Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.178
- Android.Triada.155.origin
Отправляет данные получаемых СМС-сообщений на удалённый хост.
Сетевая активность:
Подключается к:
- huangda####.com
- 1####.####.34:19000
- i####.####.com
- 1####.####.57:10001
- c####.####.com
- a####.####.com
Запросы HTTP GET:
- i####.####.com/ando-res/ads/30/14/f15541de-b7bd-4ff9-97fb-9e6cc9e4e044/0...
- i####.####.com/ando-res/m/fUuctJnkGSxsEOC6TaFXT4moCtSmKHc5drsBHRgzJD7z6Q...
- i####.####.com/ando-res/ads/30/14/f15541de-b7bd-4ff9-97fb-9e6cc9e4e044/3...
- a####.####.com/ando/i/mon?k=####&d=####
- 1####.####.57:10001/v1/order/get?phone=####&imei=####&sdk_version=####&c...
- i####.####.com/ando-res/m/hQFsvuTOjQG2grLU8T2VCshw4jkuJadBny-GDQ
- i####.####.com/ando-res/ads/4/5/d73ab4a4-4c75-43a7-a3c9-5bdabd9437c8/6ae...
- huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
- c####.####.com/json/1061_block.json
- i####.####.com/ando-res/ads/13/23/bc4dd2ed-0d19-49bd-ad99-f8d032103d54/8...
- i####.####.com/ando-res/ads/4/5/d73ab4a4-4c75-43a7-a3c9-5bdabd9437c8/d26...
- huangda####.com/active!activeLog.action?provider=####&clickId=####&manu=...
Запросы HTTP POST:
- 1####.####.34:19000/v2/chis
- huangda####.com/shop/shop_upload_log
- a####.####.com/ando/x/req?app_id=####&r=####
- a####.####.com/ando/x/liv?app_id=f3208725-7012-4a02-b200-5313e98d60a0&r=...
- a####.####.com/ando/x/lis?app_id=####&r=####
- huangda####.com/mobilepay/v2/getPayInfoListX2.do
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/7fb05a25-1279-44f0-a3c0-5c63447c0332.res.temp
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/SvfZ9agPvJGSBbcXkLYlsQ==/dj2U6olmE1zE1KItWNkWzKnhbKHJYWL7
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/FqRwnLZzgFhAFixUIwOzsH5sGms=.new
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/bL3Y1-koAQ8pyJ_1jLFKAg==.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/DfhrrCfCrdHM1dKTcXQe3SKXv5Ema2si.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/7TPKSyPjUP3eU_tk-dYtd1qknDGhBrvX4zSm3z5Cu1o=.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/hdrqbSsFtU8Qd8I1y12ec3FkD2_24RCN.new
- <Package Folder>/databases/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_24qRbqiSsGC969kvNB2HTA==-journal
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/0c529d61-7991-4057-9d02-d7ab4dc52667.res.temp
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/EVQHYARrXC4iYiY_iNV0I8oP1LH2HDr9.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/Pphc_PGsiMyt92uGAF-iMb6ya5jwWMrx6AWyBA==.new
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/X4Xs00txFbbzCmSM.new
- <Package Folder>/databases/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_eYD5nP7YKfVtCnJuO7BmP7FtngY=-journal
- <Package Folder>/code-1401270/TiZu-PrtFspL0IXU
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/09LkY2nFz-ufMEWx/mu3h9jbT_L7g3JzI9siXuN8a54M3uj1a0WiVCA==
- <Package Folder>/EOZTzhVG.jar
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/zNBBmHHNqVfT0kqLgMygw13qwgH5mBtM.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/3e60fac9-a91a-42cb-ac53-f820df5c0169.res.temp
- <Package Folder>/files/q-6vQTfMWjf91wsxDJ0btw==/3ddaqg9j9FHEIt9TaX-bfTmBboU=
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/CtHKGNsBz0JaeUdpZJOMXA==.new
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/9wO0c1ShY-Jx9Ag3HT0M9Q==/uJExllZUjWbCdxdw
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/d34d38a0-a19c-4b88-91bb-1ee6a1252285.res.temp
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/9b63215d-1271-438c-9d64-48b490fef0ac.res.temp
