Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 12114516412: systemcGx1dG8yNTAwMjY2OTkxODc3NDM=
Загружает на исполнение код следующих детектируемых угроз:
- Android.BackDoor.312
- Android.Backdoor.547.origin
Сетевая активность:
Подключается к:
- m####.####.net
- m####.####.net:5688
- reso####.####.com
- c####.####.net
- apm-col####.####.com
- p####.####.com
- 1####.####.com
- 2####.####.134:8080
- c####.####.com
- 1####.####.219
- w####.####.com
- 1####.####.45:10002
- p####.####.cn
- ne####.####.com
- res####.####.com
- i####.####.cn
- m####.####.cn
Запросы HTTP GET:
- ne####.####.com/appstore/img/52adaa0b266240a7b4a27ff9f34645c8.png
- ne####.####.com/appstore/img/fc84fb7c72b84e39b6e461f85f40567f.png
- ne####.####.com/wp-content/uploads/2016/10/79-300x165.jpg
- ne####.####.com/appstore/img/74aa287eb6e441e795c345a5716cc22f.png
- ne####.####.com/wp-content/uploads/2016/07/zsq81.jpg
- ne####.####.com/wp-content/uploads/2016/08/t1-1-300x143.jpg
- ne####.####.com/appstore/img/4ba8ca2d111349ce89c9355f45c20173.png
- ne####.####.com/appstore/pri/067e6dd210f842cfa57b17477ab3a517.apk
- c####.####.com/20170317/tongyu-pay-lib-2144.apk
- i####.####.cn/iplookup/iplookup.php?format=####
- ne####.####.com/wp-content/uploads/2016/11/z89-300x423.jpg
- ne####.####.com/appstore/img/05ac657d7e5d4aeabef29fb7ba71a548.png
- ne####.####.com/wp-content/uploads/2016/08/zsq1.jpg
- 1####.####.com/ic.asp
- p####.####.com/json2/visitor1.php?pay_Id=####&package=####&appid=####
- ne####.####.com/appstore/img/e780edf9a30742469921af970289f5a6.png
- ne####.####.com/appstore/img/b677ee318a194030b9c71be6e90188d5.png
- p####.####.com/json2/visitor3.php?pay_Id=####&package=####&appid=####&pa...
- ne####.####.com/wp-content/uploads/2016/07/zsq40.jpg
- ne####.####.com/appstore/img/fd9ebf2cfbc4499b9934c2ebef54047b.png
- res####.####.com/v3/ip?output=####&key=####
- ne####.####.com/appstore/img/408f3acccb52453891bc8801773a5739.png
- 1####.####.219/payConfig/sdkPriori.html
- ne####.####.com/wp-content/uploads/2016/07/zsq67.jpg
- ne####.####.com/wp-content/uploads/2016/07/zsq51.jpg
- ne####.####.com/wp-content/uploads/2016/11/t154-300x150.jpg
- m####.####.cn/mtin.db.meng.zip
- w####.####.com/rdo/order?mcpid=####&orderNo=####&feeCode=####&reqTime=##...
- ne####.####.com/wp-content/uploads/2016/10/63-300x165.jpg
- ne####.####.com/wp-content/uploads/2016/11/t153-300x147.jpg
- ne####.####.com/appstore/img/a43addd284844dd784c0ad0125934f68.png
- p####.####.com/handao_img/newsp/shikan_97.jpg
- ne####.####.com/wp-content/uploads/2016/08/t2-1-300x201.jpg
- ne####.####.com/wp-content/uploads/2016/10/t116-300x168.jpg
- p####.####.com/handao_img/newsp/shikan_81.jpg
- ne####.####.com/wp-content/uploads/2016/08/zsq13.jpg
- ne####.####.com/appstore/img/656c8fc67b60429489bce747bb82dcfd.png
- ne####.####.com/appstore/img/f1529b5d9f7f46eda4d75ecfcb614222.png
- p####.####.com/handao_img/newsp/shikan_153.jpg
- p####.####.com/json2/stat.php?pay_Id=####&package=####&appid=####&v=####...
