Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.DownLoader.455.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.DownLoader.455.origin
Сетевая активность:
Подключается к:
- 1####.####.107
- 1####.####.107:8032
- 2####.####.197
- a####.####.cn
- a####.####.com
- a####.####.net
- al####.####.com
- beid####.com
- cl####.####.com
- jion####.net
- m####.####.com
- moneys####.cn
- pi####.####.com
- r####.####.net
- s####.####.cn
- s####.####.cn:5566
- s####.####.com
- s####.####.net
- soson####.####.com
- t####.####.net
Запросы HTTP GET:
- 1####.####.107/m/umeng:5508ef97fd98c5404e000f13/34/AjMS-v67LRlMvkmaZtFeX...
- 1####.####.107:8032/m/umeng:5508ef97fd98c5404e000f13/34/AjMS-v67LRlMvkma...
- 2####.####.197/action/connect/active?app_id=####&udid=####&imsi=####&net...
- a####.####.com/rest/api3.do?t=####&deviceId=####&imei=####&appKey=####&v...
- a####.####.net/offer/dist/aos/pkg/2.6.1/offers_2.6.1.zip
- a####.####.net/v3/zip_upd?s=####
- al####.####.com/adv/70/1836/20170620182936_941.jpg
- beid####.com/fct/fileDownLoadAction?filePath=####
- moneys####.cn/MoneyShake/GetUpdateInfo?udid=####&platform=####&mac=####&...
- r####.####.net/spot/aos/v2/reqv3?s=####
- s####.####.com/getAD/?appid=####&secretKey=####&appChannel=####&type=###...
- s####.####.net/stat/aos/v3/pkc?s=####
- soson####.####.com/dynamic_sdk_4.5.2.jar
- t####.####.net/v1/event?appid=####&cid=####&tsp=####&ac=####&pt=####&lb=...
Запросы HTTP POST:
- a####.####.cn/action/user_info
- a####.####.com/a/aow/update?msg=####
- a####.####.com/app_logs
- a####.####.com/dev/api/connect.php?device_id=####&imsi=####&device_name=...
- cl####.####.com/terminal/ad/getAdList.do?t=####
- jion####.net/www/online74D11EE5836777D.php/BD0F024D/BD0F024D29F0
- m####.####.com/v2/register
- pi####.####.com/mstat/report/?index=####
- s####.####.cn/log/install
- s####.####.cn:5566/init/duid
- t####.####.net/v1/android/packages?rt=####&sign=####
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_aaa_data/classes.zip
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/http+alicdn+bayimob+com+adv+70+1829+20170607113549_871+jpg
- <Package Folder>/cache/####/http+alicdn+bayimob+com+adv+70+1836+20170620182931_720+jpg
- <Package Folder>/cache/####/http+alicdn+bayimob+com+adv+70+1836+20170620182936_941+jpg
- <Package Folder>/cache/####/index
- <Package Folder>/cache/-1483817110.dex (deleted)
- <Package Folder>/cache/-1483817110.jar
- <Package Folder>/databases/40a56d2008fa374fcef11eab4af33ebb
- <Package Folder>/databases/40a56d2008fa374fcef11eab4af33ebb-journal
- <Package Folder>/databases/56ba52b618dd1fb74e3d2d0d2fa09832
- <Package Folder>/databases/56ba52b618dd1fb74e3d2d0d2fa09832-journal
- <Package Folder>/databases/8fbe54f1c1b9557e4565de8f1429ff61
- <Package Folder>/databases/8fbe54f1c1b9557e4565de8f1429ff61-journal
- <Package Folder>/databases/97d394c505bd9dcc251177c9978f7cd0
- <Package Folder>/databases/97d394c505bd9dcc251177c9978f7cd0-journal
- <Package Folder>/databases/E_ID<IMEI>.db
- <Package Folder>/databases/E_ID<IMEI>.db-journal
- <Package Folder>/databases/MsgLogStore.db-journal
- <Package Folder>/databases/OxgHkj2lz09F
- <Package Folder>/databases/OxgHkj2lz09F-journal
