Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.433.origin
- Android.DownLoader.552.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Backdoor.433.origin
- Android.DownLoader.552.origin
Сетевая активность:
Подключается к:
- t####.####.com
- v####.####.com
- 1####.####.189:9090
- panda####.####.com
- p####.####.com
- r####.####.com
- c####.####.com
- a####.####.cn
- p####.####.cn
- t####.####.cn
- c####.####.cn
Запросы HTTP GET:
- c####.####.cn/timg?v####&size=####&quality=####&imgtype=####&e####&sec=#...
- t####.####.cn/ggjc/update/20131204/af65d53c190ab1cdddcfdecf09f70f25-2013...
- p####.####.cn/gdt/0/DAAAHWeAUAALQAAyBZAbMrAuJDcEsJ.jpg/0?ck=####
- t####.####.com/dxbb/checkmissdb?mdbv=####&cv=####&model=####&is=####&sig...
- panda####.####.com/soft/download.aspx?Identifier=####&sp=####&mt=####&tf...
- v####.####.com/gdt_stats.fcg?count=####&viewid0=####
- r####.####.com/rbreszy/theme/tpbapp/2017/04/14/24b9ed3d08fc4dbda67120965...
- panda####.####.com/commonuse/clientconfig.ashx?cname=####&ver=####
- c####.####.com/s?v####
- p####.####.cn/gdt/0/DAAM4rWAUAALQABDBY90SeBvp4j5ht.jpg/0?ck=####
- 1####.####.189:9090/ad2016/ad/getAdconfnew
- p####.####.cn/gdt/0/DAAM4rWAUAALQABWBYzS6mBgN5hadM.jpg/0?ck=####
- p####.####.cn/gdt/0/DAAPSWkAUAALQABaBZL4PeDPNt1IVR.jpg/0?ck=####
- p####.####.cn/gdt/0/DAAAHWeAUAALQAA_BZAGlsDIfJXVEO.jpg/0?ck=####
- t####.####.com/cu?model=####&is=####&signmd5=####&op=####&vendor=####&lo...
- t####.####.com/dxbb/2.0/user?model=####&is=####&signmd5=####&op=####&ven...
- a####.####.cn/v2/forward/imp/ch/42?version=####&sspaid=####&sid=####&gui...
- p####.####.com/c/1496213119078
- t####.####.cn/ggjc/update/20170504/758b466441984aad58a984f36b42c183-2017...
Запросы HTTP POST:
- p####.####.com/t/1496213151017
- t####.####.com/api/tokens?tk=####&sv=####
- panda####.####.com/api2.ashx
- p####.####.com/t/1496213146170
- p####.####.com/t/1496213127031
- p####.####.com/t/1496213132057
- panda####.####.com/action.ashx/distributeaction/5036
- p####.####.com/t/1496213122766
- p####.####.com/t/1496213139331
- p####.####.com/t/1496213133016
- p####.####.com/t/1496213149527
- p####.####.com/t/1496213138407
- p####.####.com/t/1496213128616
- p####.####.com/t/1496213145236
- t####.####.com/checkRG.php
- p####.####.com/p/1496213119358
- t####.####.com/api/data?token=####&tk=####&sv=####
- p####.####.com/s/
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/files/channel.ini
- <Package Folder>/files/antispam_update/antispam_profiles.db
- <Package Folder>/databases/z-journal
- <Package Folder>/databases/sk-journal
- <Package Folder>/databases/ndcontacts_plugin.db-journal
- <Package Folder>/shared_prefs/antispam_settings.xml
- <Package Folder>/databases/myphone.db-journal
- <Package Folder>/shared_prefs/h.xml
- <Package Folder>/databases/91analytics_v4.db-journal
- <Package Folder>/databases/al_events.db-journal
- <Package Folder>/shared_prefs/ye_db_configs.xml
- <Package Folder>/shared_prefs/SP_CACHE.xml
- <Package Folder>/shared_prefs/rt.xml
- <Package Folder>/databases/91analytics_v4.db
- <Package Folder>/app_ye_download/db_antispam_profiles
- <Package Folder>/databases/d
- <Package Folder>/files/achieve_info
- <Package Folder>/databases/i
- <Package Folder>/files/ye_antispam/ye_model.db
- <Package Folder>/shared_prefs/SP_ShareData.xml
- <Package Folder>/shared_prefs/ye_db_configs.xml.bak
- <Package Folder>/shared_prefs/i.xml
- <Package Folder>/databases/z
- <Package Folder>/databases/sk
- <Package Folder>/shared_prefs/ad_check_dx.xml
- <Package Folder>/shared_prefs/91Analytics_Config.xml.bak
- <Package Folder>/databases/ndcontacts.db
- <Package Folder>/shared_prefs/91Analytics_Relay_Session.xml
- <Package Folder>/databases/d-journal
- <Package Folder>/databases/ndcontact_interceptor.db-journal
- <Package Folder>/cache/timg?vsapp&size=b800_800&quality=100&imgtype=3&er&sec=0&di=fb20ce56177cda5f8eb5a96a2b23cc9b&ref=http%3A%2F%2Fd.hiphotos.bdimg.com&src=http%3A%2F%2Fd.hiphotos.bdimg.com%2Fwisegame%2Fpic%2Fitem%2F604f78f0f736afc35aa26306b919ebc4b7451222.jpg
- <Package Folder>/databases/myphone.db
- <Package Folder>/files/licidl
- <Package Folder>/shared_prefs/newDotData.xml
- <Package Folder>/shared_prefs/adsdk.xml
- <Package Folder>/databases/ndcontacts.db-journal
- <Package Folder>/shared_prefs/91Analytics_Config.xml
- <Package Folder>/databases/commonnumber1.2
- <Package Folder>/shared_prefs/rg_sp_cache.xml.bak
- <Package Folder>/databases/commonnumber1.2-journal
- <Package Folder>/shared_prefs/rg_sp_cache.xml
- <Package Folder>/databases/antispam.db-journal
- <Package Folder>/app_ushbwf/50E75C76140ACCF755AB6D12F6805C1E.jar.tmp
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/shared_prefs/newDotDateVersion.xml
- <Package Folder>/shared_prefs/utils.xml
- <Package Folder>/shared_prefs/SP_CACHE.xml.bak
- <Package Folder>/shared_prefs/first_pref.xml
- <Package Folder>/shared_prefs/antispam_settings.xml.bak
- <Package Folder>/shared_prefs/adsdk.xml.bak
- <Package Folder>/shared_prefs/d.xml
- <Package Folder>/databases/i-journal
- <Package Folder>/shared_prefs/LocalService.xml
- <Package Folder>/app_ye_download/db_antispam_keywords
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/block/mmcblk1/device/cid
- /system/bin/cat /sys/block/mmcblk2/device/cid
- /system/bin/cat /sys/block/mmcblk0/device/cid
- /system/bin/cat /sys/block/mmcblk3/device/cid
- /system/bin/cat /proc/meminfo
- <dexopt>
Может автоматически отправлять СМС-сообщения.
