Android.SmsSend.21304

Technical information

Malicious functions:

Sends SMS messages:

106575206321505460: dyl#null,<IMEI>,6000076-1-142-exo_nsxss_1-0
106904006189121: myqxt<IMSI>
10691009: @8DYL#null,<IMEI>,6000076-1-142-exo_nsxss_1-0
106912114516416: <IMSI>A
12306: 999

Executes code of the following detected threats:

Android.Exploit.52
Android.SmsSend.21072
Android.Triada.170
Android.Triada.235.origin
Android.Triada.247.origin
Android.Triada.248.origin
Tool.SilentInstaller.3.origin

Gains access to the ITelephony private interface.

Intercepts incoming SMS messages and terminates the process of their transmission to handlers of other applications.

Network activity:

Connecting to:

1####.####.102:1234
a####.####.com:12580
col####.####.com
d####.####.com
d####.####.com:8080
h####.####.com
huangda####.com
m####.####.com
p####.####.com
p####.####.com:7820
pass####.####.cn
pus####.####.cn
s####.####.com
t####.####.com
up####.####.info
up####.####.info:6020

HTTP GET requests:

1####.####.102:1234/plugin_VA4.2.13.jar
a####.####.com:12580/log2?c=####
d####.####.com/upload/plugin/net.tt.plugin.myadv_p20170525153846
d####.####.com:8080/upload/plugin/net.tt.plugin.utadv_p20170707095714
h####.####.com/v.gif?ct=####&logFrom=####&cst=####&logInfo=####&logExtra...
huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
m####.####.com/static/tj.gif?time=####
p####.####.com/?igtcmd%####
pass####.####.cn/client/authRequest
pus####.####.cn/czfiles/uap
s####.####.com/GetFeeData.aspx
s####.####.com/SdkNotity.aspx?i=####&v=####&c=####&av=####&dm=####&t=###...
s####.####.com/common/openjs/openBox.js?_v=####
s####.####.com/static/wiseindex/img/w_icon2.png
t####.####.com/it/u=2417804973,22071572&fm=173&s=61A2D8595EE093661809EC0...

HTTP POST requests:

col####.####.com/pay-sms-access//getAccessPayChannel.json
p####.####.com:7820/
up####.####.info/
up####.####.info:6020/

Modified file system:

Creates the following files:

