Technical information
Malicious functions:
Sends SMS messages:
- 106575206321505460: dyl#null,<IMEI>,6000182-1-70714-ZZ_default-0
- 10691009: @8DYL#null,<IMEI>,6000182-1-70714-ZZ_default-0
- 106912114516412: systemcGx1dG8yNTAwMjY2OTkxODc3NDM=
- 106912114: HZSY#<IMSI>
Executes code of the following detected threats:
- Android.SmsSend.1848.origin
- Android.SmsSend.1848.origin
- Android.SmsSend.1848.origin
- Android.SmsSend.1893.origin
- Tool.Rooter.43.origin
Downloads the following detected threats from the Web:
- Android.SmsSend.1848.origin
- Android.SmsSend.1848.origin
- Android.SmsSend.1848.origin
- Android.SmsSend.1893.origin
- Tool.Rooter.43.origin
Network activity:
Connecting to:
- 1####.####.185
- 1####.####.185:28018
- 1####.####.25
- 1####.####.25:28018
- 1####.####.4:28018
- a####.####.com
- a####.####.com:6099
- a####.####.com:8011
- a####.####.site
- a####.####.site:8090
- aexcep####.####.com
- aexcep####.####.com:8012
- and####.####.com
- huangda####.com
- l####.####.com
- p####.####.cn
- sm####.####.com
HTTP GET requests:
- 1####.####.185/update/100.zip
- 1####.####.185:28018/update/101_m.zip
- 1####.####.25/kr/krsf.jsp?m=####&a=####&e=####
- 1####.####.25:28018/kr/p.jsp?m=####&l=####
- 1####.####.4:28018/update/updateclz.zip
- a####.####.com/sunnyinit302?channel=####&imsi=####&calltime=####&callcou...
- a####.####.com:6099/sunnyinit302?channel=####&imsi=####&calltime=####&ca...
- a####.####.site/afee?cpid=####&appfee_id=####&fee=####&smsc=####&imsi=##...
- a####.####.site:8090/phoneget?cpid=####&ismi=####&calltime=####&callcoun...
- huangda####.com/active!activeLog.action?provider=####&clickId=####&manu=...
- sm####.####.com/checkVer144.php?os=####
HTTP POST requests:
- a####.####.com/app_logs
- a####.####.com:8011/rqd/async
- aexcep####.####.com/rqd/async
- aexcep####.####.com:8012/rqd/async
- and####.####.com/rqd/async
- l####.####.com/wxqk/hmAdd
- p####.####.cn/index.php/API
- sm####.####.com/pay-sms-access//uploadSmsDetailInfo.json?
Modified file system:
Creates the following files:
- <Package Folder>/app_apCoreplugn/####/plugin-20170330-2.1.9-release.bin
- <Package Folder>/app_apCoreplugn/map.apk
- <Package Folder>/app_apCoreplugn/sm.apk
- <Package Folder>/app_krsdk/__krsdk.res__
- <Package Folder>/app_krsdk/kd
- <Package Folder>/app_krsdk/krmain_1
- <Package Folder>/app_krsdk/krsdk.res
- <Package Folder>/app_krsdk/libkrsdk.1.0.154.so
- <Package Folder>/app_krsdk/mybm.dex.dex (deleted)
- <Package Folder>/app_krsdk/mybm.dex.jar
- <Package Folder>/app_krsdk/test.apk
- <Package Folder>/app_krsdk/v
- <Package Folder>/app_krsdk/zTmp3_100
- <Package Folder>/app_krsdk/zTmp3_101_m
- <Package Folder>/app_krsdk/zTmp3_running.png
- <Package Folder>/app_my_dex/entrance.dex
- <Package Folder>/app_my_dex/tmb.dex
- <Package Folder>/app_p_dex/ppj.dex
- <Package Folder>/app_plugin_dir/####/base-1.apk
- <Package Folder>/app_plugin_dir/####/base-1.dex
- <Package Folder>/app_slog/actsts
- <Package Folder>/app_tmp/dkx
- <Package Folder>/app_tmp/kx.dex
