Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.333.origin
- Android.Sprovider.6.origin
- Android.Backdoor.336.origin
- Android.Xiny.10.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Backdoor.336.origin
Сетевая активность:
Подключается к:
- s####.####.com
- a####.####.in
- xasw####.com
- r####.####.com
- d####.####.com
- e####.####.com
- apm-col####.####.com
- 00####.com
- m####.####.COM
- l####.####.net
- a####.####.com
- 00####.com:61070
Запросы HTTP GET:
- a####.####.in/upload/update/blue_3.7.0.png
- a####.####.com/search.php?adnum=####&os=####&ngp=####&aid=####&sid=####&...
- e####.####.com/thinking/group/exp
- xasw####.com/Dev1ceTest/C_Nform_default_ghx_1.5.0.png
- d####.####.com/thinking/group/rtt_0511_669.apk
Запросы HTTP POST:
- 00####.com/wall/9apps/version
- a####.####.in/l.php
- m####.####.COM/gcview/api/910
- r####.####.com/b/?version=####&publisherid=####&app_id=####&slotid=####&...
- m####.####.COM/pmsg/api/20
- a####.####.com/app_logs
- apm-col####.####.com/cpi/crash
- l####.####.net/gkview/info/601
- s####.####.com/ggview/rsddateindex
- 00####.com/wall/version/version.pb
- m####.####.COM/errorview/api/601
- 00####.com:61070/wall/9apps/version
- a####.####.com/oversea_adjust_and_download_write_redis/notify/download/app
- a####.####.in/r.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_tmp_down/t.tmp
- <Package Folder>/files/.snow/.ir
- <Package Folder>/shared_prefs/<Package>.prefs.xml.bak
- <Package Folder>/shared_prefs/gfprf.xml
- <Package Folder>/databases/city.db
- <Package Folder>/files/cpf/cpf.txt
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/tx_shell/libshella-0.0.2.so
- <Package Folder>/files/.imprint
- <Package Folder>/databases/crashannals.db
- <Package Folder>/files/32d0c3764a75d854745f1d868f8081e3.data
- <Package Folder>/files/.snow/busybox
- <Package Folder>/files/.snow/exp
- <Package Folder>/shared_prefs/com.android.ad.prefs.xml
- <Package Folder>/files/.snow/.dico.apk
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/databases/3c273cb385cbaa6e1599215a5319a036.db-journal
- <Package Folder>/files/.snow/.zip/mkdevsh
- <Package Folder>/theme/clock
- <Package Folder>/files/.snow/.client
- <Package Folder>/files/.snow/.catr.apk
- <Package Folder>/files/.snow/.uks
- <Package Folder>/files/.snow/.dg
- <Package Folder>/shared_prefs/<Package>.prefs.xml
- <Package Folder>/files/.snow/checkFile13
- <Package Folder>/files/.snow/supolicy
- <Package Folder>/files/.snow/.uok
- <Package Folder>/shared_prefs/com.andorid.plugin.prefs.xml
- <Package Folder>/files/.snow/checkFile0
- <Package Folder>/files/.androidod/ac.jar
- <Package Folder>/files/.snow/.ukd
- <Package Folder>/databases/shuffle.db-journal
- <Package Folder>/files/.androidod/ac.jar.a
- <Package Folder>/files/.snow/.dsmt.apk
- <Package Folder>/shared_prefs/moertry.xml
- <Package Folder>/shared_prefs/gpac.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/files/.snow/myshell
- <Package Folder>/ifbdaemon
- <Package Folder>/files/.work/postroot.sh
- <Package Folder>/files/.snow/.dlsb.apk
- <Package Folder>/databases/gpab.db
- <Package Folder>/files/mobclick_agent_cached_<Package>42
- <Package Folder>/files/mylala/.p.apk
- <Package Folder>/app_ttmp/t.jar
