Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.248.origin
- Android.Triada.247.origin
- Android.Triada.246.origin
Сетевая активность:
Подключается к:
- n####.####.com:10091
- 6####.####.140
- i####.####.com
Запросы HTTP GET:
- i####.####.com/ando-res/ads/30/14/f15541de-b7bd-4ff9-97fb-9e6cc9e4e044/0...
- 6####.####.140/ando/i/mon?k=####&d=####
- i####.####.com/ando-res/m/C33lxVvC6ZtQDRJA5KeK2YsXyxkNOy4TcorkYcutfuAbsH...
- i####.####.com/ando-res/ads/18/19/da964672-e0f2-4f69-a63b-cea979b9a721/7...
- i####.####.com/ando-res/ads/4/5/d73ab4a4-4c75-43a7-a3c9-5bdabd9437c8/c21...
Запросы HTTP POST:
- 6####.####.140/ando/x/req?app_id=####&r=####
- 6####.####.140/ando/x/liv?app_id=####&r=####
- 6####.####.140/ando/x/lis?app_id=####&r=####
- n####.####.com:10091/opaService/link
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/ux_3miOdocSYzfUg/R3z7hcHWocvGQDI0HbsMiIwySc4=/903740f7-0a48-4485-beb7-ca199800ed7a.res
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/YPs8FjvhLZ7D51gB-I--ASMe2bgDV8l_paHYvYr7EN0=.new
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/4t03lBGO86r-nigeqRMjxw==
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/G6zhhMqKvs8-f1dK/9sgPc8AXsrD0_Gak27brrdHSnYQgx0Oj.old
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/yhEtcDOEg2HenWWnGjgbVqnQYfWewxnRQUhd5buqEO4=.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/u3s9AAgL7SWzYB0a6C2CUEP7exE=
- <Package Folder>/shared_prefs/cuf_config.xml
- <Package Folder>/files/dxit
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/b7MV4-Fr7I_tE6xy/s4HKpQeC0-wdj73o.new
- <Package Folder>/files/dxit.jar
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/ux_3miOdocSYzfUg/XuYJy09Stxtf1ZPG/043e6a36-2be4-44a0-aa4b-db650c74ca85.res.temp
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_tPsNaDfO0x4znb7D
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/VuRVjQKk7PZC7Xgpe2wAbyQD8dc=.old
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/HbINfCb_yBEIrue2ZDgjxg==.old
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_17zOGLKYx5lBdxFN4TPMvbFKvaA=
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/ux_3miOdocSYzfUg/R3z7hcHWocvGQDI0HbsMiIwySc4=/0cc91ddc-01e3-49ad-991c-ea8916293daa.res
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/MvotLLQO3kv2JrKoXoNcnQ==/n8rODhmH3fgOkAQGkf1EI_G6Vk8=.temp
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/ux_3miOdocSYzfUg/XuYJy09Stxtf1ZPG/ce736774-1708-4df1-b0fc-d338fb26aa76.res.temp
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/VuRVjQKk7PZC7Xgpe2wAbyQD8dc=.new
- <Package Folder>/files/7S4eB9ISYPi1Eh1oPQfbbA==/-S4b3MnUNlE1o3WNokLOJ-vd4S4=
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/-invBv1ZYIbhhWSPvOtb9uBLReDmE2jp.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/Ayg6nHhpUbg2zMqtL2iEfupoXfHaobA4B1_GLZkGR50=.new
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_5Wcbes9HKMzZ5ZrngRr_dw==-journal
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/eD8cnOZbdX8YjJAo4SvV3DSovDPHdhIYsybHWw==.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/vfkQXQuZ0Uh7PHXbfPjFEMuIXVBwu0J_.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/X7WzqJSOEILHWDKx1Rv5eLSzj3LGerwMfB7tzQ==.new
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_tPsNaDfO0x4znb7D-journal
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/ux_3miOdocSYzfUg/XuYJy09Stxtf1ZPG/94507fe9-9b96-4027-aa6f-122f2efadbe2.res.temp
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/lJL5jLa-PptO2f1R/9DXBXPOD7uJOVrpPOXpWNvNVCh8=.temp
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/MvotLLQO3kv2JrKoXoNcnQ==/Hv_ow4S_OohhnDdpNugI_g==
