Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.151.origin
- Android.Xiny.36.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.151.origin
- Android.Xiny.36.origin
Сетевая активность:
Подключается к:
- d####.####.com
- g####.####.pw
- g####.####.pw:6601
- i####.####.cn
- n####.####.com:10091
- w####.####.cn
Запросы HTTP GET:
- d####.####.com/dnfile/KitPackage-170628.jar
Запросы HTTP POST:
- g####.####.pw/kitmain.aspx
- g####.####.pw/main.aspx
- g####.####.pw:6601/kitmain.aspx
- i####.####.cn/iplookup/iplookup.php?format=####
- n####.####.com:10091/opaService/link
- w####.####.cn/ip.jsp
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/.shell_ass/####/libopalink.so_32
- <Package Folder>/.shell_ass/####/libopalink.so_64
- <Package Folder>/.shell_ass/libopalink.so
- <Package Folder>/.shell_ass/opa_link.jar
- <Package Folder>/.shell_ass/stupid
- <Package Folder>/.shell_ass/stupid.zip
- <Package Folder>/app_kload_lib/libhelper.so
- <Package Folder>/app_kload_odex/kload.apk
- <Package Folder>/app_kload_odex/kload.inf
- <Package Folder>/app_pt_odex/rt.so
- <Package Folder>/app_res_out/JRealRes.apk
- <Package Folder>/app_rtmp/daprc.so
- <Package Folder>/app_rtmp/data.rs
- <Package Folder>/app_rtmp/fakedbg.so
- <Package Folder>/app_rtmp/in-fun1.so
- <Package Folder>/app_rtmp/in-fun2.so
- <Package Folder>/app_rtmp/in-injectso.so
- <Package Folder>/app_rtmp/in-libvangd.so
- <Package Folder>/app_rtmp/rt.so
- <Package Folder>/app_rtmp/secrt1.so
- <Package Folder>/app_rtmp/sysattr.so
- <Package Folder>/app_rtmp/view.so
- <Package Folder>/app_rtmp/yellow.so
- <Package Folder>/app_temp/id482cbe81-6684-45c0-aa0b-5c47db9f5e28.tmp
- <Package Folder>/cache/.r.sh
- <Package Folder>/cache/data.rs
- <Package Folder>/cache/data.rs4783a145-c575-47a2-a9bb-275e10b5994a.tmp
- <Package Folder>/cache/data.rs4ec62b54-e21b-45c3-b560-260c3b43b16e.tmp
- <Package Folder>/cache/data.rs9cbf24f2-0e07-4b8e-ae17-2a361bb7bd0c.tmp
- <Package Folder>/cache/data.rsdf7019ef-dc02-4b29-bf8a-029b2e2d68a1.tmp
- <Package Folder>/cache/databak.rs
- <Package Folder>/files/####/.kpa1
- <Package Folder>/files/####/.kpa2
- <Package Folder>/files/####/a.zip
- <Package Folder>/files/####/b.zip
- <Package Folder>/files/####/busybox
- <Package Folder>/files/####/js.zip
- <Package Folder>/files/####/killall
- <Package Folder>/files/####/onem.zip
- <Package Folder>/files/####/r0
- <Package Folder>/files/####/r1
- <Package Folder>/files/####/r2
- <Package Folder>/files/####/r3
- <Package Folder>/files/####/r4
- <Package Folder>/files/####/r5
- <Package Folder>/files/####/r6
- <Package Folder>/files/####/r8
- <Package Folder>/files/####/su2
- <Package Folder>/files/####/xx.sh
- <Package Folder>/files/.sys.attr
- <Package Folder>/files/.sys.irf
- <Package Folder>/files/.sys.us
- <Package Folder>/files/<Package>_cgr
- <Package Folder>/files/daprc.so