- <Package Folder>/files/.snow/.service
- <Package Folder>/databases/city.db-journal
- <Package Folder>/shared_prefs/com.android.update.prefs.xml.bak
- <Package Folder>/shared_prefs/com.android.update.prefs.xml
- <Package Folder>/databases/<Package>b-journal
- <Package Folder>/databases/crashannals.db-journal
- <Package Folder>/files/wddex.jar
- <Package Folder>/files/.snow/a.xml
- <Package Folder>/shared_prefs/<Package>s.xml
- <Package Folder>/app_sgdex/dos.jar
- <Package Folder>/files/.snow/.dlme.apk
- <Package Folder>/databases/gpab.db-journal
- <Package Folder>/files/.snow/b.png
- <Package Folder>/shared_prefs/apache.httptaskinfo.prefs.xml
- <Package Folder>/files/mylala/32d0c3764a75d854745f1d868f8081e3.data.temp
- <Package Folder>/files/.snow/.zip/r1
- <Package Folder>/files/.snow/.zip/r4
- <Package Folder>/shared_prefs/gfprf.xml.bak
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/.snow/.zip/r3
- <Package Folder>/files/.snow/.zip/r2
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/.snow/.zip/rsh
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/.snow/.center.tapk
- <Package Folder>/files/org.apache.http2.tmp
- <Package Folder>/files/.snow/.zip/rt8
- <Package Folder>/shared_prefs/TestinCrash.xml
Другие:
Запускает следующие shell-скрипты:
- chown 0.0 /system/bin/.author
- app_process /system/bin com.android.commands.pm.Pm disable org.app.info.grate
- mount -o remount,rw /system
- chown 0.0 /system/xbin/.rainin
- mount -o remount,ro /system
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- chmod 777 <Package Folder>/files/.snow/a.xml
- chmod 777 <Package Folder>/files/.snow/.zip/rsh
- chmod 777 <Package Folder>/files/.snow/.ukd
- chcon u:object_r:system_file:s0 /system/bin/debuggerd
- chown 0.0 /system/app/Banner.apk
- chmod 777 <Package Folder>/files/.snow/.uks
- chmod 777 <Package Folder>/files/.snow/.zip/rt8
- chown 0:0 /system/app/oneshs.apk
- mount -o remount ro /system
- /data/data/####/files/.snow/exp /data/data/####/files/.snow /data/data/####/files/.work
- app_process /system/bin com.android.commands.pm.Pm disable com.example.gpsdk
- chmod 777 <Package Folder>/files/.snow/exp
- /system/bin/app_process /system/bin com.android.commands.am.Am start -n com.android.settings/com.android.settings.cyanogenmod.superuser.RequestActivity --es socket /dev/com.android.settings/.socket2176 --user 0
- chown 0:0 /system/app/Dingps.apk
- mount -ro remount,ro /system
- chcon u:object_r:system_file:s0 /system/xbin/.ci.pm
- chcon u:object_r:system_file:s0 /system/xbin/supolicy
- app_process /system/bin com.android.commands.pm.Pm disable com.fly.me.ssp.be
- chmod 777 <Package Folder>/files/.snow/.zip/
- chown 0.0 /system/app/smalin.apk
- chown 0:0 /system/xbin/.cp
- chown 0.0 /system/app/Lowerp.apk
- chown 0.0 /system/app/Dingps.apk
- chcon u:object_r:system_file:s0 /system/bin/.author
- app_process /system/bin com.android.commands.pm.Pm disable com.android.tools.receiver
- chown 0.0 /data/local/tmp/busybox
- chmod 700 /data/data/####/tx_shell/libshella-0.0.2.so
- mount -wo remount rw /system
- app_process /system/bin com.android.commands.pm.Pm disable com.android.upon.hash
- chown 0:0 /system/xbin/.ci.pm
- chown 0:0 /system/app/smalin.apk
