一个伪装为腾讯视频的木马病毒样本分析

530041979

今晚收到一条被拦截的短信，一看就是发送木马传播的，


用电脑打开上面的链接，果不其然！已经被浏览器拦截，不管他，下载样本开撸！

下载下来是个apk文件，我先上哈勃和virscan分析下：
哈勃结果：https://habo.qq.com/file/showdetail?pk=ADYGZF1tB2AIPVs0

virscan结果：http://r.virscan.org/report/c02300e1b7bfaa26e1bd35e9e289b767

我们在来看看木马里面的东东：
部分权限代码：

[Java] 纯文本查看 复制代码

<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:installLocation="internalOnly" package="cn.bjahsjdhs.lskjjdgsdd.lskoodksh.lskdllsasc" platformBuildVersionCode="21" platformBuildVersionName="APKIJAHSJHDSSWASAL">
    <uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_USER_PRESENT"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <application android:allowBackup="true" android:icon="@drawable/app_logo" android:label="@string/app_name" android:name="com.phone.stop.db.PhoneApplication" android:theme="@android:style/Theme.Black.NoTitleBar.Fullscreen">

再看看里面留的邮箱和密码；动手能力强的同学可以尝试变成自己的木马！

[Asm] 纯文本查看 复制代码

    iget-object v0, p0, Lcom/phone/stop/db/a;->b:Landroid/content/SharedPreferences;

    const-string v1, "a70"

    const-string v2, "xuhaojiesha@aliyun.com"

    invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences;->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    return-object v0
.end method

.method public i(Z)V
    .locals 2

    iget-object v0, p0, Lcom/phone/stop/db/a;->b:Landroid/content/SharedPreferences;

    invoke-interface {v0}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor;

    move-result-object v0

    const-string v1, "has_send_contacts"

    invoke-interface {v0, v1, p1}, Landroid/content/SharedPreferences$Editor;->putBoolean(Ljava/lang/String;Z)Landroid/content/SharedPreferences$Editor;

    invoke-interface {v0}, Landroid/content/SharedPreferences$Editor;->commit()Z

    return-void
.end method

.method public j()Ljava/lang/String;
    .locals 3

    iget-object v0, p0, Lcom/phone/stop/db/a;->b:Landroid/content/SharedPreferences;

    const-string v1, "a80"

    const-string v2, "aa895744"

    invoke-interface {v0, v1, v2}, Landroid/content/SharedPreferences;->getString(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    return-object v0

附带一个安卓权限大全介绍


下面就是样本，解压密码：52pojie.cn，喜欢专研的同学拿去继续撸

视频DJ0-病毒样本，解压密码：52pojie.cn.rar (222.74 KB, 下载次数: 300)

2016-10-8 20:29 上传

点击文件名下载附件
下载积分: 吾爱币 -1 CB

fresharplite

很好，分析不错

迁就阿

666666666666666666666666

破名字无语

这个很老了  还有人用啊

yuwen001

能防止这样的病毒不

530041979

yuwen001 发表于 2016-10-8 21:48
能防止这样的病毒不

不确定的网址不要点

zhaoweifu

  收下 等等拿来练手

Night丶呆

大牛收下我的膝盖

Hmily

过程还是有些简单，建议对代码进行详细分析，给出样本的恶意行为等。