Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 6####.####.140
- a####.####.com
- cnmon####.com
- cnmon####.com:8080
- i####.####.com
- l####.####.com
Запросы HTTP GET:
- cnmon####.com/console/upload/sdk/5b298429-89b7-4e36-88ed-20100184624c.dat
- cnmon####.com:8080/console/client/app/check/data.do?pModel=####&netType=...
- i####.####.com/ando-res/ads/black/640x270.png
Запросы HTTP POST:
- 6####.####.140/ando/v1/x/ap?app_id=####&r=####
- a####.####.com/app_logs
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/app_dex/2f54898e9086b1880aefd23e660a759f.dex
- <Package Folder>/code-7163243/HNjGxV0yAJ7dueZK
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_ILkmgFxWKLRSon4C7JolUg==
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_ILkmgFxWKLRSon4C7JolUg==-journal
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_YqAv2ozfeEc=-journal
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_ckWf0A6Q6qcZmhA5
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_ckWf0A6Q6qcZmhA5-journal
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_j347QUESd8zOaLLVGWB9rA==
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_j347QUESd8zOaLLVGWB9rA==-journal
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_sNRlE5xVqbhqB3LgvcKbFnEHjN0=
- <Package Folder>/databases/nzernl3bir35aZlhbwLsfqGWQ7WzQORV_sNRlE5xVqbhqB3LgvcKbFnEHjN0=-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/-UeUOzxRUSnl7Oo_v_RrbpUuCjYouGTn.new
- <Package Folder>/files/####/263bde14fdb5d82f8a5a85a3fd88b0da.dat
- <Package Folder>/files/####/263bde14fdb5d82f8a5a85a3fd88b0da.jar
- <Package Folder>/files/####/2f54898e9086b1880aefd23e660a759f.jar
- <Package Folder>/files/####/4Msd3Noejt_iEfKmtuOj1qH2MR9XQODc-OB0HxqP1tE=.new
- <Package Folder>/files/####/73fcQ_451TGxonyc.new
- <Package Folder>/files/####/79QsRUM_8AjBJ8oT
- <Package Folder>/files/####/809041966a0c59b55b5f3be02b341369.dat (deleted)
- <Package Folder>/files/####/809041966a0c59b55b5f3be02b341369.jar
- <Package Folder>/files/####/9c7a1d08-8bb0-4ccd-8947-7f192a0846d0.pic.temp
- <Package Folder>/files/####/A3RW_ckZ-LkI-1I2eCX4aA==.new
- <Package Folder>/files/####/Ag-cexiEYek3mILumycvf6a4xTE=.new
- <Package Folder>/files/####/BCbch6r9cjmf4lkGyEu3uso3b3w=.new
- <Package Folder>/files/####/CupyEVfD3xI13Hwd6tC9Xg==
- <Package Folder>/files/####/CupyEVfD3xI13Hwd6tC9Xg==.new
- <Package Folder>/files/####/DoFl0iYuSIWVFKtkByIXUxdA2mD2-9lK.new
- <Package Folder>/files/####/EnkkZIS_-9eSsgD8ndnH5ybG0mGxD91Q.new
- <Package Folder>/files/####/HT6m-mZTyaJiwpvkWhYB9BCtsN7MKoTz7GZTbA==.new
- <Package Folder>/files/####/NEQTkoWuaIsOPiKu-b2ey9g_URY=
- <Package Folder>/files/####/Nz2-mllHFaPVMoyESjIbv51qHhSXsa4_FzS_0Q==.new
- <Package Folder>/files/####/WCgajJwfImxwBsnOnwQPmA==.new
- <Package Folder>/files/####/YFs0J8i0yadmExqbSCuu2U296_XvrsQz
- <Package Folder>/files/####/YFs0J8i0yadmExqbSCuu2U296_XvrsQz.new
- <Package Folder>/files/####/YFs0J8i0yadmExqbSCuu2U296_XvrsQz.old (deleted)