<Package Folder>/Plugin/####/3e13784d-90cb-420c-b25a-643f358851e4.zip
<Package Folder>/Plugin/####/57CSXG4AkRf8mBYZ.zip
<Package Folder>/Plugin/####/67FrdcF4gl2hImERCnpAug==.new
<Package Folder>/Plugin/####/9d7a8faa-eb71-440d-acad-46c610d4f1bc.tmp
<Package Folder>/Plugin/####/DATA_DB-journal
<Package Folder>/Plugin/####/KooVrmclnZxDD3BodBEzDw==.new
<Package Folder>/Plugin/####/OcSDK_statistics_prom-journal
<Package Folder>/Plugin/####/Signature_0.key
<Package Folder>/Plugin/####/appStatus.xml
<Package Folder>/Plugin/####/base-1.apk
<Package Folder>/Plugin/####/base-1.dex
<Package Folder>/Plugin/####/config.xml
<Package Folder>/Plugin/####/d3fb719a-8e47-49b8-b80e-33736d652cf0.zip
<Package Folder>/Plugin/####/data.dat.tmp
<Package Folder>/Plugin/####/eOaNAKS7ZFL-EL5m7K1DVQ==
<Package Folder>/Plugin/####/edd7b088-f9fc-4981-995d-6178e5c51d9a.zip
<Package Folder>/Plugin/####/libgoldcoast.so
<Package Folder>/Plugin/####/n2-lXTPq9At8Dxrw
<Package Folder>/Plugin/####/ocean_primary_ad_sp.xml
<Package Folder>/Plugin/####/p_config.xml
<Package Folder>/Plugin/####/plugin.jar
<Package Folder>/Plugin/####/pretw.xml
<Package Folder>/Plugin/####/rdata_commanyanxinapk.new
<Package Folder>/Plugin/####/recordInfo-journal
<Package Folder>/Plugin/####/smsJx_v4.xml
<Package Folder>/Plugin/####/sy_pay_config.xml
<Package Folder>/Plugin/####/sy_pay_config.xml.bak (deleted)
<Package Folder>/Plugin/####/sy_pay_record-journal
<Package Folder>/Plugin/####/teakuw_f.zip
<Package Folder>/Plugin/####/twc.xml
<Package Folder>/Plugin/####/update.db
<Package Folder>/Plugin/####/update.db-journal
<Package Folder>/Plugin/####/webview.db-journal
<Package Folder>/Plugin/####/wochi_v4.db-journal
<Package Folder>/app_payload_lib/done
<Package Folder>/app_payload_lib/libcocos2dcpp.so
<Package Folder>/app_payload_lib/libcrypt_sign.so
<Package Folder>/app_payload_lib/libgoldcoast.so
<Package Folder>/app_payload_lib/libkjOnlinePay.so
<Package Folder>/cache/####/data_0
<Package Folder>/cache/####/data_1
<Package Folder>/cache/####/data_2
<Package Folder>/cache/####/data_3
<Package Folder>/cache/####/f_000001
<Package Folder>/cache/####/f_000002
<Package Folder>/cache/####/f_000003
<Package Folder>/cache/####/f_000004
<Package Folder>/cache/####/f_000005
<Package Folder>/cache/####/f_000006
<Package Folder>/cache/####/f_000007
<Package Folder>/cache/####/f_000008
<Package Folder>/cache/####/f_000009
<Package Folder>/cache/####/f_00000a
<Package Folder>/cache/####/f_00000b
<Package Folder>/cache/####/f_00000c
<Package Folder>/cache/####/f_00000d
<Package Folder>/cache/####/f_00000e
<Package Folder>/cache/####/f_00000f
<Package Folder>/cache/####/f_000010
<Package Folder>/cache/####/f_000011
<Package Folder>/cache/####/f_000012
<Package Folder>/cache/####/f_000013
<Package Folder>/cache/####/f_000014
<Package Folder>/cache/####/f_000015
<Package Folder>/cache/####/f_000016
<Package Folder>/cache/####/f_000017
<Package Folder>/cache/####/f_000018
<Package Folder>/cache/####/f_000019
<Package Folder>/cache/####/f_00001a
<Package Folder>/cache/####/f_00001b
<Package Folder>/cache/####/f_00001c
<Package Folder>/cache/####/f_00001d
<Package Folder>/cache/####/f_00001e
<Package Folder>/cache/####/f_00001f
<Package Folder>/cache/####/index
<Package Folder>/databases/webview.db-journal
<Package Folder>/databases/webviewCookiesChromium.db-journal
<Package Folder>/files/0fbe2c48.apk
<Package Folder>/files/dp.apk
<Package Folder>/files/fbb095988463206041046531b964d736.apk
<Package Folder>/files/net.tt.plugin.damai.apk
<Package Folder>/files/net.tt.plugin.miwan (deleted)
<Package Folder>/files/net.tt.plugin.miwan.apk
<Package Folder>/files/net.tt.plugin.myadv (deleted)
<Package Folder>/files/net.tt.plugin.myadv.apk
<Package Folder>/files/net.tt.plugin.mysdk (deleted)
<Package Folder>/files/net.tt.plugin.mysdk.apk
<Package Folder>/files/net.tt.plugin.shangan (deleted)
<Package Folder>/files/net.tt.plugin.shangan.apk
<Package Folder>/files/net.tt.plugin.taiku.apk
<Package Folder>/files/net.tt.plugin.utadv (deleted)
<Package Folder>/files/net.tt.plugin.utadv.apk
<Package Folder>/files/net.tt.plugin.yiyou (deleted)
<Package Folder>/files/net.tt.plugin.yiyou.apk
<Package Folder>/files/net.tt.plugin.yufeng.apk
<Package Folder>/files/net.tt.plugin.zhongzhi.apk
<Package Folder>/files/u.apk
<Package Folder>/shared_prefs/session.xml
<SD-Card>/.d080d3a37b0be7bc7c15c0a5ac76bc64/####/c7709590-280c-4186-9419-5689bc5d2425.zip
<SD-Card>/.d080d3a37b0be7bc7c15c0a5ac76bc64/.config
<SD-Card>/.tpservice/####/qsha_80001_5096.jar
<SD-Card>/.twservice/####/tw
<SD-Card>/.twservice/qshp_3003_2272.zip
<SD-Card>/com.zckj.files/u.apk

Miscellaneous:

Executes next shell scripts:

/data/data/vsc.ghxklcevun.jexovsz.aqolugcpt/Plugin/net.tt.plugin.utadv/data/net.tt.plugin.utadv/code-2897417/98yrN6pnyVgK_kW9 -p net.tt.plugin.utadv -c com.manyanxin.apk.vuvug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
/system/bin/netcfg
cat /proc/version
cat /sys/block/mmcblk0/device/cid
chmod -R 755 /data/data/vsc.ghxklcevun.jexovsz.aqolugcpt/Plugin
chmod -R 755 <Package Folder>/Plugin
sh <Package Folder>/Plugin/net.tt.plugin.utadv/data/net.tt.plugin.utadv/code-2897417/98yrN6pnyVgK_kW9 -p net.tt.plugin.utadv -c com.manyanxin.apk.vuvug.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung

Loads the following dynamic libraries:

imsjdewr
puqkesrc

Uses the following algorithms to encrypt data:

DES-ECB-NoPadding
RSA-ECB-PKCS1Padding

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding
DES
DES-ECB-NoPadding

Gains access to geolocation.

Gains access to network information.

Gains access to telephone information (number, imei, etc.).

Gains access to information about installed applications.

Gains access to information about running applications.

Adds tasks to the system scheduler.

Displays its own windows over windows of other applications.

Parses information from SMS messages.

Gains access to information about sent/received SMS messages.

Technologies

Begriffe

Schulung und Training

Mythen

Technical information

Curing recommendations

Free trial