Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 12114: dyl#####,####,6000005-1-190-6_kh5s0160_-0
- 12114516420: ####
- 106575206321505460: dyl#####,####,6000005-1-190-6_kh5s0160_-0
Загружает на исполнение код следующих детектируемых угроз:
- Android.Spy.205.origin
- Android.DownLoader.304.origin
Отправляет данные получаемых СМС-сообщений на удалённый хост.
Сетевая активность:
Подключается к:
- s####.####.com
- iji####.com
- 1####.####.34:19000
- newbyv####.com
- p####.####.com
- 1####.####.226:8002
- 7j####.####.com
- and####.####.com
- c-h####.####.com
- newbyv####.com:10001
- v####.####.com
- w####.####.com
- 1####.####.238:8977
- 1####.####.238
- d####.####.net
- 1####.####.226
- m####.####.com
- i####.####.cn
- greenxs####.net
- a####.####.com
- and####.####.com:8077
Запросы HTTP GET:
- greenxs####.net/resource!chargeUpdate?resTypes=####&dexId=####&dexVer=##...
- iji####.com/tcmn/home/mnfw/1?record_id=####&vncode=####&channel=####&uid...
- v####.####.com/pic/tcmn/mnfw/2015/09/26/7928435801473.jpg
- v####.####.com/pic/tcmn/banner/rule_20160108.jpg
- w####.####.com/r/378609775/index.htm?cm=####
- p####.####.com/cityjson?ie=####
- iji####.com/tcmn/user/get_user_tag?vncode=####&channel=####
- iji####.com/tcmn/pvuv/bind_push?dev_vn=####&channelCode=####&devuid=####...
- greenxs####.net/resource!resource?resTypes=####&appid=####&channel=####&...
- i####.####.cn/iplookup/iplookup.php?format=####
- v####.####.com/pic/tcmn/banner/banner_20160919.jpg
- 1####.####.238/dex/version.txt
- s####.####.com/config/hz-hzv3.conf
- d####.####.net/apkf/3rdapk2/M01/0F/ED/wKhklFi3kP6AenV0AAK1r2oCKfQ234.apk
- w####.####.com/r/p/lyxy.jsp?ln=####&t1=####&cm=####
- 7j####.####.com/tdata_jvh958
- d####.####.net/apkf/3rdapk2/M01/13/6C/wKhklVjwsaCARWV-AAQm7yY3ixc640.apk
- 7j####.####.com/tdata_UnX595
- iji####.com/tcmn/user/get_user_tag?vncode=####&channel=####&uid=####&prv...
- w####.####.com/r/378609775/378609778/index.htm?cm=####
- iji####.com/tcmn/home/user_setting?vncode=####&channel=####&uid=####&prv...
- v####.####.com/pic/tcmn/2016/01/22/5512606039233.jpg
- v####.####.com/pic/tcmn/2016/01/22/5512577928945.jpg
- a####.####.com/fetch.php?gid=####&ch=####&key=####
- v####.####.com/pic/tcmn/2017/04/18/1204236196520.jpg
- a####.####.com/location/ip?ak=####&mcode=####
- 7j####.####.com/tdata_rqD586
- iji####.com/tcmn/iploc/get_ip
- v####.####.com/pic/tcmn/2016/01/22/5512630642883.jpg
- greenxs####.net/doking/smsd!hiGo.action?t=####&dexId=####&dexVer=####&ap...
- v####.####.com/pic/tcmn/2016/01/22/5512595249518.jpg
- 1####.####.238/dex/ldsource.bin
- newbyv####.com/Application/Uploads/Global/58febcefe9f7b.zip
- v####.####.com/pic/tcmn/2017/04/28/5172047716244.jpg
- m####.####.com/course/504703.html?cm=####
- w####.####.com/r/p/index.jsp?vt=####&cm=####
- d####.####.net/apkf/3rdapk2/M01/11/F8/wKhklVjkZD6AChDMAAP3wtpPkhM733.apk
- iji####.com/tcmn/user/get_user_notice?vncode=####&channel=####&uid=####&...
- newbyv####.com/Application/Uploads/Scheme/5859392d01032.zip
- v####.####.com/pic/tcmn/2017/04/28/5171567546996.jpg
- greenxs####.net/active!activeLog.action?provider=####&clickId=####&manu=...
- iji####.com/tcmn/home/notification/1?vncode=####&channel=####&pkg=####&i...
- 1####.####.238:8977/dex/version.txt
- v####.####.com/pic/tcmn/2017/04/28/5171462829765.jpg
Запросы HTTP POST:
- and####.####.com/record-plat/record/upload.do
- and####.####.com/zm-adv-mis/adv/list/query.do
- newbyv####.com/api/v1/phones
- 1####.####.34:19000/v2/chis
- iji####.com/tcmn/pvuv/check_device?tt=####&pkg=####
- greenxs####.net/shop/shop_upload_log
- 1####.####.226:8002/api/sl/vcoderule/getvalid
- newbyv####.com:10001/api/v1/phones
- iji####.com/tcmn/pvuv/record?isRtn=####&pkg=####&apiName=####
- a####.####.com/v1/conf/profile
- 1####.####.226/api/sl/device/upload
- and####.####.com/query-plat/cap/query.do
- and####.####.com:8077/query-plat/cap/query.do
- and####.####.com/android/sms/netpay/prefetch.do
- 1####.####.226/api/sl/vcoderule/getvalid
- s####.####.com/api.php?format=####&t=####
- iji####.com/tcmn/pvuv/sync_online
- iji####.com/tcmn/user/register/2
- and####.####.com/record-plat/seq/query.do
- c-h####.####.com/api.php?format=####&t=####
- 1####.####.226/api/qxt/tel/get
Дропперы:
Был загружен из Интернета следующими детектируемыми угрозами:
- Android.SmsSend.12149
Другие:
Может автоматически отправлять СМС-сообщения.
