Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.269.origin
Сетевая активность:
Подключается к:
- daily####.####.com
- wsod####.com
- secur####.####.com
- sogot####.com
- w####.####.com:9001
- i####.####.com
- d####.####.cn
- s####.com
- google-####.com
- 1####.####.42:8008
- adc####.####.net
- w####.####.com
- a####.####.com
- y####.com
- googlet####.com
- pu####.####.net
- i####.####.cn
- u####.####.com
- be####.####.cn
Запросы HTTP GET:
- a####.####.com/resources/scripts/jquery-1.4.4.js
- secur####.####.com/v60.js
- i####.####.com/gb/ads/home/120_60/idx/2013/0612/U78P5010T4D32F32DT20130612030745.gif
- a####.####.com/embed/d2b88a582927eb1634402fb636420ccb/223.0.js.120x60/1489879703**;0,0,0;800x600x0.8100000023841858;http%3A_@2F_@2Fwww.sina.com_@2F_@3...
- daily####.####.com/gb/ads/www/120_60/3.js
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/images/AP_120x60_ScRQ_marquee_overlay_right.png
- i####.####.com/gb/ads/www/120_60/U78P5010T8D5F69DT20121025020307.jpg
- sogot####.com/zh-tw/landing/SogolandCPb.aspx?subid=####
- i####.####.cn/iplookup/iplookup.php?format=####
- s####.com/?/wm=####
- i####.####.com/gb/ads/www/120_60/U126P5010T8D4F69DT20140108081838.gif
- daily####.####.com/gb/ads/www/120_60/2.js
- daily####.####.com/gb/ads/www/120_60/7.js
- u####.####.com/pub/www/0908/Navi.gif
- d####.####.cn/shh/ws/2012/xb/gladnews_run.js
- adc####.####.net/pcs/click?xai=####&sig=####&adurl=####
- a####.####.com/view/d2b88a582927eb1634402fb636420ccb/223.398.2.120x60.1489879703.B721058cdc297c9789.6160.__624.0.vs-false/1485418644627.7793**;;
- i####.####.com/gb/ads/www/120_60/U126P5010T8D8F69DT20161004085049.jpg
- a####.####.com/rm/madview-b96839.js
- a####.####.com/embed/d2b88a582927eb1634402fb636420ccb/223.0.js.120x60/[::DOLLAR::]%7BCACHEBUSTER%7D?click=####
- daily####.####.com/gb/ads/www/120_60/8.js
- i####.####.com/gb/ads/home/120_60/idx/2016/0601/U126P5010T4D55F32DT20160601020742.gif
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/images/AP_120x60_ScRQ_marquee_overlay_left.png
- i####.####.com/gb/ads/www/120_60/U126P5010T8D7F69DT20170119073837.gif
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/css/AP_120x60_scRQ_style.css
- u####.####.com/assets/img/www/worldmap.jpg
- daily####.####.com/gb/ads/www/120_60/10.js
- pu####.####.net/gampad/clk?id=####&iu=####
- i####.####.com/gb/ads/www/120_60/U126P5010T8D11F69DT20170112040100.gif
- daily####.####.com/gb/ads/www/120_60/11.js
- secur####.####.com/storageframe.html
- i####.####.com/gb/ads/home/120_60/idx/2014/0710/U126P5010T4D12F32DT20140710020035.gif
- daily####.####.com/gb/ads/www/120_60/4.js
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/images/AP_120x60_ScRQ_purple_bkgd.png
- s####.com/favicon.ico
- be####.####.cn/a.gif?V=####&CI=####&PI=####&UI=####&EX=####&gUid_14####
- google-####.com/r/collect?v=####&_v=####&a=####&t=####&_s=####&dl=####&ul=####&de=####&dt=####&sd=####&sr=####&vp=####&je=####&_u=####&jid=####&gjid=#...
- googlet####.com/tag/js/gpt.js
- secur####.####.com/cgi-bin/m?rnd=####&ci=####&js=####&cg=####&ts=####&vn=####&cc=####&cd=####&ck=####&je=####&lg=####&si=####&sr=####&id=####
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/images/AP_120x60_ScRQ_time_icon.png
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/js/animation_script.js
- u####.####.com/assets/img/www/sina_id_www.gif
- i####.####.com/gb/ads/www/120_60/U126P5010T8D6F69DT20170317015228.gif
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/AP_120x60_scRQ_purple_CN.asp?click=/####&symbol=####&issue_type=####&name=####&wsodissue=####&pl...
