Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.226.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.226.origin
Сетевая активность:
Подключается к:
- 6####.####.140
- i####.####.com
- l####.####.cc
- p####.####.com
Запросы HTTP GET:
- i####.####.com/ando-res/ads/30/14/f15541de-b7bd-4ff9-97fb-9e6cc9e4e044/0...
Запросы HTTP POST:
- 6####.####.140/ando/v1/x/qa?app_id=####&r=####
- l####.####.cc/index.php/MC/LP
- p####.####.com/sdkMis/sdk-update
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_tongyu/####/tongyu-pay-lib.apk
- <Package Folder>/app_workbench20940/apk.zip
- <Package Folder>/app_workbench26852/apk.zip
- <Package Folder>/app_workbench32378/apk.zip
- <Package Folder>/app_workbench37744/apk.zip
- <Package Folder>/app_workbench43270/apk.zip
- <Package Folder>/app_workbench54322/apk.zip
- <Package Folder>/app_workbench76652/apk.zip
- <Package Folder>/code-283353/####/C8hc7ZBPCkQszCq3.jar
- <Package Folder>/code-283353/eoBjLWX3wf5AYQbu
- <Package Folder>/databases/Data_sync.db-journal
- <Package Folder>/databases/MaiStore.db-journal
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_4tPJVTkT6xfiOOghmymrew==
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_4tPJVTkT6xfiOOghmymrew==-journal
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_CK1Spaf1gSgNC19ohdI2iCrW0l4=
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_CK1Spaf1gSgNC19ohdI2iCrW0l4=-journal
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_JN9Ux7doK9FC6VWa
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_JN9Ux7doK9FC6VWa-journal
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_auIEr0Eey3LHRDUTIWIFVA==
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_auIEr0Eey3LHRDUTIWIFVA==-journal
- <Package Folder>/databases/vZveBbrdKwZeIGiYxcC10iIShNkHsAgeUv6eP_94A8g=_xn0jlBqmvm4=-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/-V0cGXcRKyYHYo2D9OM_8cTAqHc=.new
- <Package Folder>/files/####/0dzPXwcYC07jLlKD9IZIH0bX7vN39Kku
- <Package Folder>/files/####/0dzPXwcYC07jLlKD9IZIH0bX7vN39Kku.new
- <Package Folder>/files/####/0dzPXwcYC07jLlKD9IZIH0bX7vN39Kku.old (deleted)
- <Package Folder>/files/####/2ElMp3mozrfBYiF9.new
- <Package Folder>/files/####/2kyd0kmxxA9mBvqCr6qSC-kImL4=
- <Package Folder>/files/####/3a594145-6254-4240-bb87-92676cd6185e.pic.temp
- <Package Folder>/files/####/958b9437-d6fc-40a6-b344-178e86b3bae8.pic
- <Package Folder>/files/####/AMNSrHzrYvqC9BW1wa1glk2kIaA=
- <Package Folder>/files/####/B4ol7W8LVYRv3TYk-Qp-YOw9AcwfSNHW66o05zKihOg=.new
- <Package Folder>/files/####/D1w7hkTkDR7uGFVd3s8tlMPgqhag0zUWY0Xxrw==.new
- <Package Folder>/files/####/DszDz0Mc73uxr28bPIvnKHzDz6FiIREO.new
- <Package Folder>/files/####/Fb6Sq2fd_EVp8WzfdjA0tg==.new
- <Package Folder>/files/####/ISbBCoMzmTXPm_npCFA-nfjTS1i7z52l.new
- <Package Folder>/files/####/PLrOeK-QbTNtzTMTcec9RwbTGXc3RKXh.new
- <Package Folder>/files/####/RuujLvUOaKKuci49OQGIo2WatBM=.new
- <Package Folder>/files/####/X_Hjymz8O8088HOQcdMSqnNC9KVIHK8B.new