- ne####.####.com/appstore/img/1b3e00ab08a7472fb873e62099d6b9f1.png
- ne####.####.com/appstore/img/56c7074b86ac4901bd2b2d4efc05e336.png
- ne####.####.com/appstore/img/4658f135ff3e4c82a700c4abac8b7076.jpg
- ne####.####.com/wp-content/uploads/2016/10/70-300x167.jpg
- p####.####.com/handao_img/newsp/shikan_101.jpg
- ne####.####.com/appstore/img/a7be2ff79ce14647a5f2c6729be55b57.png
- ne####.####.com/appstore/img/7e72d076c1ec49c19a7cb0a85940f137.png
- reso####.####.com/gslb/gslb/getbucket.asp
- p####.####.com/sdkMis/getRdoUrl
- ne####.####.com/wp-content/uploads/2016/11/z100-2-300x429.jpg
- w####.####.com/rdo/order/invalid;jsessionid=CE574084070350DB6FEC30F6A5A7...
- m####.####.cn/mtin.db.shcut.zip
- ne####.####.com/wp-content/uploads/2016/08/20161008165231-300x197.png
- ne####.####.com/wp-content/uploads/2016/08/zsq18.jpg
- w####.####.com/rdo/order/invalid;jsessionid=24A1722CEFCB69B27F56FDCA8097...
- ne####.####.com/wp-content/uploads/2016/11/t160-300x173.jpg
- ne####.####.com/wp-content/uploads/2016/07/zsq50.jpg
- ne####.####.com/wp-content/uploads/2016/07/zsq16-1.jpg
- ne####.####.com/wp-content/uploads/2016/11/z101-300x424.jpg
Запросы HTTP POST:
- p####.####.com/sdkMis/sdk-update
- 1####.####.45:10002/admgr/admgrsurvey.do
- p####.####.com/sdkMis/mobile-submit
- p####.####.cn/index.php/API
- m####.####.net:5688/
- apm-col####.####.com/cpi/crash
- 2####.####.134:8080/mtin/home
- p####.####.com/sdkMis/mobile-status-quo
- p####.####.com/sdkMis/init-submit
- m####.####.net/
- c####.####.net/cat.php/Cat/SCR?ver=####&tp=####
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/databases/MF_SQdb-journal
- /data/data/####/cache/picasso-cache/1dc34afd013a7a8400430b5dbffd68e3.0.tmp
- /data/data/####/shared_prefs/cpMsg.xml
- /sdcard/.4d02db8e14/.fsks
- /data/data/####/shared_prefs/initdata.xml
- /data/data/####/cache/picasso-cache/0c696ddf1df49b885b42535767d97338.1.tmp
- /data/data/####/shared_prefs/port.xml.bak
- /data/data/####/files/mobclick_agent_cached_####1000
- /data/data/####/cache/picasso-cache/ea2157a96806a15a984f3c720837d69a.0.tmp
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/cache/picasso-cache/e1e8723efe55a122327f82004d5f3ea5.0.tmp
- /sdcard/.4d02db8e14/float/4ba8ca2d111349ce89c9355f45c20173
- /data/data/####/cache/picasso-cache/ea2157a96806a15a984f3c720837d69a.1.tmp
- /data/data/####/databases/MF_STATS-journal
- /data/data/####/cache/picasso-cache/2863af5477fb7146b3bacc090a34df87.0.tmp
- /data/data/####/cache/picasso-cache/1a3e160c40b212065089e659771e0e7a.1.tmp
- /data/data/####/cache/picasso-cache/4281f2b0a1517ce475df8b209af3a5a1.0.tmp
- /data/data/####/cache/picasso-cache/c38118a840ac062ed871afdb2cee5fab.0.tmp
- /data/data/####/shared_prefs/config.xml
- /data/data/####/shared_prefs/indion.xml.bak
- /data/data/####/cache/picasso-cache/a0c3637f5ec9934787beef80ce6bf43b.1.tmp
- /data/data/####/cache/picasso-cache/journal.tmp
- /data/data/####/shared_prefs/indion.xml
- /data/data/####/databases/mp.db
- /data/data/####/files/mtin.db.shcut.zip
- /data/data/####/cache/picasso-cache/2f426f3a7413da3e0cc2cb4ff5c43a13.1.tmp
- /data/data/####/cache/picasso-cache/2d101af19789c6194b7c2a75808892d3.0.tmp
