Technical information
Malicious functions:
Sends SMS messages:
- 106575206321505460: dyl#<IMEI>,<IMEI>,6000122-1-1-a91483080-0
- 12114: HZSY#<IMSI>
Network activity:
Connecting to:
- 1####.####.111
- 1####.####.111:8001
- 1####.####.121:9999
- 1####.####.238
- 1####.####.238:8977
- a####.####.com
- col####.####.com
- huangda####.com
- i####.####.com:10003
- mo####.####.com
- o####.####.com
- p####.####.com
- re####.####.com
- re####.####.com:10002
- s####.####.com
HTTP GET requests:
- 1####.####.111/APP/AppTask.aspx
- 1####.####.111:8001/APP/VersionCheck.aspx
- 1####.####.121:9999/SdkServer/log/exception?data=####
- 1####.####.238/dex/version.txt
- 1####.####.238:8977/dex/version.txt
- huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
- p####.####.com/cityjson?ie=####
- re####.####.com/v1/sdk/init?net_name=####&imei=####&package_name=####&sd...
- re####.####.com:10002/v1/sdk/init?net_name=####&imei=####&package_name=#...
HTTP POST requests:
- a####.####.com/app_logs
- col####.####.com/pay-data-collect/uploadClientCrashLog.json
- i####.####.com:10003/v2/chis
- mo####.####.com/mobile-service/getOpenImsiMobilePhone.json
- o####.####.com/v2/check_config_update
- s####.####.com/pay-sms-access//getAccessPayChannel.json
Modified file system:
Creates the following files:
- <Package Folder>/app_dexlm/classes.jar
- <Package Folder>/cache/####/crash-1496213074555.log
- <Package Folder>/cache/####/crash-1496213097220.log
- <Package Folder>/cache/####/crash-1496213106893.log
- <Package Folder>/databases/.fb
- <Package Folder>/databases/.fb-journal
- <Package Folder>/databases/cc.db
- <Package Folder>/databases/cc.db-journal
- <Package Folder>/databases/recordInfo-journal
- <Package Folder>/databases/sy_pay_record-journal
- <Package Folder>/databases/ua.db
- <Package Folder>/databases/ua.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/onib_clz.jar
- <Package Folder>/files/####/plus.jar
- <Package Folder>/files/.imprint
- <Package Folder>/files/1.0.1-6443.stacktrace
- <Package Folder>/files/exid.dat
- <Package Folder>/files/noend.ini
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/hunt.conf
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/dispatch_log.xml
- <Package Folder>/shared_prefs/jmsdk.dat.xml
- <Package Folder>/shared_prefs/onlineconfig_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/p_config.xml
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/pz_sharedpre_cmreaderlogininfo.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/version.dat.xml
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3003_2265.zip
Miscellaneous:
Executes next shell scripts:
- <dexopt>
- <error:2>
- cat /proc/version
- cat /sys/block/mmcblk0/device/cid
- getprop ro.build.product
- getprop ro.product.board
- getprop ro.product.brand
- getprop ro.product.device
- getprop ro.product.model
- sh -c cat /proc/cpuinfo
- sh -c cat /proc/tty/drivers
- sh -c ggetprop ro.hardware
- zniu -c id
Uses special library to hide executable bytecode.
