Техническая информация
Вредоносные функции:
Загружает на исполнение код следующих детектируемых угроз:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Загружает из Интернета следующие детектируемые угрозы:
- Android.Triada.155.origin
- Android.Triada.178
- Android.Triada.178
- Android.Triada.248.origin
Сетевая активность:
Подключается к:
- 1####.####.34:19000
- 1####.####.57
- 1####.####.57:10001
- a####.####.com
- huangda####.com
- i####.####.com
- l####.####.com
Запросы HTTP GET:
- 1####.####.57/v1/order/get?phone=####&imei=####&sdk_version=####&callbac...
- 1####.####.57:10001/v1/order/get?phone=####&imei=####&sdk_version=####&c...
- a####.####.com/ando/i/mon?k=####&d=####
- huangda####.com/resource!resource?resTypes=####&appid=####&channel=####&...
- i####.####.com/ando-res/ads/black/640x270.png
Запросы HTTP POST:
- 1####.####.34:19000/v2/chis
- l####.####.com/sdk.php
Изменения в файловой системе:
Создает следующие файлы:
- <Package Folder>/EOZTzhVG.jar
- <Package Folder>/cache/####/data_0
- <Package Folder>/cache/####/data_1
- <Package Folder>/cache/####/data_2
- <Package Folder>/cache/####/data_3
- <Package Folder>/cache/####/index
- <Package Folder>/code-4260394/4-us1Ev6T_hkDTzs
- <Package Folder>/databases/####/cc.db
- <Package Folder>/databases/####/cc.db-journal
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_583aswgoahbcYjrt9O7Mew==
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_583aswgoahbcYjrt9O7Mew==-journal
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_AwxdwpDOW_nAyruy
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_AwxdwpDOW_nAyruy-journal
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_FTGqavJmo14=-journal
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_L2nTSJ1HTMiPod0g-CRfuw==
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_L2nTSJ1HTMiPod0g-CRfuw==-journal
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_h5D0_oJnmfcsGSqhv8Xw3cPHCXQ=
- <Package Folder>/databases/_EonLuEJ8RxfUnY1flL93g-l7LdD1BqB_h5D0_oJnmfcsGSqhv8Xw3cPHCXQ=-journal
- <Package Folder>/databases/webview.db-journal
- <Package Folder>/databases/webviewCookiesChromium.db-journal (deleted)
- <Package Folder>/files/####/-It1xJybLSmheOiV86n_565xnh0PO7If.new
- <Package Folder>/files/####/-Rv6j2mRef6Fo-2d93GbRw==
- <Package Folder>/files/####/-Rv6j2mRef6Fo-2d93GbRw==.new
- <Package Folder>/files/####/-VS2WzkYDZFITU6FtzXpVyskSiHMK7G9.new
- <Package Folder>/files/####/0dfd4804-5f3f-4846-bb35-e25887e05741.pic.temp
- <Package Folder>/files/####/1OVXJ8CBw5BdoTW-jYPcEdgTcJu1rs4z.new
- <Package Folder>/files/####/1tD7oktJR5STgVFJ.zip
- <Package Folder>/files/####/2BH0_7On7glhWPaLwRMWXcEP1nHlBLDs.new
- <Package Folder>/files/####/59cb92ae-4c06-4ede-9063-bf1987ca0927.pic
- <Package Folder>/files/####/6JsXMntF0asYQnwKSeTEdJXtrq4=
- <Package Folder>/files/####/7KeK2fLyEfPc_ZsGndMNILyxGsc=.new
- <Package Folder>/files/####/7f422815-0f20-4a5f-a12a-ca778cdec3ca.pic.temp
- <Package Folder>/files/####/F_3I0Ensx8Q6ifcqZuv6aw==
- <Package Folder>/files/####/MgQZ1JEiGP-1R1XOToiLGra95gY=.new
- <Package Folder>/files/####/Obf1djbuDyJBZ8c2brAQAW6BV5mCJ-d0nNnMrFdcFm0=.new
- <Package Folder>/files/####/Oxr6AKJgyzzB0bSrgh8oH-_5fZi7rw4U.new
- <Package Folder>/files/####/P5eHewY296egjEYzK7_0tKSk5Zo=.new
- <Package Folder>/files/####/QA4YosCtyo2kX6KV0CYyg5UHLtU=
- <Package Folder>/files/####/TDtLh3i1Mbls4ItYMDeSVLxc1gIYjHXW.new
- <Package Folder>/files/####/ZRRM0BQGRmA0H1Jbxk_995PcjbEE20-bhS3s4A==.new
- <Package Folder>/files/####/b4dbfe8c-d4dc-457f-ad25-dc84fee5eee2.pic.temp
- <Package Folder>/files/####/bglf-M3Bi1zNqWnH5W_6aw==
- <Package Folder>/files/####/bglf-M3Bi1zNqWnH5W_6aw==.new
- <Package Folder>/files/####/ce9cc8d3-89d9-41de-b49f-eb9c9f86a8e9.pic.temp
- <Package Folder>/files/####/cgmJRpvPkzdSn06mYmRifGCXJ8NTqInK9Jg7Bg==.new
- <Package Folder>/files/####/dXCBJLPGHloYdaJU84q7_A==.new
- <Package Folder>/files/####/data.dat.tmp
- <Package Folder>/files/####/dbc11e1f-8dd3-40a6-bb5d-b782a117ad8f.pic.temp
- <Package Folder>/files/####/dt2QvGpmiYCsfc_s1tN1ojcyW2zC_SHagR2HjQ==.new
- <Package Folder>/files/####/efed9c6e-d88d-40a1-ace5-af66c6d4cefc.pic
- <Package Folder>/files/####/f_JTsVv0nvkp7S-o
- <Package Folder>/files/####/fe7bc19f-72aa-4b08-b01a-ee785fef2324.pic.temp
- <Package Folder>/files/####/hWMC1RqhYWZraxHXr5GT9BhJtNtEN74r.new
- <Package Folder>/files/####/kV6tMw0lNJcXMw7BKXhKp77gV_5IOoBc.new
- <Package Folder>/files/####/libus.so
- <Package Folder>/files/####/ov0oCH5sfTM6jiEw-__wbCx_kdjvFVcRL_NfyDIUWfw=.new
- <Package Folder>/files/####/peZfGQZFePzDahGc.new
- <Package Folder>/files/####/runner_info.prop.new
- <Package Folder>/files/####/sbcnua_f.zip
- <Package Folder>/files/####/tpWfRDwg-JpxYwuzZX_wO8F-TOWfU6z4IzocNdgs8vA=.new
- <Package Folder>/files/####/wpU0aSPqDG2rLyEhAASqW8ZCzjg=.new
- <Package Folder>/files/####/zH25zCqTeEAwTU5_Y8LKjKBSLg6UatCJRLZaqjdIjJ4=.new
- <Package Folder>/shared_prefs/pretw.xml
- <Package Folder>/shared_prefs/twj.xml
- <Package Folder>/shared_prefs/umeng_general_config.xml
- <Package Folder>/shared_prefs/zzconfig.xml
- <SD-Card>/.armsd/####/15b2f82d-ce2d-45e7-96ce-2b7f51237c20.res
- <SD-Card>/.armsd/####/3685535a-f102-416b-b8db-9f1c13776a28.res
- <SD-Card>/.armsd/####/55d7023f-1541-4cfd-8da7-ac5f1f8f0133.res
- <SD-Card>/.armsd/####/5NCMj4FHDAiNMsrjQKob6JdxZXM=.new
- <SD-Card>/.armsd/####/7963cb6a-7b67-467e-9d3d-ad0c379202af.res
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M
- <SD-Card>/.armsd/####/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M.lk
- <SD-Card>/.armsd/####/MP8MtaBuguN9jnuSwtN1kQ==
- <SD-Card>/.armsd/####/r_pkDgN4OhnkSa0D
- <SD-Card>/.env/.uunique.new
- <SD-Card>/.twservice/####/tw
- <SD-Card>/.twservice/qshp_3002_2206.zip
- <SD-Card>/Download/channel_conf
- <SD-Card>/Download/channel_conf1
Другие:
Запускает следующие shell-скрипты:
- /data/data/lrizbrp.yibb.xvewl.qgawf/code-4260394/4-us1Ev6T_hkDTzs -p lrizbrp.yibb.xvewl.qgawf -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
- <dexopt>
- sh <Package Folder>/code-4260394/4-us1Ev6T_hkDTzs -p <Package> -c com.hoxq.lpve.uwisuq.a.a.c.b -r /storage/emulated/0/.armsd/tjfblFPob85GtAQw/I7HE1pd26tdvkjhloLWlx5UBeDOAmh6M -d /storage/emulated/0/Download/ladung