- <Package Folder>/files/droidinfotemp.txt
- <Package Folder>/files/fakedbg.so
- <Package Folder>/files/gwkp.png
- <Package Folder>/files/in-fun1.so
- <Package Folder>/files/in-fun2.so
- <Package Folder>/files/in-injectso.so
- <Package Folder>/files/in-libvangd.so
- <Package Folder>/files/secrt1.so
- <Package Folder>/files/sysattr.so
- <Package Folder>/files/view.so
- <Package Folder>/files/yellow.so
- <Package Folder>/shared_prefs/cuf_config.xml
- <Package Folder>/shared_prefs/database.xml
- <Package Folder>/shared_prefs/fuckxjpalkq.xml
- <Package Folder>/shared_prefs/lastwk78.xml
- <Package Folder>/shared_prefs/rtparam.xml
- <SD-Card>/.hand/developkey3074c69c-a39d-4116-8272-330db0a2fe39.tmp
- <SD-Card>/.hand/lastacc09ead517-1fb9-4ff2-b427-fa15dba848fc.tmp
- <SD-Card>/.rbten/<Package>_rtpkg-1.dat_tmp
- <SD-Card>/.rbten/<Package>_rtpkg.dat_tmp
- <SD-Card>/.rbten/tcnt2918f73a12-4fe1-4058-8c01-80050483daa5.tmp
- <SD-Card>/.rbten/tcnt2943eed923-89a7-42cd-8715-f4a6915d9369.tmp
- <SD-Card>/.uct/uuid305a6a7ff-253b-4b0e-b7bc-b5bbe7adbd5d.tmp
- <SD-Card>/Android/####/.nomedia
- <SD-Card>/mmt/####/droidinfo
- <SD-Card>/mmt/####/droidinfo-journal
- <SD-Card>/mmt/####/test.dat753ecd92-90c3-4528-891c-eed33d8a410e.tmp
- <SD-Card>/mmt/####/test.data65d9203-af99-4ee0-a8d3-f4866d2fea3b.tmp
- <SD-Card>/mmt/####/test.datbf72e5a3-5370-4513-ab79-4a673fa5c82f.tmp
- <SD-Card>/sdtmp/id1
- <SD-Card>/sdtmp/id11ea61b61-d731-45bb-838c-0135a740308d.tmp (deleted)
- <SD-Card>/sdtmp/id1e10937d4-3852-44b2-9ecb-c1ec3905a24d.tmp
- <SD-Card>/sdtmp/id2
- <SD-Card>/sdtmp/id25a3b70c3-dbe4-4207-99de-d4958c48c17e.tmp (deleted)
- <SD-Card>/sdtmp/id2a31c6087-5b20-41c9-8887-9fc8a64e4839.tmp
- <SD-Card>/tmpsd11012/test.dat57f242e0-7e6f-4551-a95a-eb6bacc45f3b.tmp
- <SD-Card>/tmpsd11012/test.dat87a05ad7-a112-4f17-8f51-d901447310b0.tmp
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.jmedia.jmediasdk/files/prog_js/su2 HygZRm2IHTKWpp7Hll/sS0uY66xdcw== /system/bin/sh /data/data/com.jmedia.jmediasdk/files/prog_js/xx.sh
- /data/data/com.jmedia.jmediasdk/files/prog_js/su2 al1s7jBFNtn9faBmC0Jb9A9Ns1GZSg== /system/bin/sh /data/data/com.jmedia.jmediasdk/files/prog_js/xx.sh
- /data/data/com.jmedia.jmediasdk/files/prog_js/su2 f0h5zguZ9aJXbCZExMaN2kDhh6V0Uw== /system/bin/sh /data/data/com.jmedia.jmediasdk/files/prog_js/xx.sh
- /data/data/com.jmedia.jmediasdk/files/prog_om1/r1 –auto
- /data/data/com.jmedia.jmediasdk/files/prog_om2/r2
- /data/data/com.jmedia.jmediasdk/files/prog_om3/r3
- /data/data/com.jmedia.jmediasdk/files/prog_om4/r4 PFMMehxvMFk2VSFN8Aw8XGXh91UNiESr/iPn2mHZOg== 3u5ydeZkuIN7B1MIi0sjkwufUjbm /system/bin/sh
- /data/data/com.jmedia.jmediasdk/files/prog_om5/r5 /system/bin/sh
- /data/data/com.jmedia.jmediasdk/files/prog_om6/r6 /system/bin/sh
- /data/data/com.jmedia.jmediasdk/files/prog_om8/r8
- /system/bin/.nbwayxwzt
- /system/bin/conbb od2gf04pd9
