Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Backdoor.333.origin
- Android.DownLoader.286.origin
- Android.Triada.74.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Backdoor.333.origin
- Android.DownLoader.286.origin
- Android.Triada.74.origin
Сетевая активность:
Подключается к:
- a####.####.com
- a####.####.net
- al####.####.com
- bcdnup####.####.com
- c####.####.com
- c####.####.net
- d####.####.com
- e####.####.com
- hasm####.com
- hostwe####.com
- hostwe####.com:8080
- i####.####.cn
- i####.####.com
- i####.####.to
- inter####.####.com
- ip####.io
- k####.####.com
- n####.####.com
- o####.####.com
- p####.####.com
- p####.####.com:8080
- pag####.####.com
- s####.####.com
- web####.####.com
- x####.com
- z####.####.com
Запросы HTTP GET:
- a####.####.com/static/img/Social.png
- a####.####.net/affiliate/static/css/webview/bannerlistads.css
- a####.####.net/avazustrap/styles/avazu-font-icons.css
- al####.####.com/ym_jar
- bcdnup####.####.com/image/5923a0b489dd3.png
- c####.####.com/9.gif?abc=####&rnd=####
- c####.####.com/core.php?web_id=####&t=####
- c####.####.net/images/201702/052/6cb59d6b4be2cf7f7df94b835393b0cb_100x10...
- d####.####.com/ad.png
- e####.####.com/static/mv/images/share_icon.png
- hasm####.com/?ac=####
- i####.####.cn/iplookup/iplookup.php?format=####&ip=####
- i####.####.com/service/getIpInfo2.php?ip=####
- i####.####.to/album/2016/12/26/c99fb3d15a8bf1e9a055e8b4234f3243-04e94528...
- ip####.io/json
- k####.####.com/download/opbenginemd//2027.dat
- n####.####.com/public/upload/5b/f0/5bf0266e13adbc1dce4d29fd2a6faac9_100_...
- p####.####.com/imp?id=####
- pag####.####.com/pagead/js/r20170614/r20170110/show_ads_impl.js
- s####.####.com/z_stat.php?id=####
- web####.####.com/affiliate/static/js/avazuwebviewsdk.min.js?v=####
- web####.####.com/webview/detectads.php?width=####&height=####&sourceid=#...
- z####.####.com/stat.htm?id=####&r=####&lg=####&ntime=####&cnzz_eid=####&...
Запросы HTTP POST:
- a####.####.com/app_logs
- a####.####.com/zoomy-advert/inter/getHeartbeatInfo.shtml
- hostwe####.com/dispatcher.php
- hostwe####.com:8080/dispatcher.php
- inter####.####.com/newservice/newjsApk.action
- o####.####.com/v2/get_update_time
- p####.####.com/OpaService/OpaReport
- p####.####.com:8080/OpaService/OpaStrategy
- x####.com/db.do
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.lib/libexec.so
- <Package Folder>/.lib/libexecmain.so
- <Package Folder>/app_sgdex/dos.jar
- <Package Folder>/app_xxx/chattr
- <Package Folder>/app_xxx/configopb
- <Package Folder>/app_xxx/install
- <Package Folder>/app_xxx/install-co
- <Package Folder>/app_xxx/install-recovery-co.sh
- <Package Folder>/app_xxx/install-recovery.sh
- <Package Folder>/app_xxx/libxapp.so
- <Package Folder>/app_xxx/sr
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/f_000001
- <Package Folder>/cache/####/f_000002
- <Package Folder>/cache/####/f_000003
- <Package Folder>/cache/####/f_000004
- <Package Folder>/cache/####/f_000005
- <Package Folder>/cache/####/f_000006
- <Package Folder>/cache/####/f_000007
- <Package Folder>/cache/####/f_000008
- <Package Folder>/cache/####/f_000009
- <Package Folder>/cache/####/f_00000a
- <Package Folder>/cache/####/f_00000b
- <Package Folder>/cache/####/f_00000c
- <Package Folder>/cache/####/f_00000d
- <Package Folder>/cache/####/f_00000e
- <Package Folder>/cache/####/f_00000f
