Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Mixi.16.origin
Сетевая активность:
Подключается к:
- s####.####.com
- g####.####.com
- 6####.####.117
- i####.####.com
- o####.####.com
- s####.####.cn
- p####.####.com
- d####.####.com
- api####.####.com
- 1####.####.225
- m####.####.com
- a####.####.com
- b####.####.com
Запросы HTTP GET:
- s####.####.com/site/download/app/pl/news_article/112/ss_plugin_config.js...
- s####.####.com/toutiao/resource/media-profile/static/styles/media/media_...
- 6####.####.117/collect?t=####&tid=####&cid=####&gid=####&v=####&cav=####...
- i####.####.com/promotion/app/lt/?ac=####&channel=####&aid=####&app_name=...
- s####.####.com/toutiao/resource/media-profile/static/images/media/new_mo...
- s####.####.com/2/user/info/?ac=####&channel=####&aid=####&app_name=####&...
- s####.####.com/toutiao/resource/tt_search/page/concern/swipe_3dffcb3.js
- s####.####.com/toutiao/resource/media-profile/static/images/media/loadin...
- s####.####.com/toutiao/resource/tt_search/static/js/lib/common_f64cdb7.js
- s####.####.com/site/download/app/apk/news_article/app_replaceable_images...
- s####.####.com/cr/sdk/170417/des_V17041703Aj1so32.zip
- s####.####.com/toutiao/resource/media-profile/static/scripts/media/media...
- s####.####.com/site/app_web_article_online_updates/android_78_9f31415947...
- s####.####.com/large/1011/6063208041
- s####.####.cn/ta/resource/v0/analytics.js?v=####
- s####.####.com/thumb/22b40006aa1496ef8ac8
- s####.####.com/medium/4306/2602403105
- s####.####.com/toutiao/resource/media-profile/static/images/media/defaul...
- s####.####.com/large/1392/6409633704
- s####.####.com/large/3658/7378365093
- s####.####.com/site/download/plugin_patch/plugin/c346702aec1b91fbbc081bf...
- s####.####.com/thumb/4306/2602403105
- s####.####.com/thumb/96a00278d7bf9c57bb2
- s####.####.com/large/3242/3641311082
- s####.####.com/toutiao/resource/media-profile/static/images/media/u1_pla...
- s####.####.com/toutiao/resource/tt_search/page/concern/concern_bd53e6b.js
- g####.####.com/cr/sv/getGoFile?name=####
- i####.####.com/api/news/feed/v50/?category=####&refer=####&count=####&li...
- i####.####.com/entry/list/v1/?iid=####&device_id=####&ac=####&channel=##...
- s####.####.com/origin/bc30011684fa86d4b71
- p####.####.com/video1609/22c900011438887e5c65
- s####.####.com/inapp/log/combine.js
- p####.####.com/thumb/22370007e834f4aa23ef
- s####.####.com/toutiao/resource/media-profile/static/images/media/newtou...
- s####.####.com/toutiao/resource/media-profile/static/images/media/commen...
- s####.####.com/inapp/TTAdblock.css
- p####.####.com/large/6cb0003068f5da06941
- i####.####.com/user/tab/tabs/?ac=####&channel=####&aid=####&app_name=###...
- s####.####.com/large/4120015a143b8e04d88
- p####.####.com/thumb/22370007be2cb1afdb30
- p####.####.com/large/1dcd0002ad7052805d1c
- i####.####.com/2/user/profile/v3/?media_id=####&to_html=####&source=####...
- s####.####.com/feedback/2/list/?appkey=####&count=####&ac=####&channel=#...
- s####.####.com/large/10874/6434619675
- s####.####.com/toutiao/resource/media-profile/static/images/media/All_ne...
- s####.####.com/article/content/15/1/6423209317406736642/6423211141488443...
- s####.####.com/inapp/toutiao.js
- s####.####.com/toutiao/tt_tps/static/scripts/psetting.js?_t=####
- m####.####.com/monitor/appmonitor/v2/settings?iid=####&device_id=####&ac...
- s####.####.com/site/download/app/hijack/108/black_list_20170331.json?iid...
- s####.####.com/__utm.gif?startedon=####&method=####&url=####&completedon...
- s####.####.com/service/2/app_notify/?allow_notify=####&leave_time=####&i...
- p####.####.com/large/97d001bf3f3cba72913
- s####.####.com/thumb/3658/7378365093
- i####.####.com/search/suggest/homepage_suggest/?ac=####&channel=####&aid...
- s####.####.com/large/4306/2602403105
- m####.####.com/monitor/settings/?ac=####&channel=####&aid=####&app_name=...
- p####.####.com/large/1544/8486448112
- p####.####.com/origin/2177000311f554b60aea
- g####.####.com/cr/sv/getRecord?eids=####&appKey=####&flag=####
- p####.####.com/large/bc20000b91968707dab
- s####.####.com/toutiao/resource/media-profile/static/images/media/down_r...
- s####.####.com/large/150c0002ddeb1547e329
- s####.####.com/toutiao/resource/media-profile/static/images/media/all_ne...
- s####.####.com/cr/sdk/170417/goplaysdk_statistics_all_1704171.dat
- s####.####.com/toutiao/resource/tt_search/page/concern/concern_e64197c.png
- s####.####.com/toutiao/resource/media-profile/static/images/media/repost...
- s####.####.com/service/2/app_alert/?has_market=####&lang=####&carrier=##...