- /data/data/####/cache/picasso-cache/25a885db41b186bfcf798a010a351179.1.tmp
- /sdcard/.4d02db8e14/float/e780edf9a30742469921af970289f5a6
- /data/data/####/cache/picasso-cache/b7456d36b3f251d2272ed69a4d48e62e.1.tmp
- /data/data/####/shared_prefs/config.xml.bak
- /data/data/####/shared_prefs/TestinCrash.xml
- /data/data/####/cache/picasso-cache/c38118a840ac062ed871afdb2cee5fab.1.tmp
- /sdcard/.4d02db8e14/float/fc84fb7c72b84e39b6e461f85f40567f
- /sdcard/.4d02db8e14/float/1b3e00ab08a7472fb873e62099d6b9f1.dt
- /sdcard/.4d02db8e14/float/74aa287eb6e441e795c345a5716cc22f.dt
- /data/data/####/cache/picasso-cache/42db22d5dd0df2ce1605de32830d4f26.1.tmp
- /data/data/####/cache/picasso-cache/d23ab1978726697ab0c83b700426d5e7.0.tmp
- /data/data/####/cache/picasso-cache/b8f99aaaf5b130c23cf4258a85abce53.0.tmp
- /data/data/####/cache/picasso-cache/86859db7ad424cc3931b7d2e363920c4.1.tmp
- /sdcard/.4d02db8e14/float/fc84fb7c72b84e39b6e461f85f40567f.dt
- /data/data/####/cache/picasso-cache/25a885db41b186bfcf798a010a351179.0.tmp
- /data/data/####/cache/picasso-cache/4281f2b0a1517ce475df8b209af3a5a1.1.tmp
- /data/data/####/cache/picasso-cache/4f732b7171cd7b8a441504a2ab8bb543.0.tmp
- /sdcard/.4d02db8e14/dd/ad/f1529b5d9f7f46eda4d75ecfcb614222
- /data/data/####/databases/TestinAgent.db
- /sdcard/.4d02db8e14/float/52adaa0b266240a7b4a27ff9f34645c8
- /data/data/####/cache/picasso-cache/2d101af19789c6194b7c2a75808892d3.1.tmp
- /sdcard/.4d02db8e14/float/74aa287eb6e441e795c345a5716cc22f
- /data/data/####/databases/MF_CFG-journal
- /data/data/####/databases/sms_db
- /data/data/####/cache/picasso-cache/90ef6fd550447261a00965815f5024a6.0.tmp
- /data/data/####/cache/picasso-cache/b0129fe7b1f271d878b23f16e4932b3f.0.tmp
- /data/data/####/files/mtin.db.meng2.zip
- /data/data/####/cache/picasso-cache/e1e8723efe55a122327f82004d5f3ea5.1.tmp
- /data/data/####/cache/picasso-cache/d23ab1978726697ab0c83b700426d5e7.1.tmp
- /data/data/####/cache/picasso-cache/2863af5477fb7146b3bacc090a34df87.1.tmp
- /data/data/####/databases/mp.db-journal
- /data/data/####/cache/picasso-cache/a0c3637f5ec9934787beef80ce6bf43b.0.tmp
- /sdcard/.4d02db8e14/float/a43addd284844dd784c0ad0125934f68.dt
- /sdcard/.4d02db8e14/float/4ba8ca2d111349ce89c9355f45c20173.dt
- /sdcard/.4d02db8e14/float/a43addd284844dd784c0ad0125934f68
- /sdcard/.4d02db8e14/info/a7be2ff79ce14647a5f2c6729be55b57
- /data/data/####/cache/picasso-cache/b8f99aaaf5b130c23cf4258a85abce53.1.tmp
- /sdcard/.acterr
- /sdcard/.4d02db8e14/float/e780edf9a30742469921af970289f5a6.dt
- /sdcard/.4d02db8e14/com.pico.app/abc/com.pico.app_r1.tmp
- /sdcard/.4d02db8e14/float/a7be2ff79ce14647a5f2c6729be55b57
- /sdcard/.4d02db8e14/float/7e72d076c1ec49c19a7cb0a85940f137.dt
- /data/data/####/shared_prefs/TestinCrash.xml.bak
- /data/data/####/cache/picasso-cache/c497ece28f458aa2df9916e07851e569.0.tmp
- /data/data/####/cache/picasso-cache/e7d893b2873e3cc4dc3011d26d31c937.1.tmp
- /data/data/####/cache/picasso-cache/42db22d5dd0df2ce1605de32830d4f26.0.tmp
- /data/data/####/cache/picasso-cache/e29b9819446a69a6ab2907c88c90e546.0.tmp
- /data/data/####/cache/picasso-cache/90ef6fd550447261a00965815f5024a6.1.tmp
- /data/data/####/databases/cc/cc.db-journal