- <dexopt>
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -a com.adroid.TASK1
- app_process /system/bin com.android.commands.am.Am startservice --user 0 -n <Package>/c.m.o.ts
- app_process /system/bin com.android.commands.am.Am startservice -a com.adroid.TASK1
- app_process /system/bin com.android.commands.am.Am startservice -n <Package>/c.m.o.ts
- cat /proc/version
- cat /sys/class/net/wlan0/address
- chmod 755 <Package Folder>/cache/.r.sh
- chmod 755 <Package Folder>/files/.sys.attr
- chmod 755 <Package Folder>/files/.sys.us
- chmod 755 <Package Folder>/files/prog10/.zmp
- chmod 755 <Package Folder>/files/prog11/.zmp
- chmod 755 <Package Folder>/files/prog15/.zmp
- chmod 755 <Package Folder>/files/prog16_a/r1
- chmod 755 <Package Folder>/files/prog16_b0/r1
- chmod 755 <Package Folder>/files/prog16_b1/r2
- chmod 755 <Package Folder>/files/prog16_b2/r3
- chmod 755 <Package Folder>/files/prog16_b3/r4
- chmod 755 <Package Folder>/files/prog2/.zmp
- chmod 755 <Package Folder>/files/prog4/.zmp
- chmod 755 <Package Folder>/files/prog6/.zmp
- chmod 755 <Package Folder>/files/prog8/.zmp
- chmod 755 <Package Folder>/files/prog_js/busybox
- chmod 755 <Package Folder>/files/prog_js/su2
- chmod 755 <Package Folder>/files/prog_js/xx.sh
- chmod 755 <Package Folder>/files/prog_om1/busybox
- chmod 755 <Package Folder>/files/prog_om1/r1
- chmod 755 <Package Folder>/files/prog_om1/xx.sh
- chmod 755 <Package Folder>/files/prog_om2/busybox
- chmod 755 <Package Folder>/files/prog_om2/r2
- chmod 755 <Package Folder>/files/prog_om2/xx.sh
- chmod 755 <Package Folder>/files/prog_om3/busybox
- chmod 755 <Package Folder>/files/prog_om3/r3
- chmod 755 <Package Folder>/files/prog_om3/xx.sh
- chmod 755 <Package Folder>/files/prog_om4/busybox
- chmod 755 <Package Folder>/files/prog_om4/r4
- chmod 755 <Package Folder>/files/prog_om4/xx.sh
- chmod 755 <Package Folder>/files/prog_om5/busybox
- chmod 755 <Package Folder>/files/prog_om5/r5
- chmod 755 <Package Folder>/files/prog_om5/xx.sh
- chmod 755 <Package Folder>/files/prog_om6/busybox
- chmod 755 <Package Folder>/files/prog_om6/r6
- chmod 755 <Package Folder>/files/prog_om6/xx.sh
- chmod 755 <Package Folder>/files/prog_om8/busybox
- chmod 755 <Package Folder>/files/prog_om8/r8
- chmod 755 <Package Folder>/files/prog_om8/xx.sh
- conbb od2gf04pd9
- getprop
- getprop ro.board.platform
- getprop ro.product.cpu.abi
- ls -l /system/bin/su
- ls -l <Package Folder>/files/prog10/.zmp
- ls -l <Package Folder>/files/prog11/.zmp
- ls -l <Package Folder>/files/prog15/.zmp
- ls -l <Package Folder>/files/prog16_a/r1
- ls -l <Package Folder>/files/prog16_b0/r1
- ls -l <Package Folder>/files/prog16_b1/r2
- ls -l <Package Folder>/files/prog16_b2/r3
- ls -l <Package Folder>/files/prog16_b3/r4
- ls -l <Package Folder>/files/prog2/.zmp
- ls -l <Package Folder>/files/prog4/.zmp
