Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 106575206321505460: dyl#null,<IMEI>,6000195-1-1001-6_kh29s0362_-0
- 10691009: @8DYL#null,<IMEI>,6000195-1-1001-6_kh29s0362_-0
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.226.origin
- Android.Triada.248.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.226.origin
- Android.Triada.248.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 6####.####.140
- a####.####.com
- huangda####.com
- i####.####.com
- l####.####.com
- p####.####.cc
- p####.####.com
- w####.####.com
Запросы HTTP GET:
- 6####.####.140/ando/i/mon?k=####&d=####
- huangda####.com/active!activeLog.action?provider=####&clickId=####&manu=...
- i####.####.com/ando-res/ads/4/5/d73ab4a4-4c75-43a7-a3c9-5bdabd9437c8/d26...
- p####.####.com/sdkMis/getRdoUrl
- w####.####.com/rdo/order?mcpid=####&orderNo=####&feeCode=####&reqTime=##...
Запросы HTTP POST:
- a####.####.com/app_logs
- l####.####.com/sdk.php
- p####.####.cc/index.php/MC/HB
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_tongyu/####/tongyu-pay-lib.apk
- <Package Folder>/app_workbench10122/apk.zip
- <Package Folder>/app_workbench15648/apk.zip
- <Package Folder>/app_workbench87792/apk.zip
- <Package Folder>/app_workbench93624/apk.zip
- <Package Folder>/app_workbench99150/apk.zip
- <Package Folder>/cache/by.apk
- <Package Folder>/code-3625842/lfgfXbhTemfoGQh6
- <Package Folder>/code-6041682/####/q7rU1JeOecDNgAsQ.jar
- <Package Folder>/code-6041682/lfgfXbhTemfoGQh6
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_FOi_BIBniU8r9jPvdhtedw==
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_FOi_BIBniU8r9jPvdhtedw==-journal
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_aJKdGDe-tDLfC4nsdUigyibkip4=
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_aJKdGDe-tDLfC4nsdUigyibkip4=-journal
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_nXjJ_2gYaIldke3DgdYGSg==
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_nXjJ_2gYaIldke3DgdYGSg==-journal
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_wdzJLcA-Y-vIzLR6
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_wdzJLcA-Y-vIzLR6-journal
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_zSy_V6vMMlc=
- <Package Folder>/databases/2YJv07UhkqJV21tfWfS7nDMWVj_FhBLp_zSy_V6vMMlc=-journal
- <Package Folder>/databases/Data_sync.db-journal
- <Package Folder>/databases/MaiStore.db-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/-3QHCjpqdNcxHycV
- <Package Folder>/files/####/0-K4QT-r_bEeDUEgJOYY-g==
- <Package Folder>/files/####/02451a0c-6c05-4159-bbcf-e10b94db577b.pic.temp
- <Package Folder>/files/####/19ada0cd-7646-4d6a-a934-3412032fc3f9.pic.temp
- <Package Folder>/files/####/2224cf9e-f4be-4047-a9d5-07d74bab1239.pic
- <Package Folder>/files/####/23d12b0c-dda8-469f-a97a-cde06af22dc9.pic.temp
- <Package Folder>/files/####/29956621-8f73-439b-83c3-226464a53e92.pic.temp
- <Package Folder>/files/####/2_jWlU3i44potNX98LwpR8JsZfuk1Lyp.new
- <Package Folder>/files/####/3YzXHV5m6SHMCwuq.new
- <Package Folder>/files/####/3d95da01-6e51-4f98-bf76-27fb6ed5364f.pic.temp
- <Package Folder>/files/####/45e1MpU5P1HUNXgn6WF_FvH08oq35MyO.new
- <Package Folder>/files/####/593783ae-ab0e-4223-ae98-f237cc20481f.pic
- <Package Folder>/files/####/5J4g8h2QsZ13-fIz.zip
- <Package Folder>/files/####/6ec3f301-46c0-4bc1-b38a-1e5e324781b2.pic.temp
- <Package Folder>/files/####/735e6c35-7647-4ee0-abde-59564303d4ea.pic.temp
- <Package Folder>/files/####/7c22cd02-9529-4d8b-b30f-53edfc12e3d1.pic.temp
- <Package Folder>/files/####/8bf70f60-1e95-4ce3-bad8-dc54512b25bf.pic.temp
- <Package Folder>/files/####/8iqGegUCRE9dWqG88eid_g4VC0gtehn9Clp9pvpIJy4=.new
- <Package Folder>/files/####/9UnFEDG-BS_iPTnPA3gNhs62NKo=.new
- <Package Folder>/files/####/9vMqcD9dAGBlr8VTMDzwxog-xkc=
- <Package Folder>/files/####/Drg0v64iaASnGG8u2W0iUg==.new
- <Package Folder>/files/####/U0mTQejQbzODTDNcKvZMTrzP3yUanch8.new
