本帖最后由 神迹般存在 于 2016-1-21 20:06 编辑
这是我在同学群上截获的样本!十分危险,现在还在广泛传播!Android样本一枚,各位来玩玩。
下载链接:http://url.cn/WsgEdz(解压密码:infected)
VT分析:https://www.virustotal.com/zh-cn ... nalysis/1453375523/
哈勃高级用户分析结果:
[mw_shl_code=css,true]基本信息
文件名称:
mk4.apk
MD5值: 07af2c9a16c26a9c1f4a11c0aa932b85
文件大小: 2.75MB
上传时间: 2016-01-21 19:52:03
包名: com.netway.gamehelper
最低运行环境: Android 2.2.x
版权:
NetWay
图标:
网络行为
行为描述: 访问网络
详情信息:
host:42.96.251.144 port:80
行为描述: 获取网络状态信息
详情信息:
NetworkInfo: type: WIFI[], state: CONNECTED/CONNECTED, reason: (unspecified), extra: freewifi, roaming: false, failover: false, isAvailable: true
NetworkInfo: type: mobile[UMTS], state: DISCONNECTED/DISCONNECTED, reason: dataDisabled, extra: epc.tmobile.com, roaming: false, failover: false, isAvailable: true, NetworkInfo: type: wifi[], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: false, NetworkInfo: type: mobile_mms[UMTS], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: true, NetworkInfo: type: mobile_supl[UMTS], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: true, NetworkInfo: type: mobile_hipri[UMTS], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: true, NetworkInfo: type: mobile_fota[UMTS], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: true, NetworkInfo: type: mobile_ims[UMTS], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: true, NetworkInfo: type: mobile_cbs[UMTS], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: true, NetworkInfo: type: wifi_p2p[], state: UNKNOWN/IDLE, reason: (unspecified), extra: (none), roaming: false, failover: false, isAvailable: false
行为描述: 初始化URL
详情信息:
u'http://42.96.251.144/netway/android/myapp/index.php?act=selfstart_initdata&v=151VmUzRWxqcXYyQjQ5bjh2dW01SSt2TDRERHI2cG1HeUpCYTk3Z1hiZmNtMTI3Y3JPRnd3NkkrUVl4\nQ2VLNEhrdgo=\n'
文件行为
行为描述: 读取文件
详情信息:
path:/system/build.prop length:6
path:/system/build.prop length:5
path:/proc/cpuinfo length:69
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:69
path:/mnt/sdcard/Android/data/com.netway.gamehelper/cache/uil-images/journal length:36
path:/mnt/sdcard/Android/data/com.netway.gamehelper/cache/uil-images/journal length:5
行为描述: 加载链接库文件
详情信息:
/data/data/com.netway.gamehelper/files/libjiagu.so
行为描述: 模拟器驱动文件初始化
详情信息:
/proc/cpuinfo
行为描述: 读取sdcard
详情信息:
path:/mnt/sdcard/Android/data/com.netway.gamehelper/cache/uil-images/journal
行为描述: 缓冲区读取一行数据
详情信息:
Processor : ARMv7 Processor rev 0 (v7l)
ttkp_4:10283
行为描述: 写入文件
详情信息:
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:69
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:66
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:68
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:64
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:62
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:60
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:61
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:67
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:65
path:/data/data/com.netway.gamehelper/files/libjiagu.so length:63
path:/mnt/sdcard/Android/data/com.netway.gamehelper/cache/uil-images/journal.tmp length:36
path:/data/data/com.netway.gamehelper/shared_prefs/umeng_general_config.xml length:261
path:/data/data/com.netway.gamehelper/files/umeng_it.cache length:67
path:/data/data/com.netway.gamehelper/files/.um/um_cache_1439264645708.env length:69
path:/data/data/com.netway.gamehelper/shared_prefs/gamehelper.xml length:105
行为描述: 写入sdcard
详情信息:
path:/mnt/sdcard/Android/data/com.netway.gamehelper/cache/uil-images/journal.tmp
隐私行为