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/u3s9AAgL7SWzYB0a6C2CUEP7exE=.new
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_rvjmyAzuQ8EOyBALxbpVXA==-journal
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/590DJ301dyO1897156hMFw==/data.dat.tmp
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/l3ynHBqNaU1UdVnPunMp3Q==.new
- <Package Folder>/databases/books.db-journal
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/NVbyy0Hh2X-KfV7Nhj_QTg==/SZvOLwF8v3IPWYu9.zip
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/VuRVjQKk7PZC7Xgpe2wAbyQD8dc=
- <Package Folder>/.jiagu/libjiagu.so
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/gGEBWuvvEOp5rkVNEp9RudtGHFU=.new
- <Package Folder>/files/.jglogs/.jg.ic
- <Package Folder>/databases/readerbook.db-journal
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/G6zhhMqKvs8-f1dK/9sgPc8AXsrD0_Gak27brrdHSnYQgx0Oj
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_rvjmyAzuQ8EOyBALxbpVXA==
- <Package Folder>/databases/cc/cc.db-journal
- <Package Folder>/files/dxit.png
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/-wliSVmuGemoNQWZ-tdVSVoOuws=.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/HbINfCb_yBEIrue2ZDgjxg==
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/QYrwGJAKk0beNzeXnpWYghMXyIDDHZD6.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/kyjLiJqt0u9CKG0zb1z7URy9qEkmveyd.new
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_5Wcbes9HKMzZ5ZrngRr_dw==
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/OivhaA-TMUc5S7BjRogPug==.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/HbINfCb_yBEIrue2ZDgjxg==.new
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/MvotLLQO3kv2JrKoXoNcnQ==/jjl_pBq_HxAZ5xvQ
- <Package Folder>/databases/config.db-journal
- <Package Folder>/app_jgls/.log.ls
- <Package Folder>/code-5360618/M8XmICq0IWUhJCLh
- <Package Folder>/files/hxjbvg_d/hxjbvg_f.zip
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/4t03lBGO86r-nigeqRMjxw==.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/HvPFqB-QiXgtvpg8wW3WIIv5BGArUPsmHSsXDA==.new
- <Package Folder>/files/rdata_comnmrtdsnm.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/PWKT0rXWavDvr0QiU5PmM5pVMLPwTMyb.new
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/7hTsgvmKquvQQiHgUazAxw==/AnDcxAnidr_adxZCfXWpvpthwmAVD28d.new
- <Package Folder>/databases/cc/cc.db
- <Package Folder>/code-5360618/r6quuKkKGeIKV2gg/VtFC-QH4PhE=.jar
- <Package Folder>/app_jgls/.log.lock
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/files/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_files/G6zhhMqKvs8-f1dK/9sgPc8AXsrD0_Gak27brrdHSnYQgx0Oj.new
- <Package Folder>/databases/0IYM3gizS-u_hisWc8PYRi0zfpcIVHO4_17zOGLKYx5lBdxFN4TPMvbFKvaA=-journal
- <Package Folder>/files/_CLepWtjVaWfsvkHokZdhZZoNTNJO8Rg/z7vTSN7vQUmmAbwtBRcuVQ==/runner_info.prop
Другие:
Запускает следующие shell-скрипты:
- getprop
- chmod 755 /data/data/####/.jiagu/libjiagu.so
- chmod 755 <Package Folder>/.jiagu/libjiagu.so
- cat /proc/version
- sh <Package Folder>/code-5360618/M8XmICq0IWUhJCLh -p <Package> -c com.nmrt.dsnm.badevw.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- getprop ro.product.cpu.abi
- getprop ro.board.platform
- cat /sys/class/net/wlan0/address
- <dexopt>
- /data/data/####/code-5360618/M8XmICq0IWUhJCLh -p #### -c com.nmrt.dsnm.badevw.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует специальную библиотеку для скрытия исполняемого байткода.
Может автоматически отправлять СМС-сообщения.
