_b_1.png
<Package Folder>/files/####/pause_b_2.png
<Package Folder>/files/####/pause_bg.png
<Package Folder>/files/####/run_b_burst.png
<Package Folder>/files/####/run_b_grow.png
<Package Folder>/files/####/run_b_invi.png
<Package Folder>/files/####/run_b_pause.png
<Package Folder>/files/####/run_bg.png
<Package Folder>/files/####/run_move_panel.png
<Package Folder>/files/####/run_move_point.png
<Package Folder>/files/####/run_rank_title.png
<Package Folder>/files/####/run_rank_top.png
<Package Folder>/files/####/run_score.png
<Package Folder>/files/####/setting_bg.png
<Package Folder>/files/####/setting_close.png
<Package Folder>/files/####/setting_sel.png
<Package Folder>/files/####/skin.plist
<Package Folder>/files/####/skin.png
<Package Folder>/files/####/skin_invi_bg.png
<Package Folder>/files/####/skin_invi_deco.plist
<Package Folder>/files/####/skin_invi_deco.png
<Package Folder>/files/####/skin_player_name.png
<Package Folder>/files/####/snake_Skin_1.png
<Package Folder>/files/####/snake_Skin_10.png
<Package Folder>/files/####/snake_Skin_11.png
<Package Folder>/files/####/snake_Skin_12.png
<Package Folder>/files/####/snake_Skin_13.png
<Package Folder>/files/####/snake_Skin_14.png
<Package Folder>/files/####/snake_Skin_15.png
<Package Folder>/files/####/snake_Skin_16.png
<Package Folder>/files/####/snake_Skin_17.png
<Package Folder>/files/####/snake_Skin_2.png
<Package Folder>/files/####/snake_Skin_3.png
<Package Folder>/files/####/snake_Skin_4.png
<Package Folder>/files/####/snake_Skin_5.png
<Package Folder>/files/####/snake_Skin_6.png
<Package Folder>/files/####/snake_Skin_7.png
<Package Folder>/files/####/snake_Skin_8.png
<Package Folder>/files/####/snake_Skin_9.png
<Package Folder>/files/####/statistic_info_bg.png
<Package Folder>/files/local_crash_lock
<Package Folder>/files/native_record_lock
<Package Folder>/files/security_info
<Package Folder>/mix.dex
<Package Folder>/shared_prefs/SP_REPLACE_CLASSLOADER_CLASS_NAME.xml
<Package Folder>/shared_prefs/sdk.xml
<Package Folder>/shared_prefs/userData.xml
<Package Folder>/tx_shell/libnfix.so
<Package Folder>/tx_shell/libshella-2.10.5.7.so
<Package Folder>/tx_shell/libufix.so
<SD-Card>/ImgCach/1d1ca0255ef0889a30b0bd5afca866bb.cach
<SD-Card>/ImgCach/39d0905aac7640878ead9cc97790f4a4.cach
<SD-Card>/ImgCach/64f683b3d456f7b058d1f50241bde0df.cach
<SD-Card>/ImgCach/69988bab8ff69a136cdbfac0efd57b5e.cach
<SD-Card>/ImgCach/7066ddc202dffeb16795ab26da5c9d84.cach
<SD-Card>/ImgCach/79c8b8eb75dc27a0f4a46c16da864da0.cach
<SD-Card>/tmp/####/1f26d4e4c212d4cad917bc73bc1cfd9a.sds
<SD-Card>/tmp/####/3277e08081eb849010f1206a8e060608.sds
<SD-Card>/tmp/####/98c309b4d0bbf2ec265b0502e1c19b63.sds

Другие:

Запускает следующие shell-скрипты:

/system/bin/sh -c getprop ro.aa.romver
/system/bin/sh -c getprop ro.board.platform
/system/bin/sh -c getprop ro.build.fingerprint
/system/bin/sh -c getprop ro.build.nubia.rom.name
/system/bin/sh -c getprop ro.build.rom.id
/system/bin/sh -c getprop ro.build.tyd.kbstyle_version
/system/bin/sh -c getprop ro.build.version.emui
/system/bin/sh -c getprop ro.build.version.opporom
/system/bin/sh -c getprop ro.gn.gnromvernumber
/system/bin/sh -c getprop ro.lenovo.series
/system/bin/sh -c getprop ro.lewa.version
/system/bin/sh -c getprop ro.meizu.product.model
/system/bin/sh -c getprop ro.miui.ui.version.name
/system/bin/sh -c getprop ro.vivo.os.build.display.id
/system/bin/sh -c type su
chmod 700 <Package Folder>/tx_shell/libnfix.so
chmod 700 <Package Folder>/tx_shell/libshella-2.10.5.7.so
chmod 700 <Package Folder>/tx_shell/libufix.so
chmod 777 /storage/emulated/0/tmp/<Package>/1f26d4e4c212d4cad917bc73bc1cfd9a.sds
chmod 777 /storage/emulated/0/tmp/<Package>/3277e08081eb849010f1206a8e060608.sds
chmod 777 /storage/emulated/0/tmp/<Package>/98c309b4d0bbf2ec265b0502e1c19b63.sds
getprop ro.aa.romver
getprop ro.board.platform
getprop ro.build.fingerprint
getprop ro.build.nubia.rom.name
getprop ro.build.rom.id
getprop ro.build.tyd.kbstyle_version
getprop ro.build.version.emui
getprop ro.build.version.opporom
getprop ro.gn.gnromvernumber
getprop ro.lenovo.series
getprop ro.lewa.version
getprop ro.meizu.product.model
getprop ro.miui.ui.version.name
getprop ro.vivo.os.build.display.id
getprop ro.yunos.version
logcat -d -v threadtime

Загружает динамические библиотеки:

Bugly
cocos2dcpp
libnfix
libshella-2.10.5.7
libufix
nfix
null
ufix

Использует специальную библиотеку для скрытия исполняемого байткода.

Осуществляет доступ к информации о телефоне (номер, imei и тд.).

Осуществляет доступ к информации о запущенных приложениях.

Отрисовывает собственные окна поверх других приложений.

Технологии

Термины

Обучение и просвещение

Мифы

Техническая информация

Рекомендации по лечению

Демо бесплатно на 14 дней