- ls -l <Package Folder>/files/prog6/.zmp
- ls -l <Package Folder>/files/prog8/.zmp
- ls -l <Package Folder>/files/prog_js/su2
- ps
- rm <Package Folder>/cache/.r.sh
- rm <Package Folder>/files/prog16_a
- rm <Package Folder>/files/prog16_a/a.zip
- rm <Package Folder>/files/prog16_a/killall
- rm <Package Folder>/files/prog16_a/r0
- rm <Package Folder>/files/prog16_a/r1
- rm <Package Folder>/files/prog16_b0
- rm <Package Folder>/files/prog16_b0/b.zip
- rm <Package Folder>/files/prog16_b0/r1
- rm <Package Folder>/files/prog16_b0/r2
- rm <Package Folder>/files/prog16_b0/r3
- rm <Package Folder>/files/prog16_b0/r4
- rm <Package Folder>/files/prog16_b0/r5
- rm <Package Folder>/files/prog16_b1
- rm <Package Folder>/files/prog16_b1/b.zip
- rm <Package Folder>/files/prog16_b1/r1
- rm <Package Folder>/files/prog16_b1/r2
- rm <Package Folder>/files/prog16_b1/r3
- rm <Package Folder>/files/prog16_b1/r4
- rm <Package Folder>/files/prog16_b1/r5
- rm <Package Folder>/files/prog16_b2
- rm <Package Folder>/files/prog16_b2/b.zip
- rm <Package Folder>/files/prog16_b2/r1
- rm <Package Folder>/files/prog16_b2/r2
- rm <Package Folder>/files/prog16_b2/r3
- rm <Package Folder>/files/prog16_b2/r4
- rm <Package Folder>/files/prog16_b2/r5
- rm <Package Folder>/files/prog16_b3
- rm <Package Folder>/files/prog16_b3/b.zip
- rm <Package Folder>/files/prog16_b3/r1
- rm <Package Folder>/files/prog16_b3/r2
- rm <Package Folder>/files/prog16_b3/r3
- rm <Package Folder>/files/prog16_b3/r4
- rm <Package Folder>/files/prog16_b3/r5
- rm <Package Folder>/files/prog4/.zmp
- rm <Package Folder>/files/prog_js
- rm <Package Folder>/files/prog_js/busybox
- rm <Package Folder>/files/prog_js/js.zip
- rm <Package Folder>/files/prog_js/su2
- rm <Package Folder>/files/prog_js/xx.sh
- rm <Package Folder>/files/prog_om1
- rm <Package Folder>/files/prog_om1/busybox
- rm <Package Folder>/files/prog_om1/onem.zip
- rm <Package Folder>/files/prog_om1/r1
- rm <Package Folder>/files/prog_om1/r2
- rm <Package Folder>/files/prog_om1/r3
- rm <Package Folder>/files/prog_om1/r4
- rm <Package Folder>/files/prog_om1/r5
- rm <Package Folder>/files/prog_om1/r6
- rm <Package Folder>/files/prog_om1/r8
- rm <Package Folder>/files/prog_om1/xx.sh
- rm <Package Folder>/files/prog_om2
- rm <Package Folder>/files/prog_om2/busybox
- rm <Package Folder>/files/prog_om2/onem.zip
- rm <Package Folder>/files/prog_om2/r1
- rm <Package Folder>/files/prog_om2/r2
- rm <Package Folder>/files/prog_om2/r3
- rm <Package Folder>/files/prog_om2/r4
- rm <Package Folder>/files/prog_om2/r5
- rm <Package Folder>/files/prog_om2/r6
- rm <Package Folder>/files/prog_om2/r8
- rm <Package Folder>/files/prog_om2/xx.sh
- rm <Package Folder>/files/prog_om3
- rm <Package Folder>/files/prog_om3/busybox
- rm <Package Folder>/files/prog_om3/onem.zip
- rm <Package Folder>/files/prog_om3/r1
- rm <Package Folder>/files/prog_om3/r2
