Android.SmsSend.20180

Добавлен в вирусную базу Dr.Web: 2017-06-25

Описание добавлено: 2017-06-26

Technical information

Malicious functions:

Sends SMS messages:

106575206321505460: dyl#null,<IMEI>,6000122-1-1-a91483132-0
10691009: @8DYL#null,<IMEI>,6000122-1-1-a91483132-0

Executes code of the following detected threats:

Android.Triada.226.origin
Android.Triada.248.origin

Downloads the following detected threats from the Web:

Android.Triada.226.origin
Android.Triada.248.origin

Sends data on received text messages to remote host.

Network activity:

Connecting to:

1####.####.111
1####.####.111:8001
1####.####.121:9999
1####.####.238
1####.####.238:8977
a####.####.com
col####.####.com
huangda####.com
i####.####.com:10003
o####.####.com
p####.####.com
re####.####.com
re####.####.com:10002
s####.####.com

HTTP GET requests:

1####.####.111/APP/AppTask.aspx
1####.####.111:8001/GetMobile/MatchingMobile.aspx?IMSI=####&IMEI=####&Ti...
1####.####.121:9999/SdkServer/log/exception?data=####
1####.####.238/dex/version.txt
1####.####.238:8977/dex/version.txt
huangda####.com/apk!requestApkLog.action?provider=####&reqType=####&resu...
p####.####.com/cityjson?ie=####
re####.####.com/v1/sdk/init?net_name=####&imei=####&package_name=####&sd...
re####.####.com:10002/v1/sdk/init?net_name=####&imei=####&package_name=#...

HTTP POST requests:

a####.####.com/app_logs
col####.####.com/pay-data-collect/collectAppStartUserData.json
i####.####.com:10003/v2/chis
o####.####.com/v2/get_update_time
s####.####.com/pay-sms-access//uploadSmsDetailInfo.json?

Modified file system:

Creates the following files:

<Package Folder>/app_dexlm/classes.dex
<Package Folder>/app_dexlm/classes.jar
<Package Folder>/app_tpservice/qsha_80001_5096.dex
<Package Folder>/app_twservice/tw.dex
<Package Folder>/cache/####/crash-1496212868930.log
<Package Folder>/cache/####/crash-1496212888200.log
<Package Folder>/databases/.fb
<Package Folder>/databases/.fb-journal
<Package Folder>/databases/cc.db
<Package Folder>/databases/cc.db-journal
<Package Folder>/databases/recordInfo-journal
<Package Folder>/databases/sy_pay_record-journal
<Package Folder>/databases/ua.db
<Package Folder>/databases/ua.db-journal
<Package Folder>/databases/webview.db-journal
<Package Folder>/files/####/24oC9kq5nSQDyeR9.dex
<Package Folder>/files/####/24oC9kq5nSQDyeR9.zip
<Package Folder>/files/####/HU_z1j6jnXo-gRyIG0zAVg==
<Package Folder>/files/####/NOTMY0MOJ2mAjIQUUt_Y2g==
<Package Folder>/files/####/exchangeIdentity.json
<Package Folder>/files/####/feOsRFzM_WfYm6ZQoJlYsw==
<Package Folder>/files/####/jcfqoHjWgwUU8EKz
<Package Folder>/files/####/onib_clz.jar
<Package Folder>/files/####/plus.jar
<Package Folder>/files/####/qemkaq_f.dex
<Package Folder>/files/####/qemkaq_f.zip
<Package Folder>/files/####/y5tgfdFoHLv95CR88mFlPw==.new
<Package Folder>/files/.imprint
<Package Folder>/files/1.0.1-7112.stacktrace
<Package Folder>/files/buck.conf
<Package Folder>/files/exid.dat
<Package Folder>/files/plus.dex
<Package Folder>/files/rdata_comvmnesdfw
<Package Folder>/files/rdata_comvmnesdfw.new
<Package Folder>/files/umeng_it.cache
<Package Folder>/shared_prefs/Alvin2.xml
<Package Folder>/shared_prefs/ContextData.xml
<Package Folder>/shared_prefs/jmsdk.dat.xml
<Package Folder>/shared_prefs/onlineconfig_agent_online_setting_<Package>.xml
<Package Folder>/shared_prefs/p_config.xml
<Package Folder>/shared_prefs/pretw.xml
<Package Folder>/shared_prefs/pretw.xml.bak (deleted)
<Package Folder>/shared_prefs/pz_sharedpre_cmreaderlogininfo.xml
<Package Folder>/shared_prefs/sy_pay_config.xml
<Package Folder>/shared_prefs/sy_pay_config.xml.bak
<Package Folder>/shared_prefs/tpservices.xml
<Package Folder>/shared_prefs/umeng_general_config.xml
<Package Folder>/shared_prefs/version.dat.xml
<Package Folder>/shared_prefs/zzconfig.xml
<SD-Card>/.DataStorage/ContextData.xml
<SD-Card>/.UTSystemConfig/####/Alvin2.xml
<SD-Card>/.tpservice/####/qsha_80001_5096.jar
<SD-Card>/.twservice/####/tw
<SD-Card>/.twservice/qshp_3003_2272.zip
<SD-Card>/CrashLog/WyyyCrashLog_20170531064128_2267.log

Miscellaneous:

Executes next shell scripts:

<dexopt>
cat /proc/version
cat /sys/block/mmcblk0/device/cid
sh -c cat /proc/version

Uses special library to hide executable bytecode.

Технологии

Термины

Обучение и просвещение

Мифы

Technical information

Рекомендации по лечению

Демо бесплатно на 14 дней