- <Package Folder>/files/####/Xn6VHx65INlbmABBJWTnZdJOBaI-Bycr1XxcJzkqc4o=.new
- <Package Folder>/files/####/_RqeSR-BNaEm70Mf
- <Package Folder>/files/####/a4572510-e893-446e-8fb2-a4520f701795.pic.temp
- <Package Folder>/files/####/a5_Cranmc1CNbDWgl8xsag==
- <Package Folder>/files/####/a5_Cranmc1CNbDWgl8xsag==.new
- <Package Folder>/files/####/akJVGbIynWt9ZQn-aj7y_Nza1mU=.new
- <Package Folder>/files/####/b55f9282-4905-4efa-868c-8ff047f7c903.pic.temp
- <Package Folder>/files/####/bEsxsoLUu5BTqp9XdP_LQ2laNAk=.new
- <Package Folder>/files/####/bMxpcp1XG6RXJO_faG6lFgLTn9JCO7fa.new
- <Package Folder>/files/####/cDe_wDQNG956IYLbPfskKTN6Tk5PoWXB.new
- <Package Folder>/files/####/cQ2YXU2sfGhT6vGw-vr9wQ==
- <Package Folder>/files/####/cQ2YXU2sfGhT6vGw-vr9wQ==.new
- <Package Folder>/files/####/d5be8860-efbc-422f-b9d7-bfe640d7937e.pic.temp
- <Package Folder>/files/####/dd065ce3-d155-4505-90f7-5bfd63302d44.pic.temp
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/f4fc7299-e822-4485-8a32-2d28a6bff198.pic.temp
- <Package Folder>/files/####/fa504ef2-cdca-4cf0-a1d0-71113c1197ad.pic
- <Package Folder>/files/####/oxeorFO6TVO_dx1_a7kueA==
- <Package Folder>/files/####/q_3P1GujPdvD-hHzAh_bnpJBJ90UtArJxwq2EJ40qAo=.new
- <Package Folder>/files/####/qreiaa_f.zip
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/wMkkEMoDuiosdUcBT5SBCg==
- <Package Folder>/files/####/xFBrfLlmnBzQGLAHuPF571TpLCMyPG2a.new
- <Package Folder>/files/####/xbdphwrjvkPqSJgaoCBeRiwOUc2K3VYg-1gAMQ==.new
- <Package Folder>/files/####/xl4AnnUq22fgdn1HaskrH6PSCWzqA32pC865-kvdzdo=.new
- <Package Folder>/files/####/yh3qdLD9noX_5yjyP9FOUGHZZGAyi_O4LJIBkQ==.new
- <Package Folder>/files/####/yroQ-D8FbaXoJjxu.zip
- <Package Folder>/files/com.dyl.pay.ui.apk
- <Package Folder>/files/libabc
- <Package Folder>/files/rdata_comjfkdptonexlj.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/share_data.xml.bak (deleted)
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.armsd/####/44433f3b-f88f-471c-bc1d-2fed327a30c3.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/606e199b-a023-41dd-9151-43a8e73cca1e.res
- <SD-Card>/.armsd/####/61b0370e-baac-4283-bbe4-98857f739230.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/c1f4d728-91a1-44c5-ab6e-b5c19a960d72.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.tpservice/####/qsha_80001_5096.jar
- <SD-Card>/.twservice/qshp_3003_2274.zip
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/com.skymobi.pay.plugin.main.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.recordupload.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.smspay.data
Другие:
Запускает следующие shell-скрипты:
- /data/data/mu.nprikfbcnrukyxr.zccmlzmiw.a9aa4.y281c7e83e19a/code-283353/eoBjLWX3wf5AYQbu -p mu.nprikfbcnrukyxr.zccmlzmiw.a9aa4.y281c7e83e19a -c com.jfkd.pt.one.xlj.wgqxaq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- cat /sys/class/net/wlan0/address
- sh <Package Folder>/code-283353/eoBjLWX3wf5AYQbu -p <Package> -c com.jfkd.pt.one.xlj.wgqxaq.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
