HKTL_JUMAO

Once running, it listens to port 8585 to perform certain commands coming from a remote user. It also connects to the SQL server {BLOCKED}.{BLOCKED}.80.34 using particular credentials.

This hacking tool may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This hacking tool may be unknowingly downloaded by a user while visiting malicious websites.

NOTES:

Once running, it listens to port 8585 for the following commands coming from a remote user:

• _CON - sends control message to an IP (RF port) specified in the command
• _CTN - cotton control
• _CTNLIST - cotton state scan, list cotton from database
• _DOOR - door control
• _DOORLIST - door state scan, list doors from database
• _IP - similar to _CON
• _LOG - (Login) sends a list of server IP, video port, pan tilt port and RF port coming from a database
• _MAG - magnetic state scan, list magnetic sensor names from database
• _MOB - get list of phones
• _MOD - get current mode
• _MON - loads the following executable files then return the current port:
  • c:\Umao_Server\Launcher.exe
  • c:\Umao_Server\SaverTest.exe
• _MOVE - move sensor state scan, list move sensor names from database
• _NAM - update device name in database
• _PON - register phone
• _POS - get sales information of a phone number by connecting to the following URL:
  • http://www.{BLOCKED}s.co.kr/ANYPOS/DYENC.jsp?MOBILE={phone number}
• _REG - register device
• _RFINIT - initialize RF
• _SEN - monitor sensor events and list sensor/door name and time of activity, send the information to phone numbers obtained from the database using ./x_test.exe
• _SUBINIT - initialize remote controller