Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.SmsSend.1859.origin
- Android.Xiny.184.origin
- Android.MulDrop.84.origin
- Android.Backdoor.336.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Backdoor.336.origin
Скрывает свою иконку с экрана устройства.
Сетевая активность:
Подключается к:
- trac####.####.com
- clinkad####.com
- set####.####.com
- buzzade####.com
- 6####.####.co
- r####.####.com
- pulsead####.com
- toponc####.com
- s####.####.com
- theway####.club
- b####.com
- ip####.io
- y####.####.gdn
- f####.####.com
- pa####.####.sg
- m####.####.com
- pag####.####.com
- mycampt####.com
- pa####.####.sg:8897
- cdn####.####.com
- a####.####.com
- t####.####.com
- g####.####.com
- c####.####.com
- d####.####.com
- e####.####.com
- n####.####.com
Запросы HTTP GET:
- pulsead####.com/a/display.php?r=####
- a####.####.com/request/?z=####&cid=####&subid=####
- d####.####.com/thinking/group/rtt0421_662.apk
- 6####.####.co/mobile/Speedtest_files/speedtest.js
- f####.####.com/s/opensans/v13/cJZKeOuBrn4kERxqtaUH3SZ2oysoEQEeKwjgmXLRnT...
- 6####.####.co/track_common.js?t=####
- c####.####.com/index.php?service=####&pub=####&offer_id=####&uc_trans_1=...
- toponc####.com/a/display.php?r=####
- c####.####.com/jquery-1.11.1.min.js
- a####.####.com/pull/top_offer?gaid=####&id=####
- pag####.####.com/pagead/osd.js
- 6####.####.co/mobile/media/style.css
- b####.com/rms/BingCore.Bundle/cj,nj/4ec5679f/05acd042.js?bu=####
- toponc####.com/a/display.php?r=####&treqn=####&runauction=####&crr=####&...
- b####.com/rms/rms%20answers%20Shared%20BingCore$Animation/cj,nj/c9ce19fd...
- cdn####.####.com/cdn-adn/offersync/17/03/13/17/35/58c667cfc7ebc.png
- g####.####.com/r2.php?c=####&p=####&u=aHR0c####
- r####.####.com/Nkgb9Tx83Wze9yqS?ClickId=####&t=####&utm_campaign=####&ut...
- s####.####.com/app/umeng?pid=####&dp=####&af=####&sk=####&cn=####&cv=####
- ip####.io/json
- clinkad####.com/tracking?camp=####&pubid=####&sid=####
- pulsead####.com/a/display.php?stamat=####
- e####.####.com/thinking/group/exp
- buzzade####.com/a/display.php?r=####
- b####.com/rms/Framework/cj,nj/f0fe13d0/9101d3f2.js?bu=####
- a####.####.com/request/?z=####&if=####&uh=####&ab=####&w=####&h=####&sub...
- theway####.club/afa98b0a-a104-416c-9f1d-ce11ef427508/assets/Windows%20Ex...
- b####.com/rms/MobileSiteBase/cc,nc/8d0342e9/e3492d89.css?bu=####
- b####.com/?r=####
- y####.####.gdn/?v=####&KW=####&s1=####
- buzzade####.com/a/display.php?r=####&treqn=####&runauction=####&crr=####...
- clinkad####.com/tracking?camp=####&pubid=####&sid=####&sid1=####&subpubi...
- d####.####.com/click?k=####&p=####&q=####¬ice=####
- set####.####.com/appwall/setting?app_id=####&sign=####&platform=####&os_...
- pulsead####.com/a/display.php?r=####&excluded_countries=####
- f####.####.com/css?family=####
- buzzade####.com/a/display.php?stamat=####
- theway####.club/afa98b0a-a104-416c-9f1d-ce11ef427508/index.html?tracker=...
- trac####.####.com/click?mb_pl=####&mb_nt=####&mb_campid=####&aff_sub=###...
- mycampt####.com/path/lp.php?trvid=####&trvx=####&extid=####&zoneid=####&...
- cdn####.####.com/cdn-adn/dmp/17/03/30/22/04/58dd105c42b05.JPEG
- pulsead####.com/a/display.php?r=####&excluded_countries=####&treqn=####&...
- n####.####.com/openapi/ad/v3?app_id=####&unit_id=####&req_type=####&only...
- set####.####.com/setting?unit_ids=####&app_id=####&sign=####&platform=##...
- set####.####.com/setting?app_id=####&sign=####&platform=####&os_version=...
- t####.####.com/safeframe/1-0-8/html/container.html
- b####.com/notifications/render?bnptrigger=####&IG=####&IID=####
- d####.####.com/impression?k=####&p=####&q=####&x=####
- b####.com/rms/rms%20answers%20Shared%20BingCore$fadeAnimation/cj,nj/8c49...
- f####.####.com/s/opensans/v13/EInbV5DfGHOiMmvb1Xr-hpS3E-kSBmtLoNJPDtbj2P...
- 6####.####.co/?utm_campaign=####&utm_medium=####&utm_source=####&c=####&...
- d####.####.com/onlyImpression?k=####&p=####
- n####.####.com/openapi/ad/v3?app_id=####&unit_id=####&category=####&req_...
- b####.com/rms/AutoSug/cj,nj/5d4a1743/724a3e06.js?bu=####
- pulsead####.com/a/display.php?r=####&treqn=####&runauction=####&crr=####...
- f####.####.com/s/opensans/v13/MTP_ySUJH_bn48VBG8sNSpS3E-kSBmtLoNJPDtbj2P...
- f####.####.com/s/opensans/v13/k3k702ZOKiLJc3WVjuplzJS3E-kSBmtLoNJPDtbj2P...
Запросы HTTP POST:
- a####.####.com/app_logs
- a####.####.com/oversea_adjust_and_download_write_redis/notify/download/app
- a####.####.com/subscribe/api/1110
- b####.com/fd/ls/lsp.aspx
- pa####.####.sg:8897/hwSdk/wf/getCtl.json
- g####.####.com/pilot/api/300102
- t####.####.com/ggview/rsddateindex
- b####.com/fd/ls/lsp.aspx?
- m####.####.com/errorview/api/601
- pa####.####.sg/hwSdk/sms/getSms.json
- m####.####.com/smartview/api/920
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/files/.snow/.dico.apk
- /data/data/####/files/.snow/.dg
- /data/data/####/files/.snow/.zip/r3
- /data/data/####/cache/webviewCacheChromium/f_00000a
- /data/data/####/cache/webviewCacheChromium/f_00000c
- /data/data/####/cache/webviewCacheChromium/f_00000b
- /data/data/####/shared_prefs/####_preferences.xml
- /data/data/####/files/.snow/.zip/r4
- /data/data/####/files/.snow/.dlsb.apk
- /data/data/####/cache/webviewCacheChromium/f_000009
- /data/data/####/files/.snow/.zip/r1
- /data/data/####/files/.snow/.service
- /data/data/####/databases/bat_statistics.db-journal
- /data/data/####/files/.snow/busybox
- /data/data/####/cache/webviewCacheChromium/data_3
- /data/data/####/files/.snow/supolicy
- /data/data/####/files/.snow/b.png
- /data/data/####/files/.default/95d3861ebbd38c2dc8795952cc6c4d37.data.temp
- /sdcard/.windy/508e8558f784e3a21d3368e4763e2693.dat
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/files/hello/hello.dex
- /data/data/####/files/source.apk
- /data/data/####/files/.snow/.zip/r2
- /data/data/####/files/.snow/myshell
- /data/data/####/files/.snow/.ir
- /data/data/####/cache/picasso-cache/journal
- /data/data/####/cache/picasso-cache/b8407234b8537a063a13f6ae52948257.0.tmp
- /data/data/####/databases/fmoonStore.db
- /data/data/####/files/.snow/checkFile0
- /sdcard/.mobvista700/download/-2037991731
- /data/data/####/shared_prefs/mobclick_agent_state_####.xml
- /data/data/####/cache/picasso-cache/b8407234b8537a063a13f6ae52948257.1.tmp
- /sdcard/.mobvista700/download/1510565344.temp
- /data/data/####/shared_prefs/time_p.xml
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/files/.work/postroot.sh
- /data/data/####/databases/mobvista.msdk.db-journal
- /data/data/####/files/.snow/.zip/rt8
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/shared_prefs/mobvista.xml
- /data/data/####/files/.snow/checkFile13
- /data/data/####/databases/webview.db-journal
- /data/data/####/files/.snow/.center.tapk
- /data/data/####/files/.snow/.zip/rsh
- /data/data/####/files/.snow/exp
- /data/data/####/files/bind.dex
- /data/data/####/cache/webviewCacheChromium/f_000001
- /data/data/####/cache/webviewCacheChromium/f_000003
- /data/data/####/files/hello.apk
- /data/data/####/cache/webviewCacheChromium/f_000005
- /data/data/####/cache/webviewCacheChromium/f_000004
- /data/data/####/cache/webviewCacheChromium/f_000007
- /data/data/####/cache/webviewCacheChromium/f_000006
- /data/data/####/shared_prefs/####_preferences.xml.bak
- /data/data/####/files/.snow/.catr.apk
- /data/data/####/files/.snow/.dlme.apk
- /data/data/####/files/.snow/a.xml
- /data/data/####/files/.snow/.ukd
- /data/data/####/shared_prefs/sharedpreferences_batmobi_settings.xml
- /data/data/####/files/.snow/.uok
- /data/data/####/databases/fmoonStore.db-journal
- /data/data/####/files/.default/.p.apk
- /data/data/####/cache/webviewCacheChromium/f_000008
- /data/data/####/shared_prefs/share_data.xml
- /data/data/####/shared_prefs/mobclick_agent_header_####.xml
- /data/data/####/files/.snow/.client
- /data/data/####/files/.snow/.zip/mkdevsh
- /data/data/####/files/95d3861ebbd38c2dc8795952cc6c4d37.data
- /sdcard/.windy/508e8558f784e3a21d3368e4763e2693.tmp
- /data/data/####/cache/webviewCacheChromium/index
- /data/data/####/files/.snow/.uks
Присваивает атрибут 'исполняемый' для следующих файлов:
- /data/data/####/files/.snow/.catr.apk
- /data/data/####/files/.snow/.ir
- /data/data/####/files/.work/postroot.sh
- /data/data/####/files/.snow/.zip/rsh
- /data/data/####/files/.snow/busybox
- /data/data/####/files/.snow/.zip/mkdevsh
- /data/data/####/files/.snow/b.png
Другие:
Запускает следующие shell-скрипты:
- chmod 777 /data/data/####/files/.snow/myshell
- /system/bin/dexopt --dex 27 40 40 10544 /data/data/####/files/hello.apk 1252215201 1311588194 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.ja
- chown 0:0 /system/bin/debuggerd
- chown 0:0 /system/app/Lowerp.apk
- app_process /system/bin com.android.commands.pm.Pm disable org.app.info.grate
- chown 0.0 /system/app/Treese.apk
- mount -o remount,rw /system
- chown 0.0 /system/xbin/.rainin
- chcon u:object_r:system_file:s0 /system/xbin/.cp
- chcon u:object_r:system_file:s0 /system/lib/libsoon.so
- chown 0.0 /system/app/Lowerp.apk
- chown 0.0 /system/app/Dingps.apk
- /system/bin/dexopt --dex 27 41 40 2630000 /data/data/####/files/source.apk 1252215201 748214264 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.
