Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.542.origin
- Android.Triada.218.origin
- Android.Triada.219.origin
Сетевая активность:
Подключается к:
- trac####.####.com
- a####.####.com:9090
- d3656q1####.####.net
- face####.com
- technol####.net
- mo####.####.online
- atracki####.####.com
- trackme####.com
- b####.####.com
- t####.global
- wina####.com
- m####.####.com
- pag####.####.com
- wina####.com:8006
- 1####.####.228:8006
- a####.####.in
- f####.####.com
- melad####.com
- a####.####.com
- j####.####.com
- serv####.####.com
- c####.####.com
- rockt####.com
- t####.####.info
Запросы HTTP GET:
- m####.####.com/js/wglibs/mgWidget_4.js
- a####.####.in/interface/shaziow.php?subid=####&pjid=####&uid=####&cpid=#...
- d3656q1####.####.net/sail732.so
- technol####.net/wp-content/themes/yeahthemes-sparkle/js/jquery.flexslide...
- technol####.net/wp-content/themes/yeahthemes-sparkle/js/yt.script.min.js...
- rockt####.com/d/15143458cac3ab0e1bc?source=####&sub=####&do=####&test=####
- technol####.net/wp-content/themes/yeahthemes-sparkle/css/animate.css?ver...
- t####.global/view/lHTqZDHhsyHUOrZ4ihSalSksXYxTJcakGSMaWKX0Cs784MU?c=####...
- technol####.net/wp-content/themes/yeahthemes-sparkle/style.css
- t####.####.info/9fd67b5e-bf36-48d8-b97c-52a4c60633dd?Pubid=####&clickid=...
- technol####.net/wp-content/plugins/wp-share-buttons/Front_end/js/custom_...
- rockt####.com/gw?url=####&vId=####&ef=####&ch=####&nid=####&sub=####&sou...
- technol####.net/wp-content/themes/yeahthemes-sparkle/js/yt.custom.min.js...
- technol####.net/wp-content/themes/yeahthemes-sparkle/framework/css/boots...
- a####.####.com/sdkcp/plugUpdate.jsp?uid=####&plugVersion=####&imei=####&...
- technol####.net/mobile/iphone/apple-iphone-8-alleged-no-home-button/?sub...
- mo####.####.online/?utm_term=####&clickverify=####&utm_content=####
- f####.####.com/s/lato/v13/MZ1aViPqjfvZwVD_tzjjkwLUuEpTyoUstqEm5AMlJo4.ttf
- technol####.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=####
- c####.####.com/i.js
- melad####.com/04r59/YKT-/dKez/cKqiKvI/Iu__fqw5kvkGPugJH-EVtB8s73bbuwn4jw...
- serv####.####.com/119987?t=####&ref=####&lu=####
- a####.####.in/interface/sale_static_new.php?kehuid=####&xiangid=####&chu...
- technol####.net/wp-content/themes/yeahthemes-sparkle/fonts/fontawesome-w...
- technol####.net/wp-content/themes/yeahthemes-sparkle/js/jquery.sharrre.m...
- serv####.####.com/105160/1?w=####&h=####&cols=####&pv=####&cbuster=####&...
- technol####.net/wp-content/plugins/wp-share-buttons/style/front.end.css?...
- a####.####.com:9090/wapbill/sale_static_newcp.jsp?uid=####&Cptime=####&p...
- t####.global/hrfp?url=####
- pag####.####.com/pagead/js/adsbygoogle.js
- melad####.com/29A667/AthB/DNxR/VJAN66HM-3TkTRFqPFhi8ufC496Ayu1CMUE8IU1nQ...
- rockt####.com/d/15143458cac3ab0e1bc?source=####&sub=####
- a####.####.com/wapbill/sale_static_newcp.jsp?uid=####&Cptime=####&plugVe...
- pag####.####.com/pagead/js/r20170508/r20170110/show_ads_impl.js
- trackme####.com/r/361ce7a8-370c-11e7-8214-11413ea6553c/1/
- trackme####.com/r/361ce7a8-370c-11e7-8214-11413ea6553c/0/
- face####.com/plugins/likebox.php?href=####&w####&height=####&colorscheme...
