Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.16.origin
- Android.Mixi.13.origin
Сетевая активность:
Подключается к:
- s####.####.com
- tou####.com
- q####.####.cn
- g####.####.com
- i####.####.com
- d####.####.com
- o####.####.com
- p####.####.com
- w####.####.cn
- api####.####.com
- m####.####.com
- t####.####.cn
- a####.####.com
- b####.####.com
Запросы HTTP GET:
- s####.####.com/site/download/app/pl/news_article/112/ss_plugin_config.js...
- i####.####.com/2/article/extensions/v3/?iid=####&device_id=####&ac=####&...
- i####.####.com/article/content/15/1/6419139612693758210/6419139612693758...
- s####.####.com/list/190x124/1dcd001a4ec4645f31d8.webp
- d####.####.com/get_domains/v4/?ac=####&channel=####&aid=####&app_name=##...
- w####.####.cn/mmopen/NKkTUbVKQ0tGlOANNuq4TfYuXPiaKGEbgDA7QoAviaHPXicCLic...
- t####.####.cn/2184792951/50/5614941665/1
- s####.####.com/site/download/app/hijack/108/black_list_20170331.json?iid...
- s####.####.com/service/2/app_notify/?allow_notify=####&leave_time=####&i...
- s####.####.com/list/190x124/213a0002e83715f7862b.webp
- i####.####.com/2/article/hot_words/?iid=####&device_id=####&ac=####&chan...
- s####.####.com/2/user/info/?ac=####&channel=####&aid=####&app_name=####&...
- s####.####.com/feedback/2/list/?appkey=####&count=####&iid=####&device_i...
- i####.####.com/service/3/app_components/?screen_type=####&iid=####&devic...
- t####.####.cn/crop.0.0.180.180.50/82394b77jw1e8qgp5bmzyj2050050aa8.jpg
- s####.####.com/site/download/app/js/106/detect.js.dat
- i####.####.com/follow/update/tips/?update_time=####&update_version=####&...
- i####.####.com/search/suggest/homepage_suggest/?ac=####&channel=####&aid...
- g####.####.com/cr/sdk/goplaysdk_statistics_method.dat
- m####.####.com/monitor/settings/?_test=####&iid=####&device_id=####&ac=#...
- s####.####.com/thumb/2200/2918096063
- i####.####.com/service/1/app_activity/?view_cursor=####&iid=####&device_...
- i####.####.com/article/content/15/1/6403664898613576194/6403664898613576...
- i####.####.com/article/content/15/1/6412777076999667970/6412781920500843...
- s####.####.com/origin/3791/5070639578
- tou####.com/__utm.gif?account=ad_detect&event=pageInfo&html=0&interface=...
- p####.####.com/ttc/3541093/2017/0519/content_30923962_1.html
- i####.####.com/article/v1/tab_comments/?group_id=####&item_id=####&aggr_...
- s####.####.com/wenda/v1/answer/detail/6421824367126118657/?group_id=####...
- p####.####.com/article/content/15/1/6421803173975916801/6421807583597691...
- m####.####.com/monitor/settings/?ac=####&channel=####&aid=####&app_name=...
- s####.####.com/site/app_web_article_online_updates/5.5.0/android.zip
- p####.####.com/list/190x124/1a6b00103bf1599b9606.webp
- w####.####.cn/mmopen/NKkTUbVKQ0tiaaRXzgFW4hn3ZDLWLGHS0YxDficSROialIqkWYM...
- s####.####.com/large/1dcd001a4ec4645f31d8
- p####.####.com/article/content/15/1/6421780061100556546/6421783869988536...
- p####.####.com/article/content/15/1/6421818982415728897/6421818982415728...
- q####.####.cn/qqapp/100290348/FDD86908CA8655F3909FC238EE3261BF/100
- w####.####.cn/mmopen/NKkTUbVKQ0vpib52elyzpeH07VMyQg00zvxK9ULVlQyKuA5b0Ho...
- i####.####.com/article/content/15/1/6421675979316855041/6421678160051438...
- i####.####.com/2/article/city/?ac=####&channel=####&aid=####&app_name=##...
- i####.####.com/push/get_service_addrs/?iid=####&device_id=####&ac=####&c...
- s####.####.com/list/190x124/216d00175ba0bcf33dd0.webp
- s####.####.com/image/avatar.png
- m####.####.com/monitor/appmonitor/v1/settings?iid=####&device_id=####&ac...
- s####.####.com/thumb/1dcd001a4ec4645f31d8
- s####.####.com/site/download/plugin_patch/plugin/c346702aec1b91fbbc081bf...
- p####.####.com/article/content/15/1/6421824367126118657/6421824367126118...
- i####.####.com/entry/subscription_list/v1/?req_type=####&iid=####&device...
- s####.####.com/site/promotion/misc/whitelist.json?v=####&iid=####&device...
