Техническая информация
Вредоносные функции:
Отправляет СМС-сообщения:
- 106575206321505460: dyl#null,<IMEI>,6000195-1-1001-6_kh29s0362_-0
- 10691009: @8DYL#null,<IMEI>,6000195-1-1001-6_kh29s0362_-0
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.226.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.226.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 6####.####.140
- and####.####.com
- and####.####.com:8077
- huangda####.com
- i####.####.com
Запросы HTTP GET:
- huangda####.com/active!activeLog.action?provider=####&clickId=####&manu=...
- i####.####.com/ando-res/m/A6EGb*Py4u1FtWQ3Rk0AdTbn3l2VkFbr8rEbwi8yQXTViC...
Запросы HTTP POST:
- 6####.####.140/ando/v1/x/ap?app_id=####&r=####
- and####.####.com/record-plat/record/upload.do
- and####.####.com:8077/record-plat/seq/query.do
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_tpservice/qsha_80001_5096.dex
- <Package Folder>/app_workbench32850/apk.zip
- <Package Folder>/app_workbench82890/apk.zip
- <Package Folder>/app_workbench93942/apk.zip
- <Package Folder>/code-2705067/####/y2HXFLOtlkPUQJpP.jar
- <Package Folder>/code-2705067/IS0tDQjxGgSxlaT4
- <Package Folder>/databases/Data_sync.db-journal
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N_OddrVJenTifHyT4VR_yL3A==
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N_OddrVJenTifHyT4VR_yL3A==-journal
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N_SsohAFzmw94=-journal
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N__EG7rH_iyqmgxoFScdeJBA==
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N__EG7rH_iyqmgxoFScdeJBA==-journal
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N_pZLZnlGT8mqfwVDf
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N_pZLZnlGT8mqfwVDf-journal
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N_ywMw6zDAIOKM8RK1oW3k-Lyrl9A=
- <Package Folder>/databases/SN8zQ6wWoiYNLDPj1SVgpfsafDW5XK2N_ywMw6zDAIOKM8RK1oW3k-Lyrl9A=-journal
- <Package Folder>/databases/webview.db
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/-uEhXTPigIyglJCgIw8ANXh1_VS0lnCy.new
- <Package Folder>/files/####/5Eu2NBBt1MWF9t0ZVoJkZZIWZ12ah6520iWirEfaubY=.new
- <Package Folder>/files/####/8r6nlRVsTqMrhEontaJa6w==.new
- <Package Folder>/files/####/919yL4o1mgTs0Kuksn6Fdg==
- <Package Folder>/files/####/9pxB4XHBX02bG6rtlUT9n6_KevvkggkbIzhQ1A==.new
- <Package Folder>/files/####/AHNIN4VLdS-v_ga_.zip
- <Package Folder>/files/####/BJMWGIAsSuWYL-aa3d6oLRQIQxk=.new
- <Package Folder>/files/####/CNTo3iLyuJIb-GIYt3GCUhDeFJShzJQdrh_vJF99BgA=.new
- <Package Folder>/files/####/H2nlBfq83G0h5wEtsIcY-pL8mmU-cKcm.new
- <Package Folder>/files/####/Hazi2FH5sldecKoaQeQMQG3yc9YW-liZ.new
- <Package Folder>/files/####/Lq9Ly-Xa1vC1oTYTmtm9dm0T9lalKBkKM7zAMDne0JQ=.new
- <Package Folder>/files/####/QBlXVsZ5E8M5jKOz5ooLYQ==
- <Package Folder>/files/####/QBlXVsZ5E8M5jKOz5ooLYQ==.new
- <Package Folder>/files/####/RUA33pEgrP0pxFa-
- <Package Folder>/files/####/TcGSpKQ6Lr6fG9A9N4Hw2FO9QefF5vAndrEycg==.new
- <Package Folder>/files/####/UbX1akMKNCbpZXWY.new
- <Package Folder>/files/####/ZtXJKkKdT-b1e-kD53JGGg==.new
- <Package Folder>/files/####/aAwJkoN-3MjL8hbRRFLPnELV1H14kPPyAsxW-gEhODQ=.new
- <Package Folder>/files/####/bvdAXIBAqViXEaYFi7-ldPfkPK4=
- <Package Folder>/files/####/djqcqL3NIsI-LdtUUuOc2ZceYkWBXrbb.new
- <Package Folder>/files/####/eGKQUGkMgsrJTeY9DvXTRWHg0lk=
- <Package Folder>/files/####/igBV8o7Iqa7UQrjXqEd4CfkCxKc=.temp
- <Package Folder>/files/####/jFR-VuNzwN3s-vP9cji3WcZOIJA=
- <Package Folder>/files/####/jFR-VuNzwN3s-vP9cji3WcZOIJA=.new
- <Package Folder>/files/####/jMxGQMJjL3xchGOqbtOrUIap5G0=.new
- <Package Folder>/files/####/jcpG0cWnWKnNE4IJKHvBl9wyM0xOQKjN
- <Package Folder>/files/####/jcpG0cWnWKnNE4IJKHvBl9wyM0xOQKjN.new
- <Package Folder>/files/####/jcpG0cWnWKnNE4IJKHvBl9wyM0xOQKjN.old (deleted)
- <Package Folder>/files/####/kAjlZG4iyuXaK_r2qglCRUTbygzhXBmi.new
- <Package Folder>/files/####/lJcc0dTqIQXE8LpjTKlgAE7FWEI=.temp
- <Package Folder>/files/####/mNiZHCv5F-fIgM3v_Ibh0kJpXLK5STP9.new
- <Package Folder>/files/####/qepvq_f.zip
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/s8V18zxkYybHwJpH327ywlp5owzJdoiotq4Qaw==.new
- <Package Folder>/files/####/w-M4iUuJ_v9WA3IxglWnKTKgAMCdXNzB.new
- <Package Folder>/files/####/zLzVdg9swXg0hE4chCih7A==
- <Package Folder>/files/####/zpd3REkAqXNwz-4fF6e24C4_Mfo=.new
- <Package Folder>/files/libabc
- <Package Folder>/files/rdata_comewqrasdj
- <Package Folder>/files/rdata_comewqrasdj.new
- <Package Folder>/shared_prefs/plugin_record_app_info.xml
- <Package Folder>/shared_prefs/pref_recomm.xml
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/pretw.xml.bak
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/d57ac00d-d1d4-4a0f-875a-15ace1232793.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.tpservice/####/qsha_80001_5096.jar
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3003_2272.zip
- <SD-Card>/Android/####/com.skymobi.pay.plugin.main.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.recordupload.data
- <SD-Card>/Android/####/com.skymobi.pay.plugin.smspay.data
Другие:
Запускает следующие shell-скрипты:
- /data/data/org.cocos2dx.III_310_SkyAndLand/code-2705067/IS0tDQjxGgSxlaT4 -p org.cocos2dx.III_310_SkyAndLand -c com.ewqr.asdj.wgqva.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- cat /sys/block/mmcblk0/device/cid
- sh <Package Folder>/code-2705067/IS0tDQjxGgSxlaT4 -p <Package> -c com.ewqr.asdj.wgqva.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