- i####.####.com/2/article/hot_words/?ac=####&channel=####&aid=####&app_na...
- s####.####.com/large/2330/5877770091
- d####.####.com/get_domains/v4/?ac=####&channel=####&aid=####&app_name=##...
- i####.####.com/concern/v2/follow/list/?plugin_info=####&iid=####&device_...
- s####.####.com/site/promotion/misc/whitelist.json?v=####&iid=####&device...
- b####.####.com/app/config?os=####&key=####&sdkv=####
- i####.####.com/follow/update/tips/?update_time=####&update_version=####&...
- s####.####.com/toutiao/resource/media-profile/static/images/media/white_...
- p####.####.com/large/18a400112cb3ea178df2
- s####.####.com/video1609/213c00053d8ea77a2fa9
- s####.####.com/inapp/TTAdblock.js?__v=####
- s####.####.com/large/5200/4434387833
- i####.####.com/dongtai/list/v10/?user_id=####&api_version=####&device_id...
- s####.####.com/toutiao/resource/media-profile/static/images/media/digup_...
- s####.####.com/toutiao/resource/media-profile/static/scripts/lib/zepto_c...
- i####.####.com/push/get_service_addrs/?iid=####&device_id=####&ac=####&c...
- i####.####.com/2/article/city/?ac=####&channel=####&aid=####&app_name=##...
- s####.####.com/article/content/15/1/6423126557249765890/6423150897857036...
- i####.####.com/user/tab/tabs/?iid=####&device_id=####&ac=####&channel=##...
- s####.####.com/toutiao/resource/tt_search/static/js/lib/zepto-1.1.6.min_...
- p####.####.com/thumb/20860011ac64fa23b4ec
- i####.####.com/service/1/app_activity/?view_cursor=####&ac=####&channel=...
- i####.####.com/video_api/get_category/v1/?iid=####&device_id=####&ac=###...
- i####.####.com/entry/subscription_list/v1/?req_type=####&ac=####&channel...
- s####.####.com/__utm.gif?screen=####&dpr=####&net_type=####&iframes=####...
Запросы HTTP POST:
- i####.####.com/api/ad/comment/v1/?ac=####&channel=####&aid=####&app_name...
- api####.####.com/v3/log/init
- g####.####.com/cr/sv/getEPList
- i####.####.com/service/2/app_log_config/?iid=####&device_id=####&ac=####...
- i####.####.com/service/14/app_ad/?_unused=####&carrier=####&mcc_mnc=####...
- i####.####.com/article/category/sort/v1/?ac=####&channel=####&aid=####&a...
- o####.####.com/v2/check_config_update
- i####.####.com/service/1/collect_settings/?ac=####&channel=####&aid=####...
- o####.####.com/v2/get_update_time
- i####.####.com/service/1/z_app_stats/?iid=####&device_id=####&ac=####&ch...
- i####.####.com/api/news/feed/v50/?ac=####&channel=####&aid=####&app_name...
- i####.####.com/service/1/refresh_ad/?ac=####&channel=####&aid=####&app_n...
- i####.####.com/article/category/get_subscribed/v1/?ac=####&channel=####&...
- a####.####.com/app_logs
- 1####.####.225/dreport
- i####.####.com/api/ad/share/v1/?ac=####&channel=####&aid=####&app_name=#...
- s####.####.com/service/2/app_log_config/?ac=####&channel=####&aid=####&a...
- d####.####.com/xs.gif?k=####&iv=####&c=####&dm=####&ac=####&s=####
- i####.####.com/location/suloin/?ac=####&channel=####&aid=####&app_name=#...
- i####.####.com/service/1/collect_settings/?iid=####&device_id=####&ac=##...
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/XmSmLockFile.txt
- <Package Folder>/databases/MessageStore.db-journal
- <Package Folder>/ReadyHost.txt
- <Package Folder>/databases/MsgLogStore.db-journal
- <Package Folder>/app_file_dex/MasterControl.jar
Другие:
Запускает следующие shell-скрипты:
- sh <Package Folder>/lib/libsupervisor.so <Package> com.ss.android.message.NotifyService <Package>:push <Package Folder> 0
- getenforce
- sh -c rm <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- chmod 0771 <Package Folder>/.syslib-
- getprop persist.vivo.multiwindow
- getprop persist.vivo.multiwindow_active
- /data/data/####/lib/libsupervisor.so #### com.ss.android.message.NotifyService ####:push /data/data/#### 0
- sh -c rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- rm -f <Package Folder>/files/hftJcw46N.jar
- rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- rm -f <Package Folder>/files/hftJcw46N.dex
- /data/data/####/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h c48756b39e9e402ca3e1026d88799eaa /data/data/####/.syslib-
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- sh -c rm -f <Package Folder>/files/hftJcw46N.jar > /dev/null 2>&1
- chmod 0771 /data/data/####/.syslib-
- sh <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s -h c48756b39e9e402ca3e1026d88799eaa <Package Folder>/.syslib-
- rm <Package Folder>/files/hftJcw46N.jar
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s
- sh -c rm <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- rm <Package Folder>/files/hftJcw46N.dex
- <error:2>
- sh -c /system/usr/toolbox rm -f <Package Folder>/files/us.908GhK3z1XIE6J7u3B4nRKlfEI88s > /dev/null 2>&1
- sh -c rm <Package Folder>/files/hftJcw46N.dex > /dev/null 2>&1
- getprop ro.build.version.emui
- <dexopt>
Может автоматически отправлять СМС-сообщения.