- app_process /system/bin com.android.commands.pm.Pm disable com.setting.dysdtool
- <Package Folder>/ifbdaemon <Package> <Package>.widget.AnalogClockService 10 0
- <error:2>
- chown 0.0 /system/app/Treese.apk
- app_process /system/bin com.android.commands.pm.Pm enable org.app.info.grate
- chmod 777 <Package Folder>/ifbdaemon
- /system/bin/sh
- chown 0:0 /system/app/Treese.apk
- app_process /system/bin com.android.commands.pm.Pm enable com.example.gpsdk
- app_process /system/bin com.android.commands.pm.Pm enable com.android.upon.hash
- chmod 777 <Package Folder>/files/.snow/.uok
- /system/bin/app_process /system/bin com.android.commands.am.Am broadcast -n com.android.settings/com.android.settings.cyanogenmod.superuser.SuReceiver --ei binary_version 16 --es from_name u0_a44 --es desired_name --ei uid 10044 --ei desired_uid 0 --es c
- chcon u:object_r:system_file:s0 /system/xbin/.rainin
- chown 0:0 /data/local/tmp/busybox
- chown 0:0 /system/lib/libsoon.so
- getprop ro.build.version.sdk
- chown 0.0 /system/xbin/supolicy
- chmod 777 <Package Folder>/files/.snow/.dg
- sh <Package Folder>/files/.snow/exp <Package Folder>/files/.snow <Package Folder>/files/.work
- chown 0:0 /system/app/Lowerp.apk
- chown 0.0 /system/bin/debuggerd
- chmod 777 <Package Folder>/files/.snow/.zip/r1
- chmod 777 <Package Folder>/files/.snow/.zip/r3
- chmod 777 <Package Folder>/files/.snow/.zip/r2
- chown 0.0 /system/app/oneshs.apk
- chmod 777 <Package Folder>/files/.snow/.zip/r4
- chmod 777 <Package Folder>/files/.snow/b.png
- chmod 700 <Package Folder>/tx_shell/libshella-0.0.2.so
- chown 0.0 /system/xbin/.cp
- /system/bin/app_process /system/bin com.android.commands.am.Am start -n com.android.settings/com.android.settings.cyanogenmod.superuser.RequestActivity --es socket /dev/com.android.settings/.socket2183 --user 0
- df /system
- chown 0:0 /system/xbin/.rainin
- app_process /system/bin com.android.commands.pm.Pm enable com.setting.dysdtool
- chown 0:0 /system/bin/.author
- chown 0.0 /system/xbin/.ci.pm
- getprop ro.build.version.release
- getprop
- chown 0:0 /system/bin/debuggerd
- chcon u:object_r:system_file:s0 /system/xbin/.cp
- chcon u:object_r:system_file:s0 /system/lib/libsoon.so
- app_process /system/bin com.android.commands.pm.Pm enable com.fly.me.ssp.be
- rm /system/bin/debuggerd
- id
- sh
- app_process /system/bin com.android.commands.pm.Pm enable com.android.tools.receiver
- chown 0.0 /data/local/tmp/.catr.apk
- chmod 777 <Package Folder>/files/.snow/supolicy
- chown 0:0 /system/xbin/supolicy
- chmod 777 <Package Folder>/files/.snow/.service
- chmod 777 <Package Folder>/files/.work/postroot.sh
- chown 0:0 /data/local/tmp/.catr.apk
- mount -ro remount ro /system
- chmod 777 <Package Folder>/files/.snow/busybox
- chmod 777 <Package Folder>/files/.snow/.zip/mkdevsh
- mount -wo remount,rw /system
- mount -o remount rw /system
- chmod 777 <Package Folder>/files/.snow/myshell
- chown 0.0 /system/lib/libsoon.so
- su
- chmod 777 <Package Folder>/files/.snow/.catr.apk
- /system/bin/sh ./mkdevsh
- <dexopt>
- chown 0:0 /system/app/Banner.apk
Использует повышенные привилегии.
Использует специальную библиотеку для скрытия исполняемого байткода.
Может автоматически отправлять СМС-сообщения.