- technol####.net/wp-includes/js/wp-emoji-release.min.js?ver=####
- a####.####.in/interface/vsupdate_hk.php?vers=####&cid=####&qid=####&uid=...
- technol####.net/wp-content/themes/sparkle-childtheme/style.css?ver=####
- j####.####.com/t/e/technologycraze.net.105160.js?t=####
- atracki####.####.com/transaction/post_click?offer_id=####&aff_id=####&af...
- technol####.net/wp-content/themes/yeahthemes-sparkle/framework/js/bootst...
- mo####.####.online/?utm_medium=####&utm_campaign=####&cid=####
- trac####.####.com/warning.html?err=####
- b####.####.com/beacon.js
- technol####.net/wp-content/themes/yeahthemes-sparkle/css/flexslider.css?...
- technol####.net/wp-content/themes/yeahthemes-sparkle/css/font-awesome.cs...
- m####.####.com/mghtml/framehtml/c/t/e/technologycraze.net.105160.html
- f####.####.com/css?family=####&ver=####
- mo####.####.online/proc.php?3490945####
- f####.####.com/s/robotoslab/v6/dazS1PrQQuCxC3iOAJFEJTdGNerWpg2Hn6A-BxWgZ...
- technol####.net/wp-includes/js/wp-embed.min.js?ver=####
- technol####.net/wp-includes/js/jquery/jquery.js?ver=####
- a####.####.in/interface/mothdow.php?subid=####&pjid=####&uid=####&Imsi=#...
Запросы HTTP POST:
- 1####.####.228:8006/service/com.ads.basic.model.ServerAddress?type=####
- wina####.com:8006/service/com.ads.sales.model.Mobile
- a####.####.in/wapbill/geturlow.php?imsi=####&net=####&subid=####&pjid=##...
- wina####.com/service/com.ads.basic.model.ServerAddress?type=####
- wina####.com/service/com.like.system.model.ChipBind
- a####.####.com/app_logs
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/databases/cc.db-journal
- /data/data/####/cache/webviewCacheChromium/f_00000a
- /data/data/####/databases/ua.db
- /data/data/####/cache/webviewCacheChromium/f_00000b
- /data/data/####/cache/webviewCacheChromium/f_00000e
- /data/data/####/cache/webviewCacheChromium/f_00000d
- /data/data/####/cache/hisailer434393019.so
- /data/data/####/cache/webviewCacheChromium/f_00000f
- /data/data/####/apps_/com.plugin.main/dalvik-cache/base-1.dex
- /data/data/####/files/1493728906744.apk
- /data/data/####/databases/cc.db
- /data/data/####/files/1493728912376.apk
- /data/data/####/files/U922.apk
- /data/data/####/files/webcache/localstorage/http_www.technologycraze.net_0.localstorage-journal
- /data/data/####/cache/webviewCacheChromium/data_2
- /data/data/####/cache/webviewCacheChromium/data_3
- /sdcard/PluginLog/CrashLog/CrashLog_20170502124146_2119.log
- /data/data/####/cache/webviewCacheChromium/data_1
- /data/data/####/cache/webviewCacheChromium/data_0
- /data/data/####/databases/ua.db-journal
- /data/data/####/databases/net_dc_sdk.db
- /data/data/####/cache/webviewCacheChromium/f_000010
- /data/data/####/files/sail732.so
- /data/data/####/databases/webviewCookiesChromium.db-journal
- /data/data/####/files/1493728890422.apk
- /data/data/####/cache/webviewCacheChromium/f_000002
- /data/data/####/files/1493728941338.apk
- /sdcard/PluginLog/CrashLog/CrashLog_20170502124152_2327.log
- /data/data/####/cache/hisailer1897251664.so
- /data/data/####/cache/hisailer1383528150.so
- /data/data/####/shared_prefs/umeng_general_config.xml
- /data/data/####/files/einqhe.apk
- /data/data/####/shared_prefs/userconfig.xml
- /data/data/####/files/.umeng/exchangeIdentity.json
- /data/data/####/cache/webviewCacheChromium/f_000003
- /data/data/####/cache/webviewCacheChromium/f_000011
- /data/data/####/shared_prefs/bill.xml
- /data/data/####/cache/webviewCacheChromium/f_00000c