- <Package Folder>/files/####/UoPZfP7y0YVOzoPdQRQ8ZFObWXA=.new
- <Package Folder>/files/####/W8d82htz69zODNf0etmmxw==
- <Package Folder>/files/####/W8d82htz69zODNf0etmmxw==.new
- <Package Folder>/files/####/YNA3iy5VScQgVuXTDZfMObCQBwq9gGVt.new
- <Package Folder>/files/####/c373e89d-918c-4134-a9bd-be5c015c880a.pic.temp
- <Package Folder>/files/####/c8c9q3CalT4GTpB0Ma0PhlMT0bKEQQo2sVL2oVFZwco=.new
- <Package Folder>/files/####/dQnyFosVd7RlTcq3wwE3GtZhA502yr63.new
- <Package Folder>/files/####/dbZNjWMyQPz6-4SrScp1sBle_UTAn7ObJYG0PZgfP_k=.new
- <Package Folder>/files/####/exchangeIdentity.json
- <Package Folder>/files/####/fa6a9b44-b6bd-4be7-be52-ab87101f1dcb.pic.temp
- <Package Folder>/files/####/fd50b65c-eedf-42e7-976d-4cbee08014e8.pic.temp
- <Package Folder>/files/####/hUK5vzNJZ9fNCIRNvV3n8t34aOPm1e5PJf00Yw==.new
- <Package Folder>/files/####/hectf-KiHs8Hrg3xrOsmuGbXgd8=.temp
- <Package Folder>/files/####/jlVmiZmOc647iN0d3sif83rP5hxenUUOYvECqaEKmyA=.new
- <Package Folder>/files/####/nUPQiE2u0FK5LHfcNiDWgGfEzJGP64SxLT8Eww==.new
- <Package Folder>/files/####/nqCAo2b52lm3eRpPUhTJFAoe8kvrp5-n.new
- <Package Folder>/files/####/pLTo6P2ezsf6eBZIeqv3_WdPbok=
- <Package Folder>/files/####/pLTo6P2ezsf6eBZIeqv3_WdPbok=.new
- <Package Folder>/files/####/pcELdwkUivhubWV54LGGJxcKNjc=.new
- <Package Folder>/files/####/q0f4SmAaY-abIpEyMipq8VX4_jEYV6xB.new
- <Package Folder>/files/####/qepvq_f.zip
- <Package Folder>/files/####/r9n4HgIxI8S18CD_GF596jt0K2A=.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/tBnP2lX6pmYmGCKt638Kxw==.new
- <Package Folder>/files/####/waaL9-EUuQD61578y5wNxuBIp_p2JIxtJc7V1Q==.new
- <Package Folder>/files/####/xzK12bVhuhbKrdcuTp77gaV4jAuzHe0m.new
- <Package Folder>/files/####/zDs0awge8iLoyH1WpAhi9J8QQoA=.temp
- <Package Folder>/files/####/zN9QrvRCxwwDnho32LXdaA==
- <Package Folder>/files/.imprint
- <Package Folder>/files/libabc
- <Package Folder>/files/mobclick_agent_cached_<Package>1001
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/port.xml
- <Package Folder>/shared_prefs/port.xml.bak
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/share_data.xml
- <Package Folder>/shared_prefs/share_data.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.armsd/####/5425f1cc-342b-423e-81cf-4f411f5a3e97.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.old (deleted)
- <SD-Card>/.armsd/####/8b93929b-fb2e-4169-969b-1011ee48b383.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/b4b483a7-24e1-49f4-a7f3-354a7b5b1483.res
- <SD-Card>/.armsd/####/d24c6964-d387-4be2-b1a7-cadf3483ceed.res
- <SD-Card>/.armsd/####/d43d8167-fa92-4d1b-bb5e-2274b64761da.res
- <SD-Card>/.armsd/####/fe915a9d-e645-478b-8987-411d15b197c4.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.tpservice/####/qsha_80001_5096.jar
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3003_2272.zip
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/Android/####/com.skymobi.pay.plugin.main.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.recordupload.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.smspay.data
Другие:
Запускает следующие shell-скрипты:
- /data/data/by.xwvpt.tgubduqbapll.veb1a32a.zfc548153a/code-3625842/lfgfXbhTemfoGQh6 -p by.xwvpt.tgubduqbapll.veb1a32a.zfc548153a -a com.uu.action.client -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- /data/data/by.xwvpt.tgubduqbapll.veb1a32a.zfc548153a/code-6041682/lfgfXbhTemfoGQh6 -p by.xwvpt.tgubduqbapll.veb1a32a.zfc548153a -a com.uu.action.client -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- <error:2>
- cat /sys/block/mmcblk0/device/cid
- cat /sys/class/net/wlan0/address
- sh <Package Folder>/code-3625842/lfgfXbhTemfoGQh6 -p <Package> -a com.uu.action.client -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- sh <Package Folder>/code-6041682/lfgfXbhTemfoGQh6 -p <Package> -a com.uu.action.client -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