- <Package Folder>/cache/####/f_000010
- <Package Folder>/cache/####/f_000011
- <Package Folder>/cache/####/f_000012
- <Package Folder>/cache/####/f_000013
- <Package Folder>/cache/####/f_000014
- <Package Folder>/cache/####/f_000015
- <Package Folder>/cache/####/f_000016
- <Package Folder>/cache/####/f_000017
- <Package Folder>/cache/####/f_000018
- <Package Folder>/cache/####/f_000019
- <Package Folder>/cache/####/f_00001a
- <Package Folder>/cache/####/f_00001b
- <Package Folder>/cache/####/f_00001c
- <Package Folder>/cache/####/f_00001d
- <Package Folder>/cache/####/f_00001e
- <Package Folder>/cache/####/f_00001f
- <Package Folder>/cache/####/f_000020
- <Package Folder>/cache/####/f_000021
- <Package Folder>/cache/####/f_000022
- <Package Folder>/cache/####/f_000023
- <Package Folder>/cache/####/f_000024
- <Package Folder>/cache/####/f_000025
- <Package Folder>/cache/####/index
- <Package Folder>/databases/StaticDataC.dataBase-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/.hrgiaockce.so (deleted)
- <Package Folder>/files/####/.psns
- <Package Folder>/files/####/.raohu6rcx4m2emr.so
- <Package Folder>/files/####/.root
- <Package Folder>/files/####/0d.zip (deleted)
- <Package Folder>/files/####/2025.dat.tmp
- <Package Folder>/files/####/2025.zip
- <Package Folder>/files/####/2026.dat.tmp
- <Package Folder>/files/####/2026.zip
- <Package Folder>/files/####/2027.dat
- <Package Folder>/files/####/2027.dat.tmp
- <Package Folder>/files/####/2027.zip
- <Package Folder>/files/####/2029.dat
- <Package Folder>/files/####/2029.dat.tmp
- <Package Folder>/files/####/2029.zip
- <Package Folder>/files/####/2030.dat.tmp
- <Package Folder>/files/####/2030.zip
- <Package Folder>/files/####/2031.dat.tmp
- <Package Folder>/files/####/2031.zip
- <Package Folder>/files/####/2040.dat
- <Package Folder>/files/####/2040.dat.tmp
- <Package Folder>/files/####/2040.zip
- <Package Folder>/files/####/2044.dat
- <Package Folder>/files/####/2044.dat.tmp
- <Package Folder>/files/####/2044.zip
- <Package Folder>/files/####/Agcr
- <Package Folder>/files/####/chattr
- <Package Folder>/files/####/cod.jar
- <Package Folder>/files/####/configopb
- <Package Folder>/files/####/cp.apk
- <Package Folder>/files/####/exebin
- <Package Folder>/files/####/install
- <Package Folder>/files/####/install-recovery.sh
- <Package Folder>/files/####/km.apk
- <Package Folder>/files/####/libframa.so
- <Package Folder>/files/####/r.sh
- <Package Folder>/files/####/rgsh
- <Package Folder>/files/####/ri.apk
- <Package Folder>/files/####/root_001
- <Package Folder>/files/####/root_004
- <Package Folder>/files/####/root_005
- <Package Folder>/files/####/root_006
- <Package Folder>/files/####/root_007
- <Package Folder>/files/####/root_008
- <Package Folder>/files/####/rt.apk
- <Package Folder>/files/####/run
- <Package Folder>/files/####/sr
- <Package Folder>/files/####/su
- <Package Folder>/files/####/upd
- <Package Folder>/files/.imprint
- <Package Folder>/files/Agcr.tmp
- <Package Folder>/files/__rbprotected__
- <Package Folder>/files/cid.ini
- <Package Folder>/files/libinqz.so
- <Package Folder>/files/libusgb.so
- <Package Folder>/files/maoqnga.md
- <Package Folder>/files/mda.ico
- <Package Folder>/files/mySdk.jar
- <Package Folder>/files/sddijqq.dat
- <Package Folder>/files/sddijqq.dat (deleted)
- <Package Folder>/files/sddijqq.jar
- <Package Folder>/files/sddijqq.md