行为描述: 获取当前连接的Wifi热点信息
详情信息:
N/A
行为描述: 获取用户ID
详情信息:
460000043140572
行为描述: 获取设备ID
详情信息:
357143040944263
服务行为
行为描述: 启动服务
详情信息:
{"FLAG":0,"COMPONENT_NAME":"ComponentInfo{com.netway.gamehelper\/com.netway.gamehelper.service.CoreService}"}
行为描述: 获取运行service
详情信息:
u'2147483647'
广播行为
行为描述: 注册广播接收器
详情信息:
u'com.netway.gamehelper.service.CoreService$a@41500bc8', u'android.content.IntentFilter@41502580'
行为描述: 调用Intent的setAction
详情信息:
u'com.datouniao.AdPublisher.service.check'
其他行为
行为描述: 解析通用资源标识符
详情信息:
content://media/internal/images/media
content://media/external/images/media
行为描述: Android运行时错误
详情信息:
E/AndroidRuntime( 1683): FATAL EXCEPTION: Thread-83
E/AndroidRuntime( 1683): java.lang.NullPointerException
E/AndroidRuntime( 1683): at com.netway.gamehelper.l.q.a(SystemMediaStore.java:22)
E/AndroidRuntime( 1683): at com.netway.gamehelper.service.e.run(CutImageService.java:107)
E/AndroidRuntime( 1683): at java.lang.Thread.run(Thread.java:856)
行为描述: 读取系统设置
详情信息:
u'android.app.ContextImpl$ApplicationContentResolver@414cb3b0', u'android_id'
u'android.app.ContextImpl$ApplicationContentResolver@4153ba18', u'font_scale'
u'android.app.ContextImpl$ApplicationContentResolver@414cb3b0', u'sound_effects_enabled'
行为描述: 数据库查询
详情信息:
u'app_info', u'null', u'null', u'null', u'null', u'null', u'null'
u'install_status', u'null', u'status=?', u'[1]', u'null', u'null', u'null'
行为描述: 窗口信息
详情信息:
{"text": "友情提示", "class": "android.widget.TextView"}
{"text": "非常抱歉!检测到当前设备无网络,请检查并连接网络后再打开本应用", "class": "android.widget.TextView"}
{"text": "知道了", "class": "android.widget.Button"}
行为描述: 添加View
详情信息:
u'com.android.internal.policy.impl.PhoneWindow$DecorView@414d52a0', u'WM.LayoutParams{(0,0)(fillxfill) sim=#100 ty=1 fl=#1810100 pfl=0x8 wanim=0x1030001}', u'android.view.CompatibilityInfoHolder@414afa80'
u'com.android.internal.policy.impl.PhoneWindow$DecorView@41dad550', u'WM.LayoutParams{(0,0)(wrapxwrap) gr=#11 sim=#120 ty=2 fl=#1820002 pfl=0x8 fmt=-2 wanim=0x1030002}', u'android.view.CompatibilityInfoHolder@414afa80'
行为描述: 查询App共享数据
详情信息:
u'content://media/external/images/media', u'null', u'null', u'null', u'bucket_display_name'
行为描述: 循环任务
详情信息:
u'2', u'1042814', u'20000', u'PendingIntent{415361d8: android.os.BinderProxy@4155f958}'
行为描述: 初始化Intent
详情信息:
u'com.netway.gamehelper.LoadingActivity@41501600', u'class com.netway.gamehelper.service.CoreService'
u'android.os.Parcel@414ae040'
u'android.os.Parcel@414aee10'
u'android.os.Parcel@414ae000'
u'com.netway.gamehelper.app.SysApplication@414d3b48', u'class com.datouniao.AdPublisher.service.AppReceiver'
u'android.os.Parcel@414aee50'
文件列表
文件名 校验码
META-INF/MANIFEST.MF 0xa54eddcd
META-INF/SHUAZANK.SF 0x4a15fa06
META-INF/SHUAZANK.RSA 0x559e51c7
META-INF/ 0x0
AndroidManifest.xml 0x7d52b42a
assets/ 0x0
assets/com.tencent.open.config.json 0xb3d4a81a
assets/games.txt 0x7d553361
assets/img/ 0x0
assets/img/guide_00.jpg 0x7668f5c5
assets/img/guide_01.jpg 0x1f8ad892
assets/img/guide_02.jpg 0xb5ee1f9b
assets/libjiagu.so 0x2cc8a022
assets/libjiagu_x86.so 0x70e57ad
assets/libwbsafeedit 0xb05a63a9
assets/winads/ 0x0
assets/winads/offers/ 0x0
assets/winads/offers/winad_banner.png 0xb361cebe
assets/winads/offers/winad_exit.png 0x80b12ad4
assets/winads/offers/winad_loading.png 0x7302917e
assets/winads/offers/winad_next.png 0x998423a6
assets/winads/offers/winad_next_off.png 0xc2186c1d
assets/winads/offers/winad_out.png 0xe7b09f4
assets/winads/offers/winad_preview.png 0x47afa47a
assets/winads/offers/winad_preview_off.png 0x80e3db2b
assets/winads/offers/winad_refresh.png 0x4ac9093b
