Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.226.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.226.origin
Сетевая активность:
Подключается к:
- 6####.####.140
- and####.####.com
- and####.####.com:8077
Запросы HTTP POST:
- 6####.####.140/ando/v1/x/ap?app_id=####&r=####
- and####.####.com/record-plat/record/upload.do
- and####.####.com:8077/record-plat/seq/query.do
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_workbench09968/apk.zip
- <Package Folder>/app_workbench15494/apk.zip
- <Package Folder>/app_workbench65454/apk.zip
- <Package Folder>/app_workbench70980/apk.zip
- <Package Folder>/app_workbench87704/apk.zip
- <Package Folder>/app_workbench93230/apk.zip
- <Package Folder>/code-7101125/####/tzS4qUFLIArFqG4r.jar
- <Package Folder>/code-7101125/g7T7o2iWiidUYhjt
- <Package Folder>/databases/Data_sync.db-journal
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_6h_IuShAGECLC-DNFSp_IfZd1Js=
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_6h_IuShAGECLC-DNFSp_IfZd1Js=-journal
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_C8uPvyOZenzH2arN
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_C8uPvyOZenzH2arN-journal
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_RB1Ihq1ktkskw43JpOZwTg==
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_RB1Ihq1ktkskw43JpOZwTg==-journal
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_vNGFJ5bvPKE=-journal
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_zoTqY8bIr2GWSK2UKbrUeQ==
- <Package Folder>/databases/YYmGQx1jDI1jJzqZPBZDyFp65dt_3adt_zoTqY8bIr2GWSK2UKbrUeQ==-journal
- <Package Folder>/files/####/-Br4Zc-Dekd-vehdjP2Kk7rCPr8=
- <Package Folder>/files/####/-Br4Zc-Dekd-vehdjP2Kk7rCPr8=.new
- <Package Folder>/files/####/2o_WCBFGwE0DIPKDtraPnQ==.new
- <Package Folder>/files/####/350FNx-ldaoUNQ8WmnBEAtFenSoAoxtS.new
- <Package Folder>/files/####/3iozP77vqPrhiYMb0vtwATyex0pEXnhK.new
- <Package Folder>/files/####/B5BLqJU7xYRNTtP6elwEDKaHFGHs1MWr.new
- <Package Folder>/files/####/DknAjfZaUC8-s2_vbI_wCA==
- <Package Folder>/files/####/ETJTnGXsMq28AZ3-X-huwiJwZ8POJgkO8Cu8jA==.new
- <Package Folder>/files/####/El-VJLetQWjbH7pHCcyHm4XyCSQ=
- <Package Folder>/files/####/GGwaGUG_I6OESzs5Edz4YQ==
- <Package Folder>/files/####/GGwaGUG_I6OESzs5Edz4YQ==.new
- <Package Folder>/files/####/KASBmvj3IytkgdQ9qqJzq6m0tL3g-y_a.new
- <Package Folder>/files/####/KSM5l44ntfPCwN_F60r2MA==
- <Package Folder>/files/####/MQ_5sScTyKOpyKVAdjU5aJRWcgY=.new
- <Package Folder>/files/####/Pcw3IQHbJRba8Qp2i3XJ-grsWntpCZLN.new
- <Package Folder>/files/####/Si39uCNhXj72JbNx8-CHai1a7X9dfgmeH5iB8Ye2nzc=.new
- <Package Folder>/files/####/Xcj49TMjfvadySTZ_9E7hNuZpn1k5gczW-68nw==.new
- <Package Folder>/files/####/aT9TAX5vlB22QbdiNSlPyoZfrNIt8xIe.new
- <Package Folder>/files/####/ajn6YyAjrne81HRjbSZgKA==.new
- <Package Folder>/files/####/dyMqVfAyO6uilkjm.new
- <Package Folder>/files/####/iYqAbvCVH4th4-SefWR8c5Jhlko=
- <Package Folder>/files/####/iYqAbvCVH4th4-SefWR8c5Jhlko=.new
- <Package Folder>/files/####/nrYzmGbWJG_O-D5Lb9jjcg2v8ybgIVG0.new
- <Package Folder>/files/####/nt2k78OGq9rY1ol6
- <Package Folder>/files/####/o3wbCliToA70usO3ar0IwH73BHLXl0oJzH1xiWIdNHM=.new
- <Package Folder>/files/####/oLqAWD76YvcYjsfc83LVxXhzgZo=
- <Package Folder>/files/####/oLqAWD76YvcYjsfc83LVxXhzgZo=.new
- <Package Folder>/files/####/qepvq_f.zip
- <Package Folder>/files/####/rYTntpMXHs6DVOrtIusMryVlBDA2gjuM
- <Package Folder>/files/####/rYTntpMXHs6DVOrtIusMryVlBDA2gjuM.new
- <Package Folder>/files/####/rYTntpMXHs6DVOrtIusMryVlBDA2gjuM.old (deleted)
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sKyJUpOhwa8KZOUcAR0F15KkMJwvPz-6gjTZewxfOqY=.new
- <Package Folder>/files/####/tHMhdM0a-AKOv3TLyTwmqcOw9V3pUxZ5NNZ7jA==.new
- <Package Folder>/files/####/uq_T6kFFyJiu2g-ViY9YX8Hlo9OWOq21JvxV0aZh5pA=.new
- <Package Folder>/files/####/wpUVLQMiH_lyjixZ.zip
- <Package Folder>/files/####/xGcMSbI5IC96gLGxbzV9CDTLKgE=.new
- <Package Folder>/files/com.dyl.pay.ui.apk
- <Package Folder>/files/libabc
- <Package Folder>/files/rdata_comewqrasdj
- <Package Folder>/files/rdata_comewqrasdj.new
- <Package Folder>/shared_prefs/plugin_record_app_info.xml
- <Package Folder>/shared_prefs/pref_recomm.xml
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.tpservice/####/qsha_80001_5096.jar
- <SD-Card>/.twservice/qshp_3003_2272.zip
- <SD-Card>/Android/####/com.skymobi.pay.plugin.main.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.recordupload.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.smspay.data
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.jfkd.pt.one/code-7101125/g7T7o2iWiidUYhjt -p com.jfkd.pt.one -c com.ewqr.asdj.wgqva.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- sh <Package Folder>/code-7101125/g7T7o2iWiidUYhjt -p <Package> -c com.ewqr.asdj.wgqva.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