- <Package Folder>/files/sss.pdb
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/files/viva.db
- <Package Folder>/files/wddex.jar
- <Package Folder>/files/xactLib
- <Package Folder>/shared_prefs/<Package>.xml
- <Package Folder>/shared_prefs/Oveeada.xml
- <Package Folder>/shared_prefs/OverseaSDK.xml
- <Package Folder>/shared_prefs/OverseaSDK.xml.bak
- <Package Folder>/shared_prefs/ShaMd5.xml
- <Package Folder>/shared_prefs/brower_ad.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/config.xml.bak
- <Package Folder>/shared_prefs/ip_info.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/web_sdk.xml
- <Package Folder>/shared_prefs/xapcinfo.xml
- <SD-Card>/app/####/appChannel
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.dailybrowser.yiipol.dd/app_bin/daemon -p com.dailybrowser.yiipol.dd -s com.coolerfall.daemon.DaemonService -t 120
- /data/data/com.dailybrowser.yiipol.dd/files/.data/.root
- /data/data/com.dailybrowser.yiipol.dd/files/.data/exebin
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_001 –auto
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_004 PFMMehxvMFk2VSFN8Aw8XGXh91UNiESr/iPn2mHZOg== 3u5ydeZkuIN7B1MIi0sjkwufUjbm /system/bin/sh
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_005 /system/bin/sh
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_006 /system/bin/sh
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_007 HygZRm2IHTKWpp7Hll/sS0uY66xdcw== /system/bin/sh
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_007 al1s7jBFNtn9faBmC0Jb9A9NslGZSg== /system/bin/sh
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_007 f0h5zguZ9aJXbCZExMaN2kDhh6V0Uw== /system/bin/sh
- /data/data/com.dailybrowser.yiipol.dd/files/.data/root_008
- /system/bin/sh
- <dexopt>
- cat /proc/cpuinfo
- cat /proc/version
- chmod 06755 /data/data/com.dailybrowser.yiipol.dd/files/.data/.root
- chmod 06755 /data/data/com.dailybrowser.yiipol.dd/files/.data/root_001
- chmod 06755 /data/data/com.dailybrowser.yiipol.dd/files/.data/root_004
- chmod 06755 /data/data/com.dailybrowser.yiipol.dd/files/.data/root_005
- chmod 06755 /data/data/com.dailybrowser.yiipol.dd/files/.data/root_006
- chmod 06755 /data/data/com.dailybrowser.yiipol.dd/files/.data/root_007
- chmod 06755 /data/data/com.dailybrowser.yiipol.dd/files/.data/root_008
- chmod 06755 <Package Folder>/files/.data/.root
- chmod 06755 <Package Folder>/files/.data/root_001
- chmod 06755 <Package Folder>/files/.data/root_004
- chmod 06755 <Package Folder>/files/.data/root_005
- chmod 06755 <Package Folder>/files/.data/root_006
- chmod 06755 <Package Folder>/files/.data/root_007
- chmod 06755 <Package Folder>/files/.data/root_008
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/cod.jar
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/cp.apk
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/exebin
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/install-recovery.sh
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/km.apk
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/ri.apk
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/rt.apk
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/su
- chmod 755 /data/data/com.dailybrowser.yiipol.dd/files/.data/upd
- chmod 755 <Package Folder>/files/.data/cod.jar
- chmod 755 <Package Folder>/files/.data/cp.apk
- chmod 755 <Package Folder>/files/.data/exebin