- /data/data/####/shared_prefs/port.xml
- /data/data/####/databases/TestinAgent.db-journal
- /data/data/####/cache/picasso-cache/86859db7ad424cc3931b7d2e363920c4.0.tmp
- /data/data/####/shared_prefs/initdata.xml.bak
- /sdcard/.4d02db8e14/float/fd9ebf2cfbc4499b9934c2ebef54047b.dt
- /data/data/####/cache/picasso-cache/e7d893b2873e3cc4dc3011d26d31c937.0.tmp
- /data/data/####/cache/picasso-cache/609119c8b419b409fd5cb80260b9a8ea.1.tmp
- /sdcard/.4d02db8e14/float/1b3e00ab08a7472fb873e62099d6b9f1
- /data/data/####/files/8f622d70bb9/154369b7-3115-450d-b06b-dd15a6b4098f.zip
- /data/data/####/cache/picasso-cache/4f732b7171cd7b8a441504a2ab8bb543.1.tmp
- /data/data/####/files/part
- /sdcard/.4d02db8e14/float/408f3acccb52453891bc8801773a5739.dt
- /data/data/####/databases/MF_ENH-journal
- /sdcard/.4d02db8e14/dd/ad/b677ee318a194030b9c71be6e90188d5
- /data/data/####/files/myfvu.jar
- /sdcard/.4d02db8e14/.init
- /sdcard/.4d02db8e14/float/408f3acccb52453891bc8801773a5739
- /sdcard/.4d02db8e14/float/52adaa0b266240a7b4a27ff9f34645c8.dt
- /data/data/####/shared_prefs/getFlag.xml
- /data/data/####/files/look
- /data/data/####/shared_prefs/device_id.xml.xml
- /sdcard/.4d02db8e14/ficon/56c7074b86ac4901bd2b2d4efc05e336
- /data/data/####/shared_prefs/gud.xml
- /data/data/####/cache/picasso-cache/e29b9819446a69a6ab2907c88c90e546.1.tmp
- /data/data/####/files/mj.apk
- /data/data/####/cache/picasso-cache/b0129fe7b1f271d878b23f16e4932b3f.1.tmp
- /data/data/####/databases/cc/cc.db
- /sdcard/.4d02db8e14/float/7e72d076c1ec49c19a7cb0a85940f137
- /data/data/####/cache/picasso-cache/302d6e74134b1da6a0e99bf60a310163.1.tmp
- /data/data/####/cache/picasso-cache/b7456d36b3f251d2272ed69a4d48e62e.0.tmp
- /data/data/####/cache/picasso-cache/1dc34afd013a7a8400430b5dbffd68e3.1.tmp
- /sdcard/.4d02db8e14/dd/ad/4658f135ff3e4c82a700c4abac8b7076
- /data/data/####/cache/picasso-cache/1a3e160c40b212065089e659771e0e7a.0.tmp
- /data/data/####/cache/picasso-cache/2c97464c5ffac6f19ebf3f273f6ef011.1.tmp
- /sdcard/.4d02db8e14/dd/ad/a7be2ff79ce14647a5f2c6729be55b57
- /data/data/####/cache/picasso-cache/0c696ddf1df49b885b42535767d97338.0.tmp
- /sdcard/.4d02db8e14/dd/ad/05ac657d7e5d4aeabef29fb7ba71a548
- /data/data/####/app_tongyu/plugins/download/tongyu-pay-lib.apk
- /sdcard/.4d02db8e14/dd/ad/656c8fc67b60429489bce747bb82dcfd
- /data/data/####/cache/picasso-cache/2f426f3a7413da3e0cc2cb4ff5c43a13.0.tmp
- /data/data/####/cache/picasso-cache/609119c8b419b409fd5cb80260b9a8ea.0.tmp
- /data/data/####/databases/sms_db-journal
- /data/data/####/app_tongyu/plugins/tongyu-pay-lib.apk
- /sdcard/.4d02db8e14/ficon/56c7074b86ac4901bd2b2d4efc05e336.dt
- /data/data/####/cache/picasso-cache/302d6e74134b1da6a0e99bf60a310163.0.tmp
- /sdcard/.4d02db8e14/float/a7be2ff79ce14647a5f2c6729be55b57.dt
- /data/data/####/cache/picasso-cache/2c97464c5ffac6f19ebf3f273f6ef011.0.tmp
- /data/data/####/cache/picasso-cache/c497ece28f458aa2df9916e07851e569.1.tmp
Присваивает атрибут 'исполняемый' для следующих файлов:
- /data/data/####/files/look
Другие:
Запускает следующие shell-скрипты:
- sh
- cat /sys/class/net/wlan0/address
Может автоматически отправлять СМС-сообщения.