- app_process /system/bin com.android.commands.pm.Pm enable com.fly.me.ssp.be
- rm /system/bin/debuggerd
- app_process /system/bin com.android.commands.pm.Pm enable com.android.upon.hash
- sh /data/data/####/files/.snow/exp /data/data/####/files/.snow /data/data/####/files/.work
- app_process /system/bin com.android.commands.pm.Pm enable com.setting.dysdtool
- chcon u:object_r:system_file:s0 /system/bin/.author
- chmod 777 /data/data/####/files/.snow/.service
- app_process /system/bin com.android.commands.pm.Pm enable com.android.tools.receiver
- chown 0.0 /data/local/tmp/busybox
- app_process /system/bin com.android.commands.pm.Pm disable com.setting.dysdtool
- chcon u:object_r:system_file:s0 /system/xbin/.rainin
- chown 0:0 /data/local/tmp/busybox
- chown 0:0 /system/lib/libsoon.so
- chmod 777 /data/data/####/files/.snow/.dg
- /system/bin/dexopt --dex 27 42 40 94244 /data/data/####/files/bind.dex 1493729860 -888594589 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework.jar
- mount -wo remount rw /system
- chown 0:0 /system/app/oneshs.apk
- chown 0.0 /system/xbin/.cp
- chmod 777 /data/data/####/files/.snow/.zip/r1
- chcon u:object_r:system_file:s0 /system/xbin/supolicy
- app_process /system/bin com.android.commands.pm.Pm disable com.android.tools.receiver
- chcon u:object_r:system_file:s0 /system/bin/debuggerd
- chmod 777 /data/data/####/files/.snow/.zip/mkdevsh
- chown 0.0 /system/app/Banner.apk
- /system/bin/dexopt --dex 27 72 40 2504384 /data/data/####/files/.default/.p.apk 1251299633 -1585053023 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/fra
- chown 0:0 /data/local/tmp/.catr.apk
- chown 0.0 /data/local/tmp/.catr.apk
- chmod 777 /data/data/####/files/.snow/.uok
- mount -o remount ro /system
- chown 0.0 /system/xbin/supolicy
- chown 0:0 /system/xbin/supolicy
- chmod 777 /data/data/####/files/.snow/.ukd
- app_process /system/bin com.android.commands.pm.Pm disable com.fly.me.ssp.be
- chmod 777 /data/data/####/files/.snow/.client
- chmod 777 /data/data/####/files/.snow/.zip/r4
- /data/data/####/files/.snow/exp /data/data/####/files/.snow /data/data/####/files/.work
- chown 0.0 /system/app/oneshs.apk
- mount -ro remount ro /system
- chmod 777 /data/data/####/files/.snow/.zip/r3
- chmod 777 /data/data/####/files/.snow/.zip/r2
- chmod 777 /data/data/####/files/.snow/b.png
- chmod 777 /data/data/####/files/.snow/.uks
- chmod 777 /data/data/####/files/.snow/supolicy
- mount -wo remount,rw /system
- chown 0:0 /system/xbin/.cp
- chown 0:0 /system/xbin/.ci.pm
- chmod 777 /data/data/####/files/.snow/a.xml
- df /system
- mount -o remount rw /system
- chmod 777 /data/data/####/files/.snow/busybox
- chmod 777 /data/data/####/files/.work/postroot.sh
- chown 0:0 /system/app/Dingps.apk
- mount -o remount,ro /system
- <error:2>
- chmod 777 /data/data/####/files/.snow/.catr.apk
- chown 0.0 /system/lib/libsoon.so
- mount -ro remount,ro /system
- chmod 777 /data/data/####/files/.snow/.zip/rsh
- app_process /system/bin com.android.commands.pm.Pm enable org.app.info.grate
- chcon u:object_r:system_file:s0 /system/xbin/.ci.pm
- sh
- chmod 777 /data/data/####/files/.snow/exp
- chown 0.0 /system/bin/debuggerd
- chown 0.0 /system/xbin/.ci.pm
- chown 0:0 /system/xbin/.rainin
- chown 0:0 /system/app/Treese.apk
- app_process /system/bin com.android.commands.pm.Pm disable com.android.upon.hash
- chmod 777 /data/data/####/files/.snow/.zip/rt8
- /system/bin/sh ./mkdevsh
- chmod 777 /data/data/####/files/.snow/.zip/
- chown 0:0 /system/app/Banner.apk
Может автоматически отправлять СМС-сообщения.