- chmod 755 <Package Folder>/files/.data/install-recovery.sh
- chmod 755 <Package Folder>/files/.data/km.apk
- chmod 755 <Package Folder>/files/.data/ri.apk
- chmod 755 <Package Folder>/files/.data/rt.apk
- chmod 755 <Package Folder>/files/.data/su
- chmod 755 <Package Folder>/files/.data/upd
- chmod 755 <Package Folder>/files/Data/Sol/id-2025/.psns
- chmod 755 <Package Folder>/files/Data/Sol/id-2026/.psns
- chmod 755 <Package Folder>/files/Data/Sol/id-2026/psn
- chmod 755 <Package Folder>/files/Data/Sol/id-2027/.psns
- chmod 755 <Package Folder>/files/Data/Sol/id-2027/psn
- chmod 755 <Package Folder>/files/Data/Sol/id-2030/rgsh
- chmod 777 /data/data/com.dailybrowser.yiipol.dd/files/.Ag
- chmod 777 /data/data/com.dailybrowser.yiipol.dd/files/.Ag/Agcr
- chmod 777 /data/data/com.dailybrowser.yiipol.dd/files/.data
- chmod 777 /data/data/com.dailybrowser.yiipol.dd/files/.data/r.sh
- chmod 777 <Package Folder>/files/.Ag
- chmod 777 <Package Folder>/files/.Ag/Agcr
- chmod 777 <Package Folder>/files/.data
- chmod 777 <Package Folder>/files/.data/r.sh
- conbb od2gf04pd9
- configopb ebf05813c1
- getprop
- getprop ro.board.platform
- getprop ro.product.cpu.abi
- id
- ls /data/data
- rm -r /data/data/com.dailybrowser.yiipol.dd/app_xxx
- rm -r /data/data/com.dailybrowser.yiipol.dd/files/Data/Sol
- rm -r /data/data/com.dailybrowser.yiipol.dd/files/Data/pp2
- rm -r <Package Folder>/app_xxx
- rm -r <Package Folder>/files/Data/Sol
- rm -r <Package Folder>/files/Data/pp2
- rm <Package Folder>/files/Data/Sol/id-2026/.psns
- rm <Package Folder>/files/Data/Sol/id-2029/rgsh <Package Folder>/files/Data/Sol/id-2029/.root
- rm <Package Folder>/files/Data/Sol/id-2040/rgsh <Package Folder>/files/Data/Sol/id-2040/.root
- rm <Package Folder>/files/Data/Sol/id-2044/rgsh <Package Folder>/files/Data/Sol/id-2044/.root
- sh
- sh -c <Package Folder>/files/Data/Sol/id-2029/.root Edward /system/bin/sh <Package Folder>/files/Data/Sol/id-2029/rgsh 1mWelshlY2JlgjDLLrZkZTVabmIuwnIw
- sh -c <Package Folder>/files/Data/Sol/id-2030/.root Edward /system/bin/sh <Package Folder>/files/Data/Sol/id-2030/rgsh omWvOlFlYwz6SjDJSSRkNDOxvmN10wQw
- sh -c <Package Folder>/files/Data/Sol/id-2040/.root Edward /system/bin/sh <Package Folder>/files/Data/Sol/id-2040/rgsh PWUuNL5lY8G7XTDzl3lkY/wt5GIlGk80
- sh -c <Package Folder>/files/Data/Sol/id-2044/.root Edward /system/bin/sh <Package Folder>/files/Data/Sol/id-2044/rgsh 7mWbhP1lY0CW9DAMxGVkZiDQN2KG1eBh
- sh -c chmod 755 <Package Folder>/files/Data/Sol/id-2026/psn;stop nac_server
- sh -c chmod 755 <Package Folder>/files/Data/Sol/id-2027/psn;stop nac_server
- sh <Package Folder>/files/.data/.root
- sh <Package Folder>/files/.data/exebin
- sh <Package Folder>/files/.data/root_001 auto
- sh <Package Folder>/files/.data/root_004 PFMMehxvMFk2VSFN8Aw8XGXh91UNiESr/iPn2mHZOg== 3u5ydeZkuIN7B1MIi0sjkwufUjbm /system/bin/sh
- sh <Package Folder>/files/.data/root_005 /system/bin/sh
- sh <Package Folder>/files/.data/root_006 /system/bin/sh
- sh <Package Folder>/files/.data/root_007 HygZRm2IHTKWpp7Hll/sS0uY66xdcw== /system/bin/sh
- sh <Package Folder>/files/.data/root_007 al1s7jBFNtn9faBmC0Jb9A9NslGZSg== /system/bin/sh
- sh <Package Folder>/files/.data/root_007 f0h5zguZ9aJXbCZExMaN2kDhh6V0Uw== /system/bin/sh
- sh <Package Folder>/files/.data/root_008
- stop nac_server
Использует специальную библиотеку для скрытия исполняемого байткода.