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/26uBBzMdOaWgKkaiABJvNvTgstg=.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/w2GsAEIlmvdcBYAyI0EyyfTO9hk=.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/SvfZ9agPvJGSBbcXkLYlsQ==/dj2U6olmE1zE1KItWNkWzKnhbKHJYWL7.new
- <Package Folder>/databases/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_xPQ0_DguvBMsA_VL-journal
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/i2MRhaJH7eZMsvOgJ7d8wAINyTPjcqbg8j7JGId6clc=.new
- <Package Folder>/cache/webviewCacheChromium/index
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/ce202bfd-ca51-450c-90bb-100e21bef0f7.res.temp
- <Package Folder>/files/sbcnua_d/sbcnua_f.zip
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/IoHEHJGrA1ZGlQJMauwq7w==.new
- <Package Folder>/databases/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_eYD5nP7YKfVtCnJuO7BmP7FtngY=
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/isxvK5r9iIGG1biKTKiYHg==/data.dat.tmp
- <Package Folder>/databases/cc/cc.db-journal
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/-9cpx3fpphR5qEKo/X4Xs00txFbbzCmSM.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/J_yEJ7qH0XV0bwrnAb6Poqn4-Nk=.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/Bni2UFD1PmMQp5C9/QoPvUwPYupWyRG3eqHCc2n27YkQHO9QEdQL8V4gEFgA=
- <Package Folder>/files/.libs/libus.so
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/Ay4g8iVYP2V0UHJO182Kffj5rv0=.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/0A29pNkCwjTFBSlQincMAFH8jdMaetoaZtaa2g==.new
- <Package Folder>/shared_prefs/zzconfig.xml
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/AC2DQR0JjS2KzXlqslpeVA==.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/ob3z-Lznk3M7OI1M1OYsX6C9VsgNH9Eu.new
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/38cadf79-793e-417b-a24e-077971581709.res.temp
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/Ay4g8iVYP2V0UHJO182Kffj5rv0=
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/07668264-4f4b-44aa-8ad2-81e93acc4412.res.temp
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_x8kPq5lp8F45IaGh_app/lnA_3MSfPC3UiwsK62mTsg==/Yw3v1saWpu9XSHUI8jHSbCpaYJkesGI_.new
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_xPQ0_DguvBMsA_VL
- <Package Folder>/databases/cc/cc.db
- <Package Folder>/shared_prefs/twj.xml
- <Package Folder>/databases/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_lHFo6DJhoh2ivODY-journal
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/8K9HYNQDXG8hO5cv2FPHZd03uTOtCjOq.new
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/r9hHWkJCxOKztN2ukbb-3w==/runner_info.prop
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/VI3Tdb_mYPYYYnzG/TvCJMfyF85goUp1B/697a2760-19b7-4671-828b-c32bf20d1a18.res.temp
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/9wO0c1ShY-Jx9Ag3HT0M9Q==/jUR3FbbaB0JwPcLPDbMH1A==
- <Package Folder>/files/7p8RjbPZdRtJoLuRhuY6v05gZOSFlp9z/_VhB1ELGhfcBKzV4B_K-4Q==/a5rHLmz0TBnbhCT7.zip
- <Package Folder>/files/KbkgltqyxzLe-d_tKL2EOsFPgDOxY-V6_files/lnA_3MSfPC3UiwsK62mTsg==/tUAFnmiteUBGxoedXtdWBH-iO7N3OD2C8BETsA==.new
- <Package Folder>/cache/webviewCacheChromium/data_3
- <Package Folder>/cache/webviewCacheChromium/data_2
- <Package Folder>/cache/webviewCacheChromium/data_1
- <Package Folder>/cache/webviewCacheChromium/data_0
Другие:
Запускает следующие shell-скрипты:
- sh <Package Folder>/code-1401270/TiZu-PrtFspL0IXU <Package> com.hoxq.lpve.uwisuq.a.a.c.b /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M /storage/emulated/0/Download/ladung
- <dexopt>
- /data/data/####/code-1401270/TiZu-PrtFspL0IXU #### com.hoxq.lpve.uwisuq.a.a.c.b /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M /storage/emulated/0/Download/ladung
Может автоматически отправлять СМС-сообщения.