- rm <Package Folder>/files/prog_om3/r3
- rm <Package Folder>/files/prog_om3/r4
- rm <Package Folder>/files/prog_om3/r5
- rm <Package Folder>/files/prog_om3/r6
- rm <Package Folder>/files/prog_om3/r8
- rm <Package Folder>/files/prog_om3/xx.sh
- rm <Package Folder>/files/prog_om4
- rm <Package Folder>/files/prog_om4/busybox
- rm <Package Folder>/files/prog_om4/onem.zip
- rm <Package Folder>/files/prog_om4/r1
- rm <Package Folder>/files/prog_om4/r2
- rm <Package Folder>/files/prog_om4/r3
- rm <Package Folder>/files/prog_om4/r4
- rm <Package Folder>/files/prog_om4/r5
- rm <Package Folder>/files/prog_om4/r6
- rm <Package Folder>/files/prog_om4/r8
- rm <Package Folder>/files/prog_om4/xx.sh
- rm <Package Folder>/files/prog_om5
- rm <Package Folder>/files/prog_om5/busybox
- rm <Package Folder>/files/prog_om5/onem.zip
- rm <Package Folder>/files/prog_om5/r1
- rm <Package Folder>/files/prog_om5/r2
- rm <Package Folder>/files/prog_om5/r3
- rm <Package Folder>/files/prog_om5/r4
- rm <Package Folder>/files/prog_om5/r5
- rm <Package Folder>/files/prog_om5/r6
- rm <Package Folder>/files/prog_om5/r8
- rm <Package Folder>/files/prog_om5/xx.sh
- rm <Package Folder>/files/prog_om6
- rm <Package Folder>/files/prog_om6/busybox
- rm <Package Folder>/files/prog_om6/onem.zip
- rm <Package Folder>/files/prog_om6/r1
- rm <Package Folder>/files/prog_om6/r2
- rm <Package Folder>/files/prog_om6/r3
- rm <Package Folder>/files/prog_om6/r4
- rm <Package Folder>/files/prog_om6/r5
- rm <Package Folder>/files/prog_om6/r6
- rm <Package Folder>/files/prog_om6/r8
- rm <Package Folder>/files/prog_om6/xx.sh
- rm <Package Folder>/files/prog_om8
- rm <Package Folder>/files/prog_om8/busybox
- rm <Package Folder>/files/prog_om8/onem.zip
- rm <Package Folder>/files/prog_om8/r1
- rm <Package Folder>/files/prog_om8/r2
- rm <Package Folder>/files/prog_om8/r3
- rm <Package Folder>/files/prog_om8/r4
- rm <Package Folder>/files/prog_om8/r5
- rm <Package Folder>/files/prog_om8/r6
- rm <Package Folder>/files/prog_om8/r8
- rm <Package Folder>/files/prog_om8/xx.sh
- sh
- sh <Package Folder>/files/prog_js/su2 HygZRm2IHTKWpp7Hll/sS0uY66xdcw== /system/bin/sh <Package Folder>/files/prog_js/xx.sh
- sh <Package Folder>/files/prog_js/su2 al1s7jBFNtn9faBmC0Jb9A9Ns1GZSg== /system/bin/sh <Package Folder>/files/prog_js/xx.sh
- sh <Package Folder>/files/prog_js/su2 f0h5zguZ9aJXbCZExMaN2kDhh6V0Uw== /system/bin/sh <Package Folder>/files/prog_js/xx.sh
- sh <Package Folder>/files/prog_om1/r1 auto
- sh <Package Folder>/files/prog_om2/r2
- sh <Package Folder>/files/prog_om3/r3
- sh <Package Folder>/files/prog_om4/r4 PFMMehxvMFk2VSFN8Aw8XGXh91UNiESr/iPn2mHZOg== 3u5ydeZkuIN7B1MIi0sjkwufUjbm /system/bin/sh
- sh <Package Folder>/files/prog_om5/r5 /system/bin/sh
- sh <Package Folder>/files/prog_om6/r6 /system/bin/sh
- sh <Package Folder>/files/prog_om8/r8