assets/winads/offers/winad_window_background.9.png 0x91bd4cc2
assets/winads/offers/winad_window_btn_close.png 0xc193678e
assets/winads/offers/winad_window_num_bg.png 0x6e92e56a
classes.dex 0xf31fe32
com/ 0x0
com/tencent/ 0x0
com/tencent/mm/ 0x0
com/tencent/mm/sdk/ 0x0
com/tencent/mm/sdk/platformtools/ 0x0
com/tencent/mm/sdk/platformtools/rep5402863540997075488.tmp 0x0
lib/ 0x0
lib/armeabi/ 0x0
lib/armeabi/libjiagu_art.so 0x0
org/ 0x0
org/apache/ 0x0
org/apache/http/ 0x0
org/apache/http/entity/ 0x0
org/apache/http/entity/mime/ 0x0
org/apache/http/entity/mime/version.properties 0x53e10a06
res/ 0x0
res/anim/ 0x0
res/anim/umeng_socialize_fade_in.xml 0xf2e7bdac
res/anim/umeng_socialize_fade_out.xml 0x19682b1d
res/anim/umeng_socialize_shareboard_animation_in.xml 0x5b62eaa8
Activities
活动名 类型
com.netway.gamehelper.LoadingActivity android.intent.action.MAIN
com.netway.gamehelper.LoadingActivity android.intent.category.LAUNCHER
com.tencent.tauth.AuthActivity android.intent.action.VIEW
com.tencent.tauth.AuthActivity android.intent.category.DEFAULT
com.tencent.tauth.AuthActivity android.intent.category.BROWSABLE
启动方式
名称 信息
net.youmi.android.AdReceiver 应用安装时启动服务
com.datouniao.AdPublisher.service.AppReceiver 应用安装时启动服务
com.datouniao.AdPublisher.service.AppReceiver 应用卸载时启动服务
权限列表
许可名称 信息
android.permission.BLUETOOTH_ADMIN 搜寻蓝牙设备
android.permission.BLUETOOTH 连接蓝牙设备
android.permission.WRITE_EXTERNAL_STORAGE 写外部存储器(如:SD卡)
android.permission.READ_EXTERNAL_STORAGE 读外部存储器(如:SD卡)
android.permission.CHANGE_NETWORK_STATE 变更网络状态
android.permission.CHANGE_WIFI_STATE 改变WIFI连接状态
android.permission.ACCESS_NETWORK_STATE 读取网络状态(2G或3G)
android.permission.ACCESS_WIFI_STATE 读取wifi网络状态
android.permission.READ_PHONE_STATE 读取电话状态
android.permission.INTERNET 连接网络(2G或3G)
android.permission.GET_TASKS 获取有关当前或最近运行的任务信息
android.permission.SYSTEM_ALERT_WINDOW 显示系统窗口
android.permission.READ_LOGS 读取系统日志
android.permission.CALL_PHONE 拨打电话
android.permission.ACCESS_FINE_LOCATION 获取精确的位置(通过GPS)
android.permission.ACCESS_COARSE_LOCATION 获取粗略的位置(通过wifi、基站)
android.permission.KILL_BACKGROUND_PROCESSES 关闭后台进程
android.permission.REORDER_TASKS 系统任务排序
android.permission.RECEIVE_BOOT_COMPLETED 接收开机启动广播
服务列表
名称
com.netway.gamehelper.service.DownloadAppService
com.netway.gamehelper.service.ListeningAppRunningService
com.netway.gamehelper.service.CoreService
com.netway.gamehelper.service.CoreService$KernelService
com.netway.gamehelper.service.CutImageService
net.youmi.android.AdService
net.youmi.android.ExpService
com.dlnetwork.DevNativeService
com.bb.dd.BDService
com.dianru.sdk.ProcessService
com.datouniao.AdPublisher.service.AdsService
广告信息
活动名 详情
net.youmi 有米广告
com.winad.android 赢告
漏洞风险列表
风险描述: Activity暴露风险
详情信息: Activity建议设置android:exported="false",或使用"signature"或"signatureOrSystem"级别的自定义权限进行保护,防止攻击者随意调用;必须暴露的组件需要严格校验输入参数。涉及class:com.tencent.tauth.AuthActivity,com.netway.gamehelper.wxapi.WXEntryActivity
风险描述: Service暴露风险
详情信息: Service建议设置android:exported="false",或使用"signature"或"signatureOrSystem"级别的自定义权限进行保护,防止攻击者随意调用;必须暴露的组件需要严格校验输入参数。涉及class:com.netway.gamehelper.service.CoreService,com.netway.gamehelper.service.CoreService$KernelService,com.netway.gamehelper.service.CutImageService
风险描述: BroadcastReceiver暴露风险
详情信息: BroadcastReceiver建议设置android:exported="false",或使用"signature"或"signatureOrSystem"级别的自定义权限进行保护,防止攻击者随意调用;必须暴露的组件需要严格校验输入参数。涉及class:net.youmi.android.AdReceiver,com.datouniao.AdPublisher.service.AppReceiver[/mw_shl_code]
运行截图:
KIS 2016 missed.
Have sent to Kaspersky Lab. |
发表于 2016-1-21 19:36:06
楼主