- <Package Folder>/databases/P15pKIjsm64m
- <Package Folder>/databases/P15pKIjsm64m-journal
- <Package Folder>/databases/T1oX0rhhuXWt
- <Package Folder>/databases/T1oX0rhhuXWt-journal
- <Package Folder>/databases/UmengLocalNotificationStore.db-journal
- <Package Folder>/databases/XKwVoK0huy3R
- <Package Folder>/databases/XKwVoK0huy3R-journal
- <Package Folder>/databases/Xil2xk2Ix1lF
- <Package Folder>/databases/Xil2xk2Ix1lF-journal
- <Package Folder>/databases/aaa_aa-db-journal
- <Package Folder>/databases/jqIqJYOT3JpT
- <Package Folder>/databases/jqIqJYOT3JpT-journal
- <Package Folder>/databases/jwall_download.db
- <Package Folder>/databases/jwall_download.db-journal
- <Package Folder>/databases/pri_wxop_tencent_analysis.db-journal
- <Package Folder>/databases/wIU6pTyUBYWX
- <Package Folder>/databases/wIU6pTyUBYWX-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/databases/wsUL1uCdKvjD
- <Package Folder>/databases/wsUL1uCdKvjD-journal
- <Package Folder>/databases/wxop_tencent_analysis.db-journal
- <Package Folder>/files/####/arrow-left.png
- <Package Folder>/files/####/arrow-right.png
- <Package Folder>/files/####/blank.gif
- <Package Folder>/files/####/close-icon.png
- <Package Folder>/files/####/default.png
- <Package Folder>/files/####/detail-wx.html
- <Package Folder>/files/####/detail-wx.js
- <Package Folder>/files/####/detail.html
- <Package Folder>/files/####/detail.js
- <Package Folder>/files/####/feedback.html
- <Package Folder>/files/####/feedback.js
- <Package Folder>/files/####/form.css
- <Package Folder>/files/####/global.js
- <Package Folder>/files/####/lists.css
- <Package Folder>/files/####/lists.html
- <Package Folder>/files/####/lists.js
- <Package Folder>/files/####/md5.js
- <Package Folder>/files/####/pic_m.png
- <Package Folder>/files/####/pic_tips_01.png
- <Package Folder>/files/####/pic_tips_02.png
- <Package Folder>/files/####/result.png
- <Package Folder>/files/####/rule.html
- <Package Folder>/files/####/sdetail.html
- <Package Folder>/files/####/share.css
- <Package Folder>/files/####/share.html
- <Package Folder>/files/####/share.js
- <Package Folder>/files/####/sprite-face.png
- <Package Folder>/files/####/sprite-icons.png
- <Package Folder>/files/####/sprite-icons2.png
- <Package Folder>/files/####/wx-step1.jpg
- <Package Folder>/files/####/wx-step2.jpg
- <Package Folder>/files/####/wx-step3.jpg
- <Package Folder>/files/####/wx-step4.jpg
- <Package Folder>/files/####/wx-step5.jpg
- <Package Folder>/files/.imprint
- <Package Folder>/files/014962152681821.jar
- <Package Folder>/files/8c20baef730d05ef3b1dd4a5cd7dbdea.zip
- <Package Folder>/files/CacheTime.dat
- <Package Folder>/files/DaemonServer
- <Package Folder>/files/agoo.pid
- <Package Folder>/files/dynamic_sdk_4.5.2.jar.temp
- <Package Folder>/files/errorLog_<Package>.txt
- <Package Folder>/files/observedFile
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/.mta-wxop.xml
- <Package Folder>/shared_prefs/.mta-wxop.xml.bak
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/AGOO_CONNECT.xml
- <Package Folder>/shared_prefs/AGOO_HOST.xml
- <Package Folder>/shared_prefs/Alvin2.xml