- <Package Folder>/app_tmp/tkx (deleted)
- <Package Folder>/app_tpservice/qsha_80001_5096.dex
- <Package Folder>/app_twservice/tw.dex
- <Package Folder>/baea/entrance.jar
- <Package Folder>/baea/tmb.jar
- <Package Folder>/cache/map.apk.apk
- <Package Folder>/cache/sm.apk.apk
- <Package Folder>/databases/MA_epay_db
- <Package Folder>/databases/MA_epay_db-journal
- <Package Folder>/databases/bil_db
- <Package Folder>/databases/bil_db-journal
- <Package Folder>/databases/bugly_db_legu
- <Package Folder>/databases/bugly_db_legu-journal
- <Package Folder>/databases/com.souying.pay.plugmain_sy_pay_record
- <Package Folder>/databases/com.souying.pay.plugmain_sy_pay_record-journal
- <Package Folder>/databases/mp.db
- <Package Folder>/databases/mp.db-journal
- <Package Folder>/databases/p2_epay_db
- <Package Folder>/databases/p2_epay_db-journal
- <Package Folder>/databases/recordInfo
- <Package Folder>/databases/recordInfo-journal
- <Package Folder>/databases/sm.db
- <Package Folder>/databases/sm.db-journal
- <Package Folder>/databases/sy_pay_record-journal
- <Package Folder>/databases/webview.db
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/.imprint
- <Package Folder>/files/__rbpr_c_s__
- <Package Folder>/files/__rbpr_l_s__
- <Package Folder>/files/doup32
- <Package Folder>/files/i.sh
- <Package Folder>/files/kr-stock-conf
- <Package Folder>/files/local_crash_lock (deleted)
- <Package Folder>/files/native_record_lock (deleted)
- <Package Folder>/files/security_info
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/upnpclz.apk
- <Package Folder>/files/upnpclz.dex (deleted)
- <Package Folder>/files/vercheck1
- <Package Folder>/files/zTmp
- <Package Folder>/mix.dex
- <Package Folder>/mix.so
- <Package Folder>/plda/ppj.jar
- <Package Folder>/shared_prefs/CO_SPS.xml
- <Package Folder>/shared_prefs/SL_SPS.xml
- <Package Folder>/shared_prefs/TestinAgent.xml
- <Package Folder>/shared_prefs/b_setting.xml
- <Package Folder>/shared_prefs/b_setting.xml.bak
- <Package Folder>/shared_prefs/b_share.xml
- <Package Folder>/shared_prefs/com.souying.pay.plugmain_p_config.xml
- <Package Folder>/shared_prefs/com.souying.pay.xml
- <Package Folder>/shared_prefs/cpMsg.xml
- <Package Folder>/shared_prefs/device_id.xml.xml
- <Package Folder>/shared_prefs/edition.xml
- <Package Folder>/shared_prefs/ma_call.xml
- <Package Folder>/shared_prefs/ma_call.xml.bak
- <Package Folder>/shared_prefs/ma_data.xml
- <Package Folder>/shared_prefs/ma_data.xml.bak
- <Package Folder>/shared_prefs/ma_epay_share.xml
- <Package Folder>/shared_prefs/ma_epay_share.xml.bak
- <Package Folder>/shared_prefs/ma_phone.xml
- <Package Folder>/shared_prefs/ma_phone.xml.bak
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/new_vvsion.xml
- <Package Folder>/shared_prefs/nnt_data.xml
- <Package Folder>/shared_prefs/p2_call.xml
- <Package Folder>/shared_prefs/p2_data.xml
- <Package Folder>/shared_prefs/p2_data.xml.bak
- <Package Folder>/shared_prefs/p2_edition.xml
- <Package Folder>/shared_prefs/p2_epay_share.xml
- <Package Folder>/shared_prefs/p2_epay_share.xml.bak
