Sunday, March 6, 2011

mmspicture.ru - mobile malware depot

Following a well known mailing list (clean-mx aka viruswatch) it was been retrieved the following URL:

http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB)

The JAR file is already detected from Virustotal. Playing a bit around the URL path is possible retrieve another JAR file:

http://mmspicture.ru/mms113/mms113.jar

The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this JAR file is not still known around. Anyway, what follows is just a quick analysis of the contents of this file. Open it with Java Decompiler appears like a canonical small JAR apps for mobiles devices (Midlet class):


The main class is named "b" and is extended from Canvas Java class:


As shown above is possible view some Cyrillic strings:


Is also show a reference to a stream (embedded in the JAR) named "info.dat". The code above use this file for decode the stream that as we'll see is the destination phone number of the data gathered from mobile devices. The "info.dat" contains the following string:  75;4x=1?==8:<95

I write a small Java app that use the code for decoding the stream:


The output revealed is the following:

The string obtained is the phone destination number used for receive SMS from the user mobile devices. The content of the SMS body is still under investigation. Probably it send entire phonebook as well the phone number could be a payment number. The SMS is send when the user accept to view the picture in the postcard ("card.png") embedded in the JAR. There is also a file named "readme" which contains an ICQ id:


In according with the countrycode.org web site (http://countrycode.org/russia) the number "+7 497 878542104" is a Russian phone number. Another detail is that the domain mmspicture.ru is attested on one IP (91.201.66.209) where is attested another interesting domain:

No comments:

Post a Comment