Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.247.origin
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.247.origin
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.71
- 1####.####.71:9600
- 6####.####.140
- c####.####.com
- c####.####.net
- i####.####.com
- p####.####.com
Запросы HTTP GET:
- i####.####.com/a/3db355750bea842d8ee0cece950aa5ecd
Запросы HTTP POST:
- 1####.####.71/
- 1####.####.71:9600/
- 6####.####.140/ando/x/lis?app_id=####&r=####
- c####.####.com/show.aspx?Key=####
- c####.####.net/config/update
- p####.####.com/api/q/a/3db355750bea842d8ee0cece950aa5ecd
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/code-3641946/####/PgXRepe1ew0=.jar
- <Package Folder>/code-3641946/MkWOTJvnKhU6ULI3
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_2etNe7ZkJ0Tvb2JrdNWenEMMctk=
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_2etNe7ZkJ0Tvb2JrdNWenEMMctk=-journal
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_Dmk8Ym1d7gi0vA_d7EVj-A==
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_Dmk8Ym1d7gi0vA_d7EVj-A==-journal
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_VEPbuNbpFmMR6VXW
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_VEPbuNbpFmMR6VXW-journal
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_nARwfVTdxV4j1WlzFlBK_Q==
- <Package Folder>/databases/PqcpaZFHg9MVHJkPwmb-b015MrliBDjm_nARwfVTdxV4j1WlzFlBK_Q==-journal
- <Package Folder>/databases/dataeye_database_D1BF1F85D62D39BC5B1579C386E23958.db
- <Package Folder>/databases/dataeye_database_D1BF1F85D62D39BC5B1579C386E23958.db-journal
- <Package Folder>/databases/talkingdata_app.db-journal
- <Package Folder>/databases/vi_db_pay-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/files/####/-djTqAlb2DPlOF_XvRvbaw==.new
- <Package Folder>/files/####/0HbwttkSuBxp99NW
- <Package Folder>/files/####/1FGA_eDtnSqKj-22WIbJQIZE0fekqCTR.new
- <Package Folder>/files/####/1spUqjm6lPixu69gfTUSi3fMEtcOVlCM.new
- <Package Folder>/files/####/2o8zNlYD5aXOunlXjFzLJhOF0aQ=
- <Package Folder>/files/####/3ApUEvZ0Kwk7pcb8G-qqzZFmdXM=
- <Package Folder>/files/####/3ApUEvZ0Kwk7pcb8G-qqzZFmdXM=.new
- <Package Folder>/files/####/3ApUEvZ0Kwk7pcb8G-qqzZFmdXM=.old (deleted)
- <Package Folder>/files/####/3l98kfpbI6pVDfo8tlc0ZA==
- <Package Folder>/files/####/3l98kfpbI6pVDfo8tlc0ZA==.new
- <Package Folder>/files/####/5AxP6Cg4xt9K-4HUnzxehgNIgbUnkZF8.new
- <Package Folder>/files/####/5tcSD-vCB0e1jcdha86sv_rjQJF1vrU7JHVWfg==.new
- <Package Folder>/files/####/Dv8t5tcDnAGksIZY.new
- <Package Folder>/files/####/IarawylCij52NLhqa7dz26bY4m4=.new
- <Package Folder>/files/####/L4i4lLs-uPBPDNVYsw6idqVpkYJAQbLd.new
- <Package Folder>/files/####/Lnre0a_8ZdIE1lJrn4-6GGvEnAM=
- <Package Folder>/files/####/Lnre0a_8ZdIE1lJrn4-6GGvEnAM=.new
- <Package Folder>/files/####/T3sX34Ipxcp7Bv3SHoOamWMiSUU=
- <Package Folder>/files/####/TanRTMDMuZD58GtPolKFIJbiBGHyTr_HI2kC-3vc25M=.new
- <Package Folder>/files/####/U1lfakGSagqGjcW9b6K8q8DRPLiatUCCeZfyww==.new
- <Package Folder>/files/####/VfOeQsO8qdQc_Yy9-K7U6AJjaXR1bNwDX2GUEjoT3gE=.new
- <Package Folder>/files/####/XCoxGTd5Em9klmM6FliQUjLJmC3RcjkQ.new
- <Package Folder>/files/####/_lAUQPW68KQdED1K.zip
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/duPXL7Jfu6tHjIEwRUbyy16UfaFREAXhX4UA_A==.new
- <Package Folder>/files/####/fLlxGx4ca5iGXJE7M6mCEg==
- <Package Folder>/files/####/fLlxGx4ca5iGXJE7M6mCEg==.new
- <Package Folder>/files/####/fZVU63LloXf_SVzFDj4mg9g3YB3No_jH.new
- <Package Folder>/files/####/fbV52fnjNxaJfsvlJdLYBg==
- <Package Folder>/files/####/gDcb-CHTwxFpWGvdK_kc-g==
- <Package Folder>/files/####/gDcb-CHTwxFpWGvdK_kc-g==.new
- <Package Folder>/files/####/gDcb-CHTwxFpWGvdK_kc-g==.old (deleted)
- <Package Folder>/files/####/mGsftcW4QPxPlG4jtBO17opX5YU6YHo6pBA6QZxcAQ4=.new
- <Package Folder>/files/####/mbUt5k1x2tcq_x6PMUJjNBvobf8=.new
- <Package Folder>/files/####/pEUzletwiHPnG9lPA_nvhefkVfLdRy6v.new
- <Package Folder>/files/####/qejbbw_f.zip
- <Package Folder>/files/####/runner_info.prop
- <Package Folder>/files/####/tmgzjq9MW2rbNDxc7kLspulpDbZEf_2c8xHXww==.new
- <Package Folder>/files/libexec.so
- <Package Folder>/files/paylib.jar
- <Package Folder>/files/rdata_comnmcdwejr.new
- <Package Folder>/files/talkingdata_app_process_preferences_file
- <Package Folder>/files/talkingdata_app_version_preferences_file
- <Package Folder>/shared_prefs/3db355750bea842d8ee0cece950aa5ecd|account_file.xml
- <Package Folder>/shared_prefs/<Package>_preferences.xml
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml
- <Package Folder>/shared_prefs/TD_app_pefercen_profile.xml.bak
- <Package Folder>/shared_prefs/dc.D1BF1F85D62D39BC5B1579C386E23958.preferences.xml
- <Package Folder>/shared_prefs/dc.D1BF1F85D62D39BC5B1579C386E23958.preferences.xml.bak
- <Package Folder>/shared_prefs/pref_file.xml
- <Package Folder>/shared_prefs/pref_file.xml.bak
- <Package Folder>/shared_prefs/td_pefercen_profile.xml
- <Package Folder>/shared_prefs/td_pefercen_profile.xml.bak
- <Package Folder>/shared_prefs/tdid.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/unknown.xml
- <SD-Card>/.SystemService/####/uid
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.system_temp/.cfg
- <SD-Card>/.tcookieid
Другие:
Запускает следующие shell-скрипты:
- /data/data/qmzoyg.ykeafe.ivftbx.yavaer/code-3641946/MkWOTJvnKhU6ULI3 -p qmzoyg.ykeafe.ivftbx.yavaer -c com.nmcd.wejr.wdebg.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- /system/bin/sh
- <dexopt>
- <error:2>
- cat /sys/block/mmcblk0/device/cid
- getprop ro.product.cpu.abi
- ls -l /sbin/su
- ls -l /system/bin/su
- ls -l /system/sbin/su
- ls -l /system/xbin/su
- ls -l /vendor/bin/su
- sh <Package Folder>/code-3641946/MkWOTJvnKhU6ULI3 -p <Package> -c com.nmcd.wejr.wdebg.a.a.d.c -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
Использует специальную библиотеку для скрытия исполняемого байткода.