- <Package Folder>/shared_prefs/plugins.installed.xml
- <Package Folder>/shared_prefs/plugins.serviceMapping.xml
- <Package Folder>/shared_prefs/pre_file_name.xml
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml
- <Package Folder>/shared_prefs/sy_pay_config.xml.bak
- <Package Folder>/shared_prefs/tpservices.xml
- <Package Folder>/shared_prefs/twc.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/tx_shell/libnfix.so
- <Package Folder>/tx_shell/libshella-2.10.4.1.so
- <SD-Card>/.tpservice/####/qsha_80001_5096.jar
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3003_2274.zip
- <SD-Card>/gooogle/userid.cfg
- <SD-Card>/kr-stock-conf
- <SD-Card>/krsdk_debug.txt
Miscellaneous:
Executes next shell scripts:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/sh
- /system/bin/sh -c getprop ro.aa.romver
- /system/bin/sh -c getprop ro.board.platform
- /system/bin/sh -c getprop ro.build.fingerprint
- /system/bin/sh -c getprop ro.build.nubia.rom.name
- /system/bin/sh -c getprop ro.build.rom.id
- /system/bin/sh -c getprop ro.build.tyd.kbstyle_version
- /system/bin/sh -c getprop ro.build.version.emui
- /system/bin/sh -c getprop ro.build.version.opporom
- /system/bin/sh -c getprop ro.gn.gnromvernumber
- /system/bin/sh -c getprop ro.lenovo.series
- /system/bin/sh -c getprop ro.lewa.version
- /system/bin/sh -c getprop ro.meizu.product.model
- /system/bin/sh -c getprop ro.miui.ui.version.name
- /system/bin/sh -c getprop ro.vivo.os.build.display.id
- /system/bin/sh -c type su
- <dexopt>
- <error:2>
- cat /proc/version
- cat /sys/block/mmcblk0/device/cid
- chmod 700 /data/data/com.cqdly008.jnbodf/tx_shell/libnfix.so
- chmod 700 /data/data/com.cqdly008.jnbodf/tx_shell/libshella-2.10.4.1.so
- chmod 700 /data/data/com.cqdly008.jnbodf/tx_shell/libufix.so
- chmod 700 <Package Folder>/tx_shell/libnfix.so
- chmod 700 <Package Folder>/tx_shell/libshella-2.10.4.1.so
- chmod 700 <Package Folder>/tx_shell/libufix.so
- chmod 755 <Package Folder>/app_krsdk/krmain_1
- chmod 755 <Package Folder>/files/
- chmod 777 <Package Folder>/files/doup32
- chmod 777 <Package Folder>/files/i.sh
- chmod 777 <Package Folder>/files/vercheck1
- getprop ro.aa.romver
- getprop ro.board.platform
- getprop ro.build.fingerprint
- getprop ro.build.nubia.rom.name
- getprop ro.build.rom.id
- getprop ro.build.tyd.kbstyle_version
- getprop ro.build.version.emui
- getprop ro.build.version.opporom
- getprop ro.gn.gnromvernumber
- getprop ro.lenovo.series
- getprop ro.lewa.version
- getprop ro.meizu.product.model
- getprop ro.miui.ui.version.name
- getprop ro.product.cpu.abi
- getprop ro.product.cpu.abi2
- getprop ro.vivo.os.build.display.id
- getprop ro.yunos.version
- logcat -d -v threadtime
- ls -al /data/data/.cpd
- ls -al /data/data/.cpd/cache
- ls -al /system/bin/bootdaemon
- ls -al /system/etc/init.d/bootdaemon.sh
- ls -al /system/etc/install-recovery.sh
- ls -lZ <Package Folder>/app_krsdk/
- ps
- rm -rf <Package Folder>/app_krsdk/
- sh
Uses special library to hide executable bytecode.