- /data/data/####/files/libs_data
- /sdcard/PluginLog/CrashLog/CrashLog_20170502124220_2392.log
- /data/data/####/files/.imprint
- /data/data/####/shared_prefs/Argolisten.xml
- /sdcard/PluginLog/CrashLog/CrashLog_20170502124129_1822.log
- /data/data/####/cache/hisailer431383042.so
- /data/data/####/files/exid.dat
- /data/data/####/shared_prefs/jihuos.xml
- /data/data/####/files/umeng_it.cache
- /data/data/####/cache/webviewCacheChromium/f_000009
- /data/data/####/cache/webviewCacheChromium/f_000008
- /data/data/####/databases/su.sqlite
- /data/data/####/files/core_service
- /data/data/####/databases/su.sqlite-journal
- /data/data/####/cache/webviewCacheChromium/f_000001
- /sdcard/Android/.zuid
- /data/data/####/files/sfjdod.so
- /data/data/####/cache/webviewCacheChromium/f_000005
- /data/data/####/cache/webviewCacheChromium/f_000004
- /data/data/####/cache/webviewCacheChromium/f_000007
- /data/data/####/cache/webviewCacheChromium/f_000006
- /data/data/####/databases/webview.db-journal
- /data/data/####/files/tmpversion
- /data/data/####/shared_prefs/umeng_general_config.xml.bak
- /data/data/####/shared_prefs/share_cache.pref.xml
- /data/data/####/files/1493728886519.apk
- /data/data/####/files/btsailer.apk
- /data/data/####/cache/a.log
- /data/data/####/apps_/com.plugin.main/Signature/Signature_0.key
- /data/data/####/files/webcache/ApplicationCache.db-journal
- /data/data/####/apps_/com.plugin.main/apk/base-1.apk
- /data/data/####/cache/.android/ojchs1.png
- /data/data/####/databases/net_dc_sdk.db-journal
- /data/data/####/cache/webviewCacheChromium/index
Другие:
Запускает следующие shell-скрипты:
- /system/bin/dexopt --dex 27 41 40 319872 /data/data/####/files/1493728941338.apk 1252819191 -2016630105 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework
- /system/bin/dexopt --dex 27 41 40 319872 /data/data/####/files/1493728912376.apk 1252819191 -2016630105 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework
- /system/bin/dexopt --dex 27 40 40 14036 /data/data/####/files/einqhe.apk 1252819186 -696810223 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framewor
- /system/bin/dexopt --dex 27 53 40 113728 /data/data/####/files/U922.apk 1251639931 1963997904 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/framework
- /system/bin/dexopt --dex 27 57 40 49256 /data/data/####/files/btsailer.apk 1251624652 -1056122757 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework/frame
- /system/bin/dexopt --dex 27 41 40 319872 /data/data/####/files/1493728906744.apk 1252819191 -2016630105 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework
- /system/bin/dexopt --dex 27 41 40 319872 /data/data/####/files/1493728886519.apk 1252819191 -2016630105 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework
- /system/bin/dexopt --dex 27 86 40 179000 /data/data/####/apps_/com.plugin.main/apk/base-1.apk 1252819191 -25815708 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /syste
- /system/bin/dexopt --dex 27 41 40 319872 /data/data/####/files/1493728895416.apk 1252819191 -2016630105 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework
- /system/bin/dexopt --dex 27 41 40 319872 /data/data/####/files/1493728890422.apk 1252819191 -2016630105 45 /system/framework/core.jar /system/framework/core-junit.jar /system/framework/bouncycastle.jar /system/framework/ext.jar /system/framework
Может автоматически отправлять СМС-сообщения.