- <Package Folder>/shared_prefs/AppSettings.xml
- <Package Folder>/shared_prefs/AppStore.xml
- <Package Folder>/shared_prefs/AppStore.xml.bak
- <Package Folder>/shared_prefs/CE94557724F842149D690D0E8CBB1CBD.xml
- <Package Folder>/shared_prefs/ContextData.xml
- <Package Folder>/shared_prefs/InitInfo.xml
- <Package Folder>/shared_prefs/JYPreData.xml
- <Package Folder>/shared_prefs/JYPreData.xml.bak
- <Package Folder>/shared_prefs/OFFERSCONFIG1.xml
- <Package Folder>/shared_prefs/PhoneUtil.xml
- <Package Folder>/shared_prefs/SMSSDK_VCODE_1.xml
- <Package Folder>/shared_prefs/ShowAdFlag.xml
- <Package Folder>/shared_prefs/aaa_bayiSharedPrferences.xml
- <Package Folder>/shared_prefs/aaa_viewpager_page.xml
- <Package Folder>/shared_prefs/check.xml
- <Package Folder>/shared_prefs/i.xml
- <Package Folder>/shared_prefs/i_fionf_pre<IMEI>.xml
- <Package Folder>/shared_prefs/i_fionf_pre<IMEI>.xml.bak
- <Package Folder>/shared_prefs/i_fionf_pre<IMEI>.xml.bak (deleted)
- <Package Folder>/shared_prefs/im_cache_prefs.xml
- <Package Folder>/shared_prefs/preference_daow.xml
- <Package Folder>/shared_prefs/preferences.xml
- <Package Folder>/shared_prefs/spotData.xml
- <Package Folder>/shared_prefs/spot_app_data.xml
- <Package Folder>/shared_prefs/spot_app_data.xml.bak
- <Package Folder>/shared_prefs/test.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <Package Folder>/shared_prefs/umeng_message_state.xml
- <Package Folder>/shared_prefs/user.xml
- <Package Folder>/shared_prefs/user.xml.bak
- <Package Folder>/shared_prefs/w_base_info.xml
- <Package Folder>/shared_prefs/w_base_info.xml.bak
- <Package Folder>/shared_prefs/w_report_apps.xml
- <SD-Card>/.DataStorage/ContextData.xml
- <SD-Card>/.UTSystemConfig/####/Alvin2.xml
- <SD-Card>/.b/.dev
- <SD-Card>/Android/####/373240561418738c721572c1da14b85e
- <SD-Card>/Android/####/373240561418738c721572c1da14b85e.ymtf
- <SD-Card>/Android/####/AppPackage.dat
- <SD-Card>/Android/####/CacheTime.dat
- <SD-Card>/Android/####/UnPackage.dat
- <SD-Card>/Android/####/android
- <SD-Card>/Android/####/errorLog_<Package>.txt
- <SD-Card>/Android/####/i42d45df023jnkdd93la483f9xGFKXI
- <SD-Card>/Android/####/s92TjjdfoP2n3o9dfji2l9s1olkjf0p
- <SD-Card>/Android/djaof.dll
- <SD-Card>/Download/####/d4928f0686a110a94c1e3a70c9c21c7b
- <SD-Card>/ShareSDK/.ba
- <SD-Card>/ShareSDK/.dk
- <SD-Card>/Tencent/####/.mid.txt
- <SD-Card>/llc/####/20170531
Другие:
Запускает следующие shell-скрипты:
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
- /system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq
- <Package Folder>/files/DaemonServer -s <Package Folder>/lib/ -n runServer -p startservice -n <Package>/com.umeng.message.UmengService --es cockroach cockroach-PPreotect --es pack <Package> --user 0 -f <Package Folder> -t 600 -c agoo.pid -P <Package Folder> -K 1009527 -U tb_android_daemon_1.1.0 -L http://agoodm.m.taobao.com/agoo/report -D %7B%22package%22%3A%22<Package>%22%2C%22appKey%22%3A%22umeng%3A5508ef97fd98c5404e000f13%22%2C%22utdid%22%3A%22WS5u5Z5V5eEDAGdzx1FjnOPF%22%2C%22sdkVersion%22%3A%2220160215%22%7D -I agoodm.m.taobao.com -O 80 -T -Z
- <dexopt>
- chmod 500 <Package Folder>/files/DaemonServer
- sh