- <Package Folder>/files/####/_98oH4_-7E0FFc9vLezX2jxt5clKDsyq6K9KmgzIszM=.new
- <Package Folder>/files/####/cO19Pl0rbRbJdeD6nqcFGKee2hprNgMe.new
- <Package Folder>/files/####/efb0e401-6197-4c04-81fe-b68796a84190.pic.temp
- <Package Folder>/files/####/ghuoaq_f.zip
- <Package Folder>/files/####/i6sQxpBNgxaACL_kZhSj75xLwYQqjzofFBE4uKhrAX4=.new
- <Package Folder>/files/####/iiwHYsutF_k4hmBRSJzKWw==
- <Package Folder>/files/####/irftj0bvnC5PXJi0TeV4jA==
- <Package Folder>/files/####/masB9SEBZBxpNh_GyhEpWiKwndF3oUTFamNmLw==.new
- <Package Folder>/files/####/nGqb8ZlVjRIDxcBc.zip
- <Package Folder>/files/####/runner_info.prop
- <Package Folder>/files/####/sRFue5yGodPJmAc-Inz-t5sop9Y=.new
- <Package Folder>/files/####/vGoe1buEZYgMLdJzIj1asCj3WlI=
- <Package Folder>/files/####/vGoe1buEZYgMLdJzIj1asCj3WlI=.new
- <Package Folder>/files/####/vMH7WKTUC9xFcCUaMRlqD535q3JWVhSK.new
- <Package Folder>/files/####/wbGLEQk93hSThT7D9XuY_QxDu7yG9FFC4mRwEJ856tg=.new
- <Package Folder>/files/####/wnuNHV-Csan2DRoihF4fYXzC_Eg=
- <Package Folder>/files/####/xQ2mKXviEoBOcIhn2cZbqEuuuQuTZpNi.new
- <Package Folder>/files/####/y0MpCiZej4N3p23qn1tT8tRFVTYxMK66.new
- <Package Folder>/files/.imprint
- <Package Folder>/files/rdata_comgznywbnz
- <Package Folder>/files/rdata_comgznywbnz.new
- <Package Folder>/files/umeng_it.cache
- <Package Folder>/shared_prefs/com.monster.pay.bean.save.SaveMatch.xml
- <Package Folder>/shared_prefs/com.monster.pay.bean.save.SaveTask.xml
- <Package Folder>/shared_prefs/config.xml
- <Package Folder>/shared_prefs/config.xml.bak
- <Package Folder>/shared_prefs/config.xml.bak (deleted)
- <Package Folder>/shared_prefs/initRoot.xml
- <Package Folder>/shared_prefs/installTime.xml
- <Package Folder>/shared_prefs/mobclick_agent_online_setting_<Package>.xml
- <Package Folder>/shared_prefs/modelBean.xml
- <Package Folder>/shared_prefs/shield.xml
- <Package Folder>/shared_prefs/shield.xml.bak
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml.bak
- <SD-Card>/.armsd/####/17e6cc30-3b03-4586-8196-1e9afa6c4a99.res
- <SD-Card>/.armsd/####/2ec025b3-b7eb-401f-b372-ccad04c3eefe.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/b137a348-c7a5-4db8-a617-b4b60db7737a.res
- <SD-Card>/.armsd/####/bb6dfa6e-9237-47d6-a243-a2befae4c372.res
- <SD-Card>/.armsd/####/e53250f6-32af-4110-9cda-511f959a3193.res
- <SD-Card>/.armsd/####/e6e3e788-f23e-45cc-bb2c-e4e35c95206a.res
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.monster/####/31.log
- <SD-Card>/cash/cash_2017-05-31_log.txt
Другие:
Запускает следующие shell-скрипты:
- /data/data/com.ghdusfi.hsjkdge/code-7163243/HNjGxV0yAJ7dueZK -p com.ghdusfi.hsjkdge -c com.gzny.wbnz.aqaraa.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- sh <Package Folder>/code-7163243/HNjGxV0yAJ7dueZK -p <Package> -c com.gzny.wbnz.aqaraa.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует специальную библиотеку для скрытия исполняемого байткода.