- s####.####.com/list/190x124/216d001748c8e4411e87.webp
- i####.####.com/promotion/app/lt/?ac=####&channel=####&aid=####&app_name=...
- p####.####.com/article/content/15/1/6420006446838907138/6420011662266335...
- p####.####.com/list/640x360/1a9b00017050c5d8408c
- s####.####.com/service/2/app_alert/?has_market=####&lang=####&carrier=##...
- s####.####.com/collect/applog/v3/settings/?ac=####&channel=####&aid=####...
- p####.####.com/list/190x124/1dcd00021799f7f12f99.webp
- s####.####.com/list/190x124/1d2b00014fac93da7b35.webp
- b####.####.com/app/config?os=####&key=####&sdkv=####
Запросы HTTP POST:
- api####.####.com/v3/log/init
- g####.####.com/cr/sv/getEPList
- i####.####.com/location/suloin/?ac=####&channel=####&aid=####&app_name=#...
- i####.####.com/service/1/collect_settings/?iid=####&device_id=####&ac=##...
- i####.####.com/api/news/feed/v48/?ac=####&channel=####&aid=####&app_name...
- s####.####.com/service/2/app_log_config/?iid=####&device_id=####&ac=####...
- o####.####.com/v2/check_config_update
- o####.####.com/v2/get_update_time
- i####.####.com/service/1/z_app_stats/?iid=####&device_id=####&ac=####&ch...
- i####.####.com/service/1/collect_settings/?ac=####&channel=####&aid=####...
- i####.####.com/article/category/get_subscribed/v1/?ac=####&channel=####&...
- a####.####.com/app_logs
- i####.####.com/service/1/refresh_ad/?iid=####&device_id=####&ac=####&cha...
- i####.####.com/article/category/sort/v1/?ac=####&channel=####&aid=####&a...
- s####.####.com/service/2/app_log_config/?ac=####&channel=####&aid=####&a...
- d####.####.com/xs.gif?k=####&iv=####&c=####&dm=####&ac=####&s=####
- i####.####.com/wenda/v1/answer/information?wd_version=####&iid=####&devi...
- i####.####.com/api/news/feed/v48/?iid=####&device_id=####&ac=####&channe...
- i####.####.com/service/14/app_ad/?_unused=####&carrier=####&mcc_mnc=####...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/XmSmLockFile.txt
- <Package Folder>/cache/load_dex.tmp
- /data/anr/traces.txt
- <Package Folder>/PreExcuModsInfo.txt
- <Package Folder>/ReadyHost.txt
- <Package Folder>/app_file_dex/MasterControl.jar
Другие:
Запускает следующие shell-скрипты:
- getenforce
- sh <Package Folder>/files/us.Z91Jq8SaPlAkInK9zjXm2oxZC93qh -h c48756b39e9e402ca3e1026d88799eaa <Package Folder>/.syslib-
- /data/data/####/files/us.Z91Jq8SaPlAkInK9zjXm2oxZC93qh -h c48756b39e9e402ca3e1026d88799eaa /data/data/####/.syslib-
- chmod 0771 <Package Folder>/.syslib-
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.eu0M3PDZaI1fLgXyMuA7R9085WS3E > /dev/null 2>&1
- getprop persist.vivo.multiwindow
- /data/data/####/files/us.0ZG02z2aX3JN10Ds04j2UXGuxFS6I -h c48756b39e9e402ca3e1026d88799eaa /data/data/####/.syslib-
- getprop persist.vivo.multiwindow_active
- /data/data/####/lib/libsupervisor.so #### com.ss.android.message.NotifyService ####:push /data/data/#### 0
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/GLO6G3IaT.jar > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.0ZG02z2aX3JN10Ds04j2UXGuxFS6I > /dev/null 2>&1
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/GLO6G3IaT.dex > /dev/null 2>&1
- /data/data/####/files/us.GLO6G3IaThvDZ0daU8RIih847lsk4 -h c48756b39e9e402ca3e1026d88799eaa /data/data/####/.syslib-
- chmod 0771 /data/data/####/.syslib-
- sh <Package Folder>/files/us.GLO6G3IaThvDZ0daU8RIih847lsk4 -h c48756b39e9e402ca3e1026d88799eaa <Package Folder>/.syslib-
- sh <Package Folder>/files/us.eu0M3PDZaI1fLgXyMuA7R9085WS3E -h c48756b39e9e402ca3e1026d88799eaa <Package Folder>/.syslib-
- <error:2>
- sh <Package Folder>/files/us.0ZG02z2aX3JN10Ds04j2UXGuxFS6I -h c48756b39e9e402ca3e1026d88799eaa <Package Folder>/.syslib-
- getprop ro.build.version.emui
- <dexopt>
- /data/data/####/files/us.eu0M3PDZaI1fLgXyMuA7R9085WS3E -h c48756b39e9e402ca3e1026d88799eaa /data/data/####/.syslib-
Может автоматически отправлять СМС-сообщения.