- wsod####.com/creatives/8bec9b10/ads_AP/120x60_scRQ_HD/images/AP_120x60_ScRQ_arrows.png
- u####.####.com/assets/js/swfobject.js
- daily####.####.com/gb/ads/www/120_60/9.js
- google-####.com/analytics.js
- daily####.####.com/gb/ads/www/120_60/5.js
- secur####.####.com/cgi-bin/m?rnd=####&ci=####&js=####&cg=####&ts=####&vn=####&cc=####&cd=####&ck=####&je=####&lg=####&si=####&sr=####&id=####&ja=####
- daily####.####.com/gb/ads/common/floatingvideo.js
- u####.####.com/assets/img/www/bg_gradient.gif
- daily####.####.com/gb/ads/www/120_60/6.js
Запросы HTTP POST:
- w####.####.com/api/getCfg.jsp
- w####.####.com/api/uploadInstallApps.jsp
- w####.####.com/api/getInAppFull.jsp
- a####.####.com/V2/GetAD
- w####.####.com/api/getAlist.jsp
- w####.####.com/api/getLauncher.jsp
- y####.com/cu.ashx
- w####.####.com/api/getSI.jsp
- w####.####.com/api/getFallDown.jsp
- w####.####.com/api/getFloat.jsp
- w####.####.com/api/getStartPop.jsp
- w####.####.com:9001/api/getAreaId.jsp
- a####.####.com/V2/ReportAction
- 1####.####.42:8008/DispatchServer/Rcc
- w####.####.com/api/uploadSaleInfo.jsp
- w####.####.com/api/getInAppNonFull.jsp
- w####.####.com/api/getInAppFloat.jsp
- w####.####.com/api/getSlidingScreen.jsp
- w####.####.com/api/getStartNonFull.jsp
- w####.####.com/api/getStartDialog.jsp
- w####.####.com/api/getStartFull.jsp
- w####.####.com/api/getDtk.jsp
- w####.####.com/api/getSht.jsp
- w####.####.com/api/getNotification.jsp
- w####.####.com/api/getExit.jsp
- w####.####.com/api/getStartWin.jsp
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/shared_prefs/SDK.xml
- /data/data/####/shared_prefs/localtime.xml
- /sdcard/Android/data/system/cache/.hb/sihm_l_hb_t
- /data/data/####/files/1485418619399.jar
- /sdcard/Download/browser.ini
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/app_databases/localstorage/http_secure-us.imrworldwide.com_0.localstorage-journal
- /data/data/####/files/searchengines/yicha.png
- /data/data/####/files/quickbookmarks/taobao.com.png
- /data/data/####/files/80.tmp
- /sdcard/Android/data/system/cache/.hb/insifhbm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/insiohbm_l_hb_t
- /data/data/####/shared_prefs/BrowserSettings.xml.bak
- /data/data/####/cache/webviewCacheChromium/data_3
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/shared_prefs/areaInfo.xml
- /sdcard/Android/data/system/cache/.hb/ntbhbm_l_hb_t
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/databases/toolkit.db-journal
- /data/data/####/files/mobclick_agent_cached_####
- /data/data/####/files/1485418619304
- /sdcard/Android/data/system/cache/.hb/exthbm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/lauhbm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/IUhbm_l_hb_t
- /data/data/####/files/quickbookmarks/163.com.png
- /data/data/####/shared_prefs/mobclick_agent_state_####.xml
- /sdcard/Android/data/system/cache/.hb/DtkAdbm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/cfghbm_l_hb_t
- /data/data/####/biz_close.jar
- /data/data/####/databases/checkurl-journal
- /data/data/####/files/searchengines/yisou.png
- /data/data/####/files/quickbookmarks/sina.com.cn.png
- /sdcard/Android/data/system/cache/.hb/sdhbm_l_hb_t
- /data/data/####/shared_prefs/localtime.xml.bak
- /data/data/####/app_appcache/ApplicationCache.db-journal
- /data/data/####/shared_prefs/device.xml
- /data/data/####/files/quickbookmarks/youku.com.png
- /data/data/####/shared_prefs/mobclick_agent_header_####.xml
- /sdcard/Android/data/system/cache/.hb/sdhm_l_hb_t
- /data/data/####/shared_prefs/online.xml
- /data/data/####/databases/baidu_cnb-journal
- /data/data/####/files/searchengines/taobao.png
- /sdcard/Android/data/system/cache/.hb/sfhm_l_hb_t
- /data/data/####/databases/webview.db-journal
- /data/data/####/databases/downloads.db-journal
- /data/data/####/app_icons/WebpageIcons.db-journal
- /sdcard/llc/log/20170126AdRequest
- /data/data/####/cache/webviewCacheChromium/f_000001
- /data/data/####/shared_prefs/pp.xml.bak
- /data/data/####/cache/webviewCacheChromium/f_000003
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/cache/webviewCacheChromium/f_000005
- /data/data/####/cache/webviewCacheChromium/f_000004
- /data/data/####/shared_prefs/pp.xml
- /data/data/####/app_databases/localstorage/http_www.sina.com_0.localstorage-journal
- /sdcard/Android/data/system/cache/.hb/falhbm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/fhbm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/swhm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/insiwfhbm_l_hb_t
- /data/data/####/shared_prefs/globalParamFile.xml
- /sdcard/device
- /data/data/####/databases/webviewCookiesChromiumPrivate.db-journal
- /sdcard/Android/data/system/cache/.hb/snfhm_l_hb_t
- /sdcard/Android/data/system/cache/.hb/sihbm_l_hb_t
- /data/data/####/shared_prefs/mobclick_agent_online_setting_####.xml
- /data/data/####/files/quickbookmarks/vancl.png
- /data/data/####/shared_prefs/BrowserSettings.xml
- /data/data/####/files/searchengines/engines_1.xml
- /data/data/####/databases/browser.db-journal
- /data/data/####/files/searchengines/google.png
- /data/data/####/cache/webviewCacheChromium/index
- /data/data/####/files/searchengines/baidu.png
Другие:
Запускает следующие shell-скрипты:
- logcat -d -v raw -s AndroidRuntime:E -p ####
- logcat -c
Может автоматически отправлять СМС-сообщения